Android, iPhone Apps Pose Privacy Problems - InformationWeek

Android, iPhone Apps Pose Privacy Problems

Two recent studies find privacy controls for Android devices and iPhones lacking.

Smartphones may not be a smart choice if you want privacy. Two reports published last week indicate that both Android and iPhone apps may reveal more details about users' identities, whereabouts, and online activities than users might wish or expect.

A report titled "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" says that of 30 third-party Android apps studied, two-thirds revealed suspicious handling of sensitive data and half reported users' locations to the servers of third-party advertisers.

The term "TaintDroid" refers to an Android extension developed by the report's authors that monitors information flow on Android devices in real-time. The researchers responsible for the paper, from Duke University, Intel Labs, and Penn State University, are presenting their findings this week at the Usenix OSDI conference.

The information uses documented by the researchers are not necessarily harmful. But they underscore the gap between privacy controls and user expectation. Mostly, the study validates the need for mobile phone security tools like TaintDroid as a means of verifying app integrity.

"Resolving the tension between the fun and utility of running third-party mobile applications and the privacy risks they pose is a critical challenge for smartphone platforms," the paper states. "Mobile-phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but provide little insight into how private information is actually used."

A separate paper entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)" indicates that of 57 iPhone apps reviewed, 68% sent the device's UDID back to a remote server upon launch and 18% sent unknown encrypted data back to remote servers.

The paper's author, Eric Smith, assistant director of information security and networking at Bucknell University, says that in some cases, a UDID can be used to determine a user's identity. He notes rather ruefully that while the Processor Serial Number scheme in Intel's Pentium 3 caused outrage when it was announced in 1999, no one seems to be much concerned about the iPhone UDID as a means of potential identification. And he faults Apple for failing to provide a way for iPhone users to delete application cookies -- unaffected by mobile Safari's "Clear Cookies" function -- or to block UDIDs from being transmitted.

The privacy risk posed by a UDID is that such a number can potentially be used to identify the user and track his or her mobile browsing across Web sites and mobile applications.

"Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," concludes Smith.
