Mobile phone apps are accessing users’ private data and transmitting it to remote servers far more than appears strictly necessary, while users have inadequate tools to monitor or control such access, according to a new study by two French government agencies.
The French National Commission on Computing and Liberty (CNIL) studied the behavior of 189 apps on six iPhones equipped with monitoring software and analysis tools developed by the French National Institute for Research in Computer Science and Control (INRIA). The goal was to improve general understanding of the way apps use private data, not to point the finger at particular developers, CNIL President Isabelle Falque-Pierrotin said Tuesday at a news conference to present the research.
Rather than study apps in laboratory conditions, CNIL took a real-world approach, asking six volunteers to put their own SIM cards in the phones and use them as they would their own between mid-October and mid-January. One volunteer downloaded almost 100 apps, and one added just five to those installed by Apple.
One in 12 of the apps accessed the address book, and almost one in three accessed location information. On average, the users had their location tracked 76 times a day during the study. Foursquare and Apple’s own Maps app requested location information the most often — perhaps understandable given their purpose—with AroundMe and Apple’s Camera app close behind.
The iPhone’s name was accessed by one app in six, something the researchers found inexplicable because it serves almost no purpose and is far from a unique identifier, although since it often contains the user’s given name, it could be considered personally identifiable information.
Facebook’s app apparently made little attempt to access such private information—but then, said the researchers, it has no need, as its users already tell it so much anyway.
The data accessed by far the most in the study was the iPhone’s Universal Device Identifier (UDID), a serial number permanently associated with a particular phone. Almost half the apps accessed it, and one in three of those sent it over the Internet unencrypted. The app of one daily newspaper accessed the UDID 1,989 times during the study, sending it 614 times to its publisher.
CNIL spokesman Stéphane Petitcolas demonstrated how users might regain control with a new settings tool to limit how apps access all kinds of private information, much as Apple allows users to control access to location information today. Apple hasn’t seen the tool yet, but INRIA would consider sharing the code if the company was interested, said Claude Castelluccia, director of the research team.
Buyers of iPhone apps have little idea what information or functions their apps will access. Google’s Play Store shows what information and functions an app will access—but the choice is all or nothing. Older versions of the BlackBerry OS gave users more freedom to choose which APIs (application programming interfaces) they would allow an app to access, at the risk of breaking the app, but in BlackBerry 10 that granular control is available only for native apps: For Android apps the choice is once again take it or leave it.
Apple is taking baby steps toward giving users that kind of control. In iOS 5 they could prevent individual apps from accessing their location, and in iOS 6 they will have another option as Apple seeks to wean developers off using the UDID to identify users and target advertising.
Instead, Apple wants developers to use the Advertising Identifier it introduced in iOS 6. This is not permanently associated with a phone or person, and users who don’t want to be tracked can change it whenever they wish — as long as they think to look in Settings/General/About/Advertising rather than the more obvious Settings/Privacy.
That option wasn’t available to the participants in the CNIL-INRIA study, though, which for technical reasons was conducted using iOS 5. The next phase of research will use iOS 6, now that INRIA has updated its monitoring app to use the new version.
To monitor how the apps accessed private information, INRIA had to jailbreak the iPhones and install a special app to intercept the Apple APIs through which apps request access to private information, said INRIA researcher Vincent Roca. The researchers chose to work on iPhones because they already had experience developing for iOS. They are now developing an app with similar capabilities for Android phones, which they have to root in order to install it.
INRIA’s monitoring app recorded each intercepted request in a database on the phone, along with the private information requested, so that it could identify it in outbound network traffic. The iOS 5 app could only monitor unencrypted network traffic, but the version for iOS 6 can now hook the network APIs before the traffic is encrypted, Roca said.
The app also forwarded intercepted requests to a central server for the study — without the related private information, as even experimental subjects are entitled to their privacy, the researchers emphasized.
INRIA and CNIL are only just beginning to analyze the data they collected from the six iPhones: There’s 9 gigabytes of it, covering 7 million privacy events over the three-month period.
One thing the study has already revealed is that some access to private data is accidental. An app to identify the closest Paris swimming pool (the city has 38 within a radius of about 5 kilometers) accessed location information far more than necessary to perform its function, apparently due to a programming error, CNIL’s Petitcolas said.