10/4/2010
06:42 PM

Android, iPhone Apps Pose Privacy Problems

Two recent studies find privacy controls for Android devices and iPhones lacking.

Smartphones may not be a smart choice if you want privacy. Two reports published last week indicate that both Android and iPhone apps may reveal more details about users' identities, whereabouts, and online activities than users might wish or expect.

A report titled "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" says that of 30 third-party Android apps studied, two-thirds revealed suspicious handling of sensitive data and half reported users' locations to the servers of third-party advertisers.

The term "TaintDroid" refers to an Android extension developed by the report's authors that monitors information flow on Android devices in real-time. The researchers responsible for the paper, from Duke University, Intel Labs, and Penn State University, are presenting their findings this week at the Usenix OSDI conference.

The information uses documented by the researchers are not necessarily harmful. But they underscore the gap between privacy controls and user expectation. Mostly, the study validates the need for mobile phone security tools like TaintDroid as a means of verifying app integrity.

"Resolving the tension between the fun and utility of running third-party mobile applications and the privacy risks they pose is a critical challenge for smartphone platforms," the paper states. "Mobile-phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but provide little insight into how private information is actually used."

A separate paper entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)" indicates that of 57 iPhone apps reviewed, 68% sent the device's UDID back to a remote server upon launch and 18% sent unknown encrypted data back to remote servers.

The paper's author, Eric Smith, assistant director of information security and networking at Bucknell University, says that in some cases, a UDID can be used to determine a user's identity. He notes rather ruefully that while Intel's Pentium 3 Processor Serial Number scheme caused outrage when it was announced in 1999, no one seems to be much concerned about the iPhone UDID as a means of potential identification. And he faults Apple for failing to provide a way for iPhone users to delete application cookies -- unaffected by mobile Safari's "Clear Cookies" function -- or to block UDIDs from being transmitted.

The privacy risk posed by a UDID is that such a number can potentially be used to identify the user and track his or her mobile browsing across Web sites and mobile applications.

"Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," concludes Smith.
