Android, iPhone Apps Pose Privacy Problems
Two recent studies find privacy controls for Android devices and iPhones lacking.
Smartphones may not be a smart choice if you want privacy. Two reports published last week indicate that both Android and iPhone apps may reveal more details about users' identities, whereabouts, and online activities than users might wish or expect.
A report titled "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" says that of 30 third-party Android apps studied, two-thirds revealed suspicious handling of sensitive data and half reported users' locations to the servers of third-party advertisers.
The term "TaintDroid" refers to an Android extension developed by the report's authors that monitors information flow on Android devices in real-time. The researchers responsible for the paper, from Duke University, Intel Labs, and Penn State University, are presenting their findings this week at the Usenix OSDI conference.
The uses of information documented by the researchers are not necessarily harmful. But they underscore the gap between privacy controls and user expectations. Mostly, the study validates the need for mobile phone security tools like TaintDroid as a means of verifying app integrity.
"Resolving the tension between the fun and utility of running third-party mobile applications and the privacy risks they pose is a critical challenge for smartphone platforms," the paper states. "Mobile-phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but provide little insight into how private information is actually used."
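The gap the paper describes, between permission to access data and insight into where it flows, is what dynamic taint tracking addresses. The following toy model is an added illustration written for this article, not TaintDroid's own code: values read from sensitive sources carry a taint label, the label propagates through string operations, and a simulated network sink records which sources are about to leave the device. The source names, host names, and the sample app are constructed for the example.

```python
"""Toy dynamic taint tracking in the spirit of the TaintDroid approach.

Illustrative model only (not TaintDroid's code): sensitive sources label
values, labels propagate through operations, and a network sink reports
which labelled sources reach each destination.
"""
from dataclasses import dataclass, field

# Constructed set of sensitive sources for the model
LOCATION = "location"
DEVICE_ID = "device_id"
CONTACTS = "contacts"


@dataclass(frozen=True)
class Tainted:
    """A string value together with the set of sources it derives from."""
    value: str
    taint: frozenset = field(default_factory=frozenset)

    def __add__(self, other):
        # Concatenation carries the union of both operands' labels
        if isinstance(other, Tainted):
            return Tainted(self.value + other.value, self.taint | other.taint)
        return Tainted(self.value + str(other), self.taint)

    def __radd__(self, other):
        # Handles plain_str + Tainted; the plain prefix adds no labels
        return Tainted(str(other) + self.value, self.taint)


def source(name, value):
    """Mark a value as read from the named sensitive source."""
    return Tainted(value, frozenset({name}))


class NetworkSink:
    """Stands in for the socket layer: records what leaves and its taint."""

    def __init__(self):
        self.reports = []  # list of (host, sorted list of leaked sources)

    def send(self, host, payload):
        taint = payload.taint if isinstance(payload, Tainted) else frozenset()
        self.reports.append((host, sorted(taint)))
        return bool(taint)  # True when labelled data is leaving the device


def summarize(reports):
    """Collapse the sink's log into host -> sorted list of sources seen."""
    seen = {}
    for host, taint in reports:
        seen.setdefault(host, set()).update(taint)
    return {host: sorted(taint) for host, taint in seen.items()}


def run_sample_app(sink):
    """Constructed app: builds an ad request from location and device ID,
    then performs an untainted version check."""
    lat = source(LOCATION, "40.44")
    lon = source(LOCATION, "-79.99")
    device_id = source(DEVICE_ID, "DEVICE-ID-PLACEHOLDER")
    ad_request = "lat=" + lat + "&lon=" + lon + "&id=" + device_id
    sink.send("ads.example", ad_request)          # tainted: location, device_id
    sink.send("updates.example", Tainted("v=1.0"))  # clean
    return summarize(sink.reports)


if __name__ == "__main__":
    for host, sources in run_sample_app(NetworkSink()).items():
        print(host, "<-", sources or "no sensitive data")
```

The coarse-grained permission model the paper criticizes would only say that this app may read location and the device identifier; the sink log shows that both were sent to the advertising host while the update host received nothing sensitive, which is the per-flow view the researchers argue users need.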
A separate paper entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)" indicates that of 57 iPhone apps reviewed, 68% sent the device's UDID back to a remote server upon launch and 18% sent unknown encrypted data back to remote servers.
The paper's author, Eric Smith, assistant director of information security and networking at Bucknell University, says that in some cases a UDID can be used to determine a user's identity. He notes rather ruefully that while Intel's Pentium 3's Processor Serial Number scheme caused outrage when it was announced in 1999, no one seems to be much concerned about the iPhone UDID as a means of potential identification. And he faults Apple for failing to provide a way for iPhone users to delete application cookies -- unaffected by mobile Safari's "Clear Cookies" function -- or to block UDIDs from being transmitted.
The privacy risk posed by a UDID is that the number can potentially be used to identify the user and track his or her mobile browsing across Web sites and mobile applications.
"Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," concludes Smith.