Study finds 14% of free iPhone apps can snoop contacts

post #1 of 63
Thread Starter 
A survey of 300,000 applications for both the iPhone and Android devices found that 14 percent of free App Store software has the ability to access a user's contacts on their iPhone.

This week at the Black Hat conference in Las Vegas, Nev., security research firm Lookout revealed that it analyzed more than 300,000 free applications available on both the iPhone App Store and Android Market.

As noted earlier, the mobile security firm revealed a wallpaper application for Google's Android mobile operating system that allegedly captures a handset's SIM card number, subscriber identification and voicemail password, and reportedly sends it to the website www.imnet.us, owned by someone in Shenzhen, China.

In addition, Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data. That's more than on Android, where 8 percent of tested applications could view the contact list.

Additionally, 33 percent of free applications on the App Store have the ability to access a user's location. The difference is, Apple's iOS mobile operating system requires third-party software to inform users when the application is accessing their location. Such rules do not, however, exist for contacts. For comparison, 29 percent of free Android software has the ability to access a user's location.

Finally, Lookout also found that 47 percent of free Android applications include third-party code, such as mobile ads and analytics tracking. That number is 23 percent on the iPhone. The survey found that 28 percent of software on the App Store is free, compared with 64 percent on the Android Market.



Lookout's findings were also publicized this week by the Associated Press, which reported that nearly a quarter of tested iPhone applications contained software code with the ability to access either pictures, text messages, or Internet and search histories, in addition to contacts. Reporter Jordan Robertson reached out to both Apple and Google for comment on the survey, but neither company responded.

"Part of the problem is smart phones don't alert users to all the different types of data the applications running on them are collecting. iPhones only alert users when applications want to use their locations," the report said. "And while Android phones offer robust warnings when applications are first installed, many people breeze through them for the gratification of using the apps quickly."
post #2 of 63
Quote:
Originally Posted by AppleInsider View Post

In addition, Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data. That's more than on Android, where 8 percent of tested applications could view the contact list.

Have the ability without the user's knowledge or consent? If so, that is pretty shitty.
Dick Applebaum on whether the iPad is a personal computer: "BTW, I am posting this from my iPad pc while sitting on the throne... personal enough for you?"
post #3 of 63
So where is the list of iPhone apps that can access contacts?
post #4 of 63
They are using the term "capability", isn't ANY app "capable" of accessing your contacts if the coder wishes so? And wouldn't that translate to 100% of apps being "capable" of accessing the sensitive information on the phones?
post #5 of 63
Quote:
Originally Posted by spoonyfork View Post

So where is the list of iPhone apps that can access contacts?

Exactly, this is probably some bullcrap Android made up to try to scare us and "respond" to the security allegations that came out earlier today.

Apple wouldn't allow this to happen.

iPad2 16 GB
iPhone 5 32 GB

post #6 of 63
And what percentage of the paid apps do as well?

Life is too short to drink bad coffee.

post #7 of 63
Why does the article title assume the app is "snooping" contacts. The apps that do this are most likely doing it for a feature. Most IM apps probably access the list of contacts. The whole article has a tone that this is somehow bad.
post #8 of 63
Maybe Apple needs to think about ringfencing certain parts of the phone so you enter a password if you allow an app to access certain parts of the phone.

For now I'm thinking that I'm going to only want to use apps from companies that I trust and who have privacy policies or just that 'big company' accountability that you won't get from a no-name app.

Another thing I was thinking is that maybe iAds ... if Apple are the only recipient of some parts of your information is now possibly going to look like the only free ad sponsored app that can be trusted as long as Apple does the right thing by users.

The next part of the story I want to know about this is which ad companies are the current ones that are pulling out lots of information and what does iAd do in comparison.
post #9 of 63
Quote:
Originally Posted by solipsism View Post

Have the ability without the user's knowledge or consent? If so, that is pretty shitty.

Does this mean that the code is actually executed or that a hacker could access the unused code?
post #10 of 63
Whoop-de-doo!

I can exceed every speed limit in the state with my old pickup truck. Does that mean it's unsafe?

Apple runs like a rabbit to keep up with checking on the apps approved. Android sits around beating their breast about open source freedom. I'll stick with the former spec, thank you.
post #11 of 63
Seems that the real issue here is that the internet grew faster than people could figure out how to regulate it. You can't record a phone conversation, you can't track people with cameras, or even follow them around (at least usually), yet you can do this. And you can do it on any computerized device. The only solution will be when rules are drawn up that make it illegal to track people. Put it under the laws designed to protect privacy. Never happen mind you, as there is now far too much money involved.

Notice how you can do a google search, then for days afterwards specific ads for that product appear everywhere? And, searches at work follow me home, I don't know what I did to allow Google to track me like that, but they are looking far too hard at what I do for comfort.

Anyone with legal experience know where this issue stands? I hear something of it every now and again, but it's mostly quiet. I know that by using servers (like google), there is some justification that they are using that goes something like this: in trade for the free service, we keep and use the data you transmit. However, taking contacts, that should be outright theft, should it not, if that is in fact what is happening?
post #12 of 63
Nice scary infographic about “mobile threats.” With “3rd Party Code” and “Accessing Your Location” called out in scary boxes Why are these bad things? Because... they’re in scary boxes! See how scary?

As for Contacts, if that’s without permission, then it’s a problem, and I’m glad Apple controls the App Store so they can address it. But the poster doesn’t say it’s without permission—and wouldn’t they probably have said that if it’s true? I’ll be interested to know. (I for one am GLAD my Navigon GPS app can access my contacts to direct me where I tell it to go! I’d hate to have to re-enter every contact manually )

The location thing is bogus—it’s NOT a threat, because you have to give permission. So I wonder about the contacts thing too. Why aren’t they stating it more clearly, if their intent is to show threats?

I suspect there IS some room for Apple and Google to improve here, but burying it in fearmongering seems to cloud the important issues. But... reality is complex, while simple is more marketable

I do like that Apple’s location warning pops up when you USE that feature the first time, not when you install an app. If Android’s warnings are only on install, then they’ll be ignored and not much protection.
post #13 of 63
Love to see the 'Keepers of the Fruit' response to this, as we await the flood of 'Walled Garden Defenders' to arrive...
"Why iPhone"... Hmmm?
post #14 of 63
....what kind of BS FUD reporting is this? Garbage. On the heels of discovering an app on Android that steals a lot of info without notice or permission, accessing contacts as a stated function in an iPhone app, with full knowledge and permission, gets even mentioned in the same breath in a security article. Absolute garbage.

Accessing the contacts and pinpointing your GPS location, is the whole point to the app. These functions are the reason users downloaded them in the first place. Obviously Lookout, and Apple Insider are only interested in creating controversy and FUD because that is their business model.
2011 13" 2.3 MBP, 2006 15" 2.16 MBP, iPhone 4, iPod Shuffle, AEBS, AppleTV2 with XBMC.
post #15 of 63
At least 14% of the free apps I download had better access my contacts as that is why I downloaded them. Messaging apps, voice dictation apps, mapping apps, and many other types work best when they can access your contacts. Throw in social location apps and you have a bunch more that can access both your contacts and location. What is the point of this article? Oh, wait, this is supposed to show that the iOS platform is just as vulnerable to attack as Android, thus mitigating the embarrassing article this morning. I get it now. Good luck with that.
Apple has no competition. Every commercial product which competes directly with an Apple product gives the distinct impression that, Where it is original, it is not good, and where it is good, it...
post #16 of 63
There's a distinction missing in all these articles.

Apps that CAN access certain data -vs- those that simply DO.

Of course I want to know if an app is taking it upon itself, "secretly" in the background, to snoop and transfer my personal data (such as my contact list) offsite to a server somewhere. That is quite simply "malicious" data theft.

However, I know of a number of apps that have the ability to access my contacts. Mail for example, and quite a few others. But they don't do so unless I implicitly tell them to, for example, "Send to a friend" functions, which when evoked pop up and access my contact list to choose the recipient.

That's innocuous functionality. And to present such an app's functions as something sinister isn't right. Now, if that same app uses that function to "scrape" my contact list and send it off to someone? That's a different story altogether.

Right now, the entire body of reporting feels a bit alarmist to me. Not all apps having that ability are bad... let's find and ID the bad ones that are actually stealing data, and isolate them from the many that offer a "feature" as a harmless convenience.
post #17 of 63
Quote:
Originally Posted by nagromme View Post

Nice scary infographic about “mobile threats.” With “3rd Party Code” and “Accessing Your Location” called out in scary boxes Why are these bad things? Because... they’re in scary boxes! See how scary?

As for Contacts, if that’s without permission, then it’s a problem, and I’m glad Apple controls the App Store so they can address it. But the poster doesn’t say it’s without permission—and wouldn’t they probably have said that if it’s true? I’ll be interested to know. (I for one am GLAD my Navigon GPS app can access my contacts to direct me where I tell it to go! I’d hate to have to re-enter every contact manually )

The location thing is bogus—it’s NOT a threat, because you have to give permission. So I wonder about the contacts thing too. Why aren’t they stating it more clearly, if their intent is to show threats?

I suspect there IS some room for Apple and Google to improve here, but burying it in fearmongering seems to cloud the important issues. But... reality is complex, while simple is more marketable

I do like that Apple’s location warning pops up when you USE that feature the first time, not when you install an app. If Android’s warnings are only on install, then they’ll be ignored and not much protection.

Totally agree. This is just more FUD from the Android camp for the most part. Security researchers are known for their binary personalities and extremist positions also, so there's that grain of salt to take into account also.

I find it especially interesting that they even *talk* about location sharing as if it was a threat. Location sharing is the thing the average user is *most* frightened of, but also the thing that is least likely to be a security threat the way Apple has implemented it.

They don't mention the warning that the user gets when it's used, and they don't mention the fact that Apple added that icon to the status bar that tells you explicitly when an app is accessing your location data.

How much more biased can they get?
post #18 of 63
Quote:
Originally Posted by Prof. Peabody View Post

How much more biased can they get?

It's only a start. More coming.

Which of us is the fisherman and which the trout?

post #19 of 63
iOS vs Android. It's rather like the Mac vs PC wars all over again... beginning with creating unnecessary perceptions of vulnerability and hazard... tons o' FUD.

And, once again, one is very prone, while the other, not so much...

I'm glad I don't own an Android phone. That "open market" of apps is a security nightmare waiting to happen. Or, more accurately, not waiting to happen...
post #20 of 63
"Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data."

BUT, the big difference is that the app can't (if Apple is doing their job, that is) do anything malicious with the info. Besides, the only bad thing that could result is spam emails and solicitation phone calls. Much better than having passwords stolen.
post #21 of 63
Quote:
Originally Posted by DaHarder View Post

Love to see the 'Keepers of the Fruit' response to this, as we await the flood of 'Walled Garden Defenders' to arrive...

Um, the Android breach of personal info to China yesterday makes that defense unnecessary.
Hope you and your new Chinese friends enjoy your Android.
post #22 of 63
Quote:
Originally Posted by Povilas View Post

It's only a start. More coming.

anything to protect the hive, my friend.
post #23 of 63
Quote:
Originally Posted by Cubert View Post

"Lookout also discovered that 14 percent of the surveyed free applications available for Apple's iPhone have the capability to access a user's contact data."

Well there's the rub. There's no distinction made whether they actually do or not, or simply that they CAN "access a user's contact data". Well, sure! How many apps do you have that CAN access that data if you ask them to? To forward something, send as an email, etc.? Mail does. Tons of my apps do, by design, on purpose, and because we specifically want them to have that "access".

Making that feature sound scary by default is "bad journalism"... They use different words almost synonymously. "Access", and "Capture" or "Collect". There's a huge difference in the action and intent between those concepts.

They should be focused on those apps that "capture" or "collect" and transmit personal data without a user's implicit permission.

Can anyone name one iOS app that does? I'd love to know about it...
post #24 of 63
Apple REALLY needs to add finely-tunable controls that put the device OWNER in control of ALL access an app makes. This should be in the Settings for EACH app, as well as a GLOBAL setting.
post #25 of 63
Quote:
Originally Posted by libertyforall View Post

Apple REALLY needs to add finely-tunable controls that put the device OWNER in control of ALL access an app makes. This should be in the Settings for EACH app, as well as a GLOBAL setting.

yeah eventually all the data should be like iOS's GPS where the users have total control over it. And explicitly ask the user every time it's triggered.
post #26 of 63
Quote:
Originally Posted by libertyforall View Post

Apple REALLY needs to add finely-tunable controls that put the device OWNER in control of ALL access an app makes. This should be in the Settings for EACH app, as well as a GLOBAL setting.

No. That's a security black hole by relying on the user to customize each application's security settings.

Making a set of security policies that all Developers adhere to is an intelligent solution.
post #27 of 63
What are we talking about, here? Which malicious apps are in the app store that steal personal user information and send the data off to bad people in Schengen China? Hello! Hello! Is this thing on?
Apple has no competition. Every commercial product which competes directly with an Apple product gives the distinct impression that, Where it is original, it is not good, and where it is good, it...
post #28 of 63
Quote:
Originally Posted by 8CoreWhore View Post

....what kind of BS FUD reporting is this? Garbage. On the heels of discovering an app on Android that steals a lot of info without notice or permission, accessing contacts as a stated function in an iPhone app, with full knowledge and permission, gets even mentioned in the same breath in a security article. Absolute garbage.

Accessing the contacts and pinpointing your GPS location, is the whole point to the app. These functions are the reason users downloaded them in the first place. Obviously Lookout, and Apple Insider are only interested in creating controversy and FUD because that is their business model.

Precisely.
Blindness is a condition as well as a state of mind.

post #29 of 63
Quote:
Originally Posted by GQB View Post

Um, the Android breach of personal info to China yesterday makes that defense unnecessary.
Hope you and your new Chinese friends enjoy your Android.

Personally, Android has been nothing short of 'enjoyable' from day one, and (unlike the norm in here) I don't go around speaking for the experiences of others.

Additionally: Given the fanatically unreasonable attitudes displayed by far too many regarding these matters, the article recently posted on foxnews.com (sadly) might not be too far off the mark http://techcrunch.com/2010/07/29/apple-religion/
"Why iPhone"... Hmmm?
post #30 of 63
Quote:
Originally Posted by DaHarder View Post

Love to see the 'Keepers of the Fruit' response to this, as we await the flood of 'Walled Garden Defenders' to arrive...

it certainly beats living under the bridge and chasing goats now doesn't it?

At least you have a good view and can post your silliness quickly from there.
post #31 of 63
Quote:
Originally Posted by DaHarder View Post

Personally, Android has been nothing short of 'enjoyable' from day one, and (unlike the norm in here) I don't go around speaking for the experiences of others.

Additionally: Given the fanatically unreasonable attitudes displayed by far too many regarding these matters, the article recently posted on foxnews.com (sadly) might not be too far off the mark http://techcrunch.com/2010/07/29/apple-religion/

That meme has to be tossed off too at intervals now doesn't it.
post #32 of 63
It does seem like a rather enormous oversight to not require a user's permission to access any of their data such as contacts. Hopefully Apple will remedy that soon.

-kpluck

Do you use MagicJack?

The default settings will automatically charge your credit card each year for service renewal. You will not be notified or warned in any way. You can turn auto renewal off.

post #33 of 63
Quote:
BUT, the big difference is that the app can't (if Apple is doing their job, that is) do anything malicious with the info. Besides, the only bad thing that could result is spam emails and solicitation phone calls. Much better than having passwords stolen.

Wow, that is the weakest standard I've ever heard of before in the personal data protection arena.

Amazing how years of battling against organized crime stealing people's personal info goes up in smoke because people fall in love with irresponsible products and value convenience over safety.

Apple and Google releasing internet appliances without strict personal data protection is a huge step backwards. You may love that your "apps" automatically slurp up your contacts, but I am NOT happy that my friends who use iPhones/Pads are unwittingly exposing my contact info to international data criminals (such as the Chinese incident on record), and that it's called a "feature," and that I have NO way of stopping them.
post #34 of 63
Quote:
Originally Posted by ihxo View Post

yeah eventually all the data should be like iOS's GPS where the users have total control over it. And explicitly ask the user every time it's triggered.

You mean something like this?

Mac has issued a salutation. Cancel or allow?
You are pointing out Vista's flaws. Cancel or allow.
You are coming to a sad realization. Cancel or allow.

Yep, that'll work well when most users on either platform regard these as annoyances - not help.
post #35 of 63
Wouldn't be surprised in a future update if the first time a program wants to access your contacts it will need to ask. Internally it may need to hold on to some sort of key to access the contacts database. This still doesn't help you if the app should be legitimately accessing contacts. This article is falsely implying that Apple did something wrong with respect to security. There certainly is room for improvement but at least the phone isn't left in the open with no safety like Android. The fact that they don't have a malware problem despite having majority smartphone share should speak for itself.

Apple is in a much better situation than Google if they did have a problem too. If an app did manage to sneak through the approval process, Apple could black list it later. They already have a blacklist system in place for malware. There just hasn't been an instance of them using it yet. Apple is also scanning apps to see what APIs they are using. If you have a flashlight app that accesses contacts they probably know something is up.
post #36 of 63
Quote:
Originally Posted by scH4MMER View Post

Wow, that is the weakest standard I've ever heard of before in the personal data protection arena.

Amazing how years of battling against organized crime stealing people's personal info goes up in smoke because people fall in love with irresponsible products and value convenience over safety.

Apple and Google releasing internet appliances without strict personal data protection is a huge step backwards. You may love that your "apps" automatically slurp up your contacts, but I am NOT happy that my friends who use iPhones/Pads are unwittingly exposing my contact info to international data criminals (such as the Chinese incident on record), and that it's called a "feature," and that I have NO way of stopping them.

You can't live in a reinforced nuclear-resistant bunker AND have big bay windows that give you a lovely view of the neighborhood, and instant access to everything. You pick and choose what you desire as your user experience.

You can in fact lock-down both the Android phones and the iPhone. You can choose to NOT access the internet which is by far the largest attack vector for these devices. You can choose to not load any apps that allow access to any user data on the phone. You can choose to not text. It's all about your choices. But you HAVE to choose, security or convenience. They are NOT mutually incompatible, but darn close.
post #37 of 63
Quote:
Originally Posted by DaHarder View Post

Personally, Android has been nothing short of 'enjoyable' from day one, and (unlike the norm in here) I don't go around speaking for the experiences of others.

Additionally: Given the fanatically unreasonable attitudes displayed by far too many regarding these matters, the article recently posted on foxnews.com (sadly) might not be too far off the mark http://techcrunch.com/2010/07/29/apple-religion/

...Go over to CNET or just google the name AndroidFTW (just like I typed it) and tell me they are not treating Android and Google as a whole as a religion. That Fox article is flame bait waiting to happen. Point is you can find "religious" fanatics associated with a lot of different material things. Where do you think the term "crackberry" came from?
post #38 of 63
Quote:
Originally Posted by zeasar View Post

They are using the term "capability", isn't ANY app "capable" of accessing your contacts if the coder wishes so? And wouldn't that translate to 100% of apps being "capable" of accessing the sensitive information on the phones?

Exactly, I don't understand what this statistic is trying to point out. ANY app CAN access the Contacts if it wanted to. It is an open API for iPhone app developers.
post #39 of 63
Quote:
Originally Posted by LewysBlackmore View Post

You can't live in a reinforced nuclear-resistant bunker AND have big bay windows that give you a lovely view of the neighborhood, and instant access to everything. You pick and choose what you desire as your user experience.

You can in fact lock-down both the Android phones and the iPhone. You can choose to NOT access the internet which is by far the largest attack vector for these devices. You can choose to not load any apps that allow access to any user data on the phone. You can choose to not text. It's all about your choices. But you HAVE to choose, security or convenience. They are NOT mutually incompatible, but darn close.

But the openness of the Android phone is like living on the south side of Chicago with the doors unlocked and no security system with a chest full of gold in your living room. I understand the benefits of an open system... but you at least need to have some sort of security mechanisms. Having a store that does simple security validation will help. It doesn't need to be closed for that, but it doesn't work so well if you allow alternative runtimes. Personally the biggest reason I like the AppStore isn't related to security. It keeps more people honest so they buy their software. That has created a more competitive market with lower prices. Video game companies have been saying this about piracy for years... I just never believed them that the price would actually drop. Guess I was wrong, but I expect that this is partially due to indies.
post #40 of 63
I know of two in the App Store off the top of my head (but they warn you beforehand).

Dragon Dictation and Vlingo. I am sure there are plenty others and possibly even some that don't warn you beforehand. Again living inside a walled garden does not mean your data is entirely safe.

I mean come on, developers are a lot smarter than those who Apple employs to review apps. Developers can work around many things if they are so inclined. It has happened many times before. Some of you need to stop being so naive about Apple. Yes Android is much worse but Apple is not Fort Knox by any stretch of the imagination. Hackers have been exploiting iOS software since it debuted in 2007.