Apps Access Data Without Approval

Tuesday, July 24, 2012 @ 07:07 PM gHale

Permission does not seem to be a driving factor with the iOS these days.

Just look at some of the latest facts: One in five iOS apps can access a user’s iPhone address book, two in five iOS apps can track a user’s location, and more than one in three apps store user data without encrypting it, all without user permission, new research said.

Android OS: No Permissions Required
Platform-Specific Java Attack
Exploit Determines OS, then Attacks
Trojan Tricks Routers to Spread Malware

More than 65,000 iOS apps on the Apple App Store revealed tens of thousands of apps access contact information and other data without explicit user permission, according to research from Bitdefender.

Bitdefender used its Clueful app, which enables iPhone owners to learn what apps may be using personal data inappropriately, to collect data for the study, said Catalin Cosoi, chief security researcher.

Apple decided to remove the Clueful app from its App Store once Bitdefender collected its iOS app statistics.

“Some apps can upload your entire contact list [from the address book] to the developer cloud….You have absolutely no idea what the developer can do with that information,” Cosoi said. The developer might sell the personal data to marketers and advertisers, or even hackers.

“There might be privacy infringement that the user should be aware of when installing or using an iOS application,” he added.

Bitdefender also found 30.7% of the iOS apps analyzed can display ads and 16.4% can connect to Facebook. Other functions include tracking usage through Flurry analytics, Google Analytics or Mobclix analytics. Some apps use all three analytics software. Hundreds of apps analyzed also use the iPhone’s unique device identifier, which can identify the owner, while hundreds more use background voice-over-IP, Open Feint usage tracking, and other capabilities.

One application sends unencrypted passwords over an unprotected WiFi. “So you are using your smartphone at a conference, for instance, and you log into a specific service using that application. If an attacker is in the same network as you, the password you sent in the clear over the network can be intercepted by the attacker, who can then use the password to log into your account,” Cosoi said.

“Users do not always know what applications are doing in the background while looking very pretty in the foreground. Once you know all the secrets about an application, you can decide whether you want to keep it if you already have it installed or whether you want to install it if you don’t have it already,” he said.

Leave a Reply

You must be logged in to post a comment.