Users have learned over the last few years that Apple's "walled garden" approach to third-party apps isn't quite as protective of their sensitive data as it might sound. More surprising, perhaps, is another revelation: that the popular unauthorized apps outside those walls tend to respect privacy better than the approved ones inside.
After building a tool called PiOS that analyzes private data leaks from iOS apps, the researchers ran their analysis on 1,407 free apps–825 downloaded from Apple's App Store using the website App Tracker, and 526 accessible through BigBoss, the largest repository of unauthorized apps available to users through the Cydia app market for jailbroken iPhones and iPads.
A table from the UCSB study showing how frequently authorized App Store and unauthorized Cydia iOS apps leak private information.
Of those tested apps, 21 percent of official App Store apps uploaded the user's Unique Device Identifier (UDID), a series of user-specific digits that can be tracked between apps to assemble a profile of a specific person's behavior. Four percent uploaded the device's location, and half a percent uploaded the user's contact list. When the researchers analyzed the unauthorized Cydia apps, on the other hand, only four percent leaked the user's UDID, and only one app out of the 500 tested–a program specifically designed for espionage called MobileSpy–leaked location or contact data.

But why would Cydia's unauthorized apps actually leak private data less often than those that Apple approves? Egele points to Cydia's culture of privacy among administrators and users. "The people who run Cydia seem very conscious of what information is available and can be accessed," says Egele. "The applications you get from Cydia are geared toward more privacy-aware people."
I've contacted Apple for comment and will update this post if I hear back from the company.
"If you care about this kind of thing, you should jailbreak your phone," says Freeman. "Instead of Apple making decisions about what's good and bad, you decide. People think jailbreaking is about deciding that things Apple doesn't like are good. But it also allows you to decide that things Apple likes are bad. We provide you the tools to block the functionality you don't believe apps should have on your phone."
References
1. news that the iPhone app Path uploads users' entire contact lists (thenextweb.com) ( http://thenextweb.com/apps/2012/02/07/path-2-uploads-your-address-book-but-says-that-its-for-friend-matching-and-will-be-opt-in-soon/ )
2. here (seclab.cs.ucsb.edu) ( http://seclab.cs.ucsb.edu/media/uploads/papers/egele-ndss11.pdf )
3. discovery by a Singaporean researcher that the social networking app Path uploads users' contact list (mclov.in) ( http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html )
4. using security flaws hackers find in iOS's code (www.forbes.com) ( http://www.forbes.com/sites/andygreenberg/2011/08/01/meet-comex-the-iphone-uber-hacker-who-keeps-outsmarting-apple/ )
5. ContactPrivacy (www.cultofmac.com) ( http://www.cultofmac.com/145112/how-to-keep-apps-like-path-from-accessing-your-contacts-data-jailbreak/ )
6. PrivaCy (cydia.saurik.com) ( http://cydia.saurik.com/package/com.saurik.privacy )
7. here (seclab.cs.ucsb.edu) ( http://seclab.cs.ucsb.edu/media/uploads/papers/egele-ndss11.pdf )
As the scandal swirled this past week over news that the iPhone app Path uploads users' entire contact lists [1] without permission, I came upon a study (PDF here [2]) released last year by a group of researchers at the University of California at Santa Barbara and the International Security Systems Lab that aimed to analyze how and where iPhone apps transmit users' private data. Not only did the researchers find that one in five of the free apps in Apple's app store upload private data back to the apps' creators that could potentially identify users and allow profiles to be built of their activities; they also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on "jailbroken" iPhones, tend to leak private data far less frequently than Apple's approved apps.
For Manuel Egele, a post-doctoral researcher at UCSB, the discovery by a Singaporean researcher that the social networking app Path uploads users' contact list [3] only confirms a pattern he and his co-authors have long seen. Four of the Apple-approved apps he tested last year were found to similarly upload contacts, including one from the location-based social network Gowalla. "Clearly this behavior hasn't changed over the last year. I'm not sure whether there's been any improvement from Apple's side," Egele says. "For easily accessible data, app store apps are much more frequently accessing and leaking that data. The app store is supposed to be a walled garden. Unless Apple gives approval, you can't put things there. But whatever job the company is doing isn't good enough."
With somewhere between 10 million and 15 million users, Cydia's app platform has become the default unofficial app store of users who jailbreak their iPhones and iPads, hacking them to install applications and operating system tweaks that Apple's restrictions are designed to block. That kind of device hacking, using security flaws hackers find in iOS's code [4] to unlock its restrictions against running unapproved code, also introduces new security and privacy risks for users by stripping away the phone or tablet's security features and leaving the device open to malware.
But Jay Freeman, Cydia's creator, points to numerous applications available via Cydia that actually give users privacy and security features they wouldn't otherwise have. Immediately after the Path scandal broke, for instance, a developer named Ryan Petrich created a tweak for Cydia called ContactPrivacy [5] that warns the user whenever an application wants to upload his or her contact information (shown above), rather than simply allowing the data to be transmitted by default. Another app that Freeman wrote himself, called PrivaCy [6], gives users a toggle switch that allows them to control whether any particular app can upload usage statistics to a remote server.
Read the study from the International Security Systems Lab and the University of California at Santa Barbara here [7].