Mobile phone apps view private data more than necessary, says French study

Mobile phone users lack control over apps' access to private data, two government agencies said

Mobile phone apps are accessing users' private data and transmitting it to remote servers far more than appears strictly necessary, while users have inadequate tools to monitor or control such access, according to a new study by two French government agencies.

The French National Commission on Computing and Liberty (CNIL) studied the behavior of 189 apps on six iPhones equipped with monitoring software and analysis tools developed by the French National Institute for Research in Computer Science and Control (INRIA). The goal was to improve general understanding of the way apps use private data, not to point the finger at particular developers, CNIL President Isabelle Falque-Pierrotin said Tuesday at a news conference to present the research.

Rather than study apps in laboratory conditions, CNIL took a real-world approach, asking six volunteers to put their own SIM cards in the phones and use them as they would their own between mid-October and mid-January. One volunteer downloaded almost 100 apps, and one added just five to those installed by Apple.

One in 12 of the apps accessed the address book, and almost one in three accessed location information. On average, the users had their location tracked 76 times a day during the study. Foursquare and Apple's own Maps app requested location information the most often -- perhaps understandable given their purpose -- with AroundMe and Apple's Camera app close behind.

The iPhone's name was accessed by one app in six, something the researchers found inexplicable because it serves almost no purpose and is far from a unique identifier, although since it often contains the user's given name, it could be considered personally identifiable information.

Facebook's app apparently made little attempt to access such private information -- but then, said the researchers, it has no need, as its users already tell it so much anyway.

The data accessed by far the most in the study was the iPhone's Universal Device Identifier (UDID), a serial number permanently associated with a particular phone. Almost half the apps accessed it, and one in three of those sent it over the Internet unencrypted. The app of one daily newspaper accessed the UDID 1,989 times during the study, sending it 614 times to its publisher.

CNIL spokesman Stéphane Petitcolas demonstrated how users might regain control with a new settings tool to limit how apps access all kinds of private information, much as Apple allows users to control access to location information today. Apple hasn't seen the tool yet, but INRIA would consider sharing the code if the company was interested, said Claude Castelluccia, director of the research team.

Buyers of iPhone apps have little idea what information or functions their apps will access. Google's Play Store shows what information and functions an app will access -- but the choice is all or nothing. Older versions of the BlackBerry OS gave users more freedom to choose which APIs (application programming interfaces) they would allow an app to access, at the risk of breaking the app, but in BlackBerry 10 that granular control is available only for native apps: For Android apps the choice is once again take it or leave it.

Apple is taking baby steps toward giving users that kind of control. In iOS 5 they could prevent individual apps from accessing their location, and in iOS 6 they will have another option as Apple seeks to wean developers off using the UDID to identify users and target advertising.

Instead, Apple wants developers to use the Advertising Identifier it introduced in iOS 6. This is not permanently associated with a phone or person, and users who don't want to be tracked can change it whenever they wish -- as long as they think to look in Settings/General/About/Advertising rather than the more obvious Settings/Privacy.

That option wasn't available to the participants in the CNIL-INRIA study, though, which for technical reasons was conducted using iOS 5. The next phase of research will use iOS 6, now that INRIA has updated its monitoring app to use the new version.

To monitor how the apps accessed private information, INRIA had to jailbreak the iPhones and install a special app to intercept the Apple APIs through which apps request access to private information, said INRIA researcher Vincent Roca. The researchers chose to work on iPhones because they already had experience developing for iOS. They are now developing an app with similar capabilities for Android phones, which they have to root in order to install it.

INRIA's monitoring app recorded each intercepted request in a database on the phone, along with the private information requested, so that it could identify it in outbound network traffic. The iOS 5 app could only monitor unencrypted network traffic, but the version for iOS 6 can now hook the network APIs before the traffic is encrypted, Roca said.

The app also forwarded intercepted requests to a central server for the study -- without the related private information, as even experimental subjects are entitled to their privacy, the researchers emphasized.

INRIA and CNIL are only just beginning to analyze the data they collected from the six iPhones: There's 9 gigabytes of it, covering 7 million privacy events over the three-month period.

One thing the study has already revealed is that some access to private data is accidental. An app to identify the closest Paris swimming pool (the city has 38 within a radius of about 5 kilometers) accessed location information far more than necessary to perform its function, apparently due to a programming error, CNIL's Petitcolas said.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags telecommunicationiosiPhoneAndroidmobileinternetprivacyanalyticsmobile applicationsAppleAndroid OSconsumer electronicsFrench National Institute for Research in Computer Science and Control (INRIA)securitysmartphonesMobile OSesFrench National Commission on Computing and Liberty (CNIL)advertisingapplications

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?