Mobile phone apps view private data more than necessary, says French study

Mobile phone users lack control over apps' access to private data, two government agencies said

Mobile phone apps are accessing users' private data and transmitting it to remote servers far more than appears strictly necessary, while users have inadequate tools to monitor or control such access, according to a new study by two French government agencies.

The French National Commission on Computing and Liberty (CNIL) studied the behavior of 189 apps on six iPhones equipped with monitoring software and analysis tools developed by the French National Institute for Research in Computer Science and Control (INRIA). The goal was to improve general understanding of the way apps use private data, not to point the finger at particular developers, CNIL President Isabelle Falque-Pierrotin said Tuesday at a news conference to present the research.

Rather than study apps in laboratory conditions, CNIL took a real-world approach, asking six volunteers to put their own SIM cards in the phones and use them as they would their own between mid-October and mid-January. One volunteer downloaded almost 100 apps, and one added just five to those installed by Apple.

One in 12 of the apps accessed the address book, and almost one in three accessed location information. On average, the users had their location tracked 76 times a day during the study. Foursquare and Apple's own Maps app requested location information the most often -- perhaps understandable given their purpose -- with AroundMe and Apple's Camera app close behind.

The iPhone's name was accessed by one app in six, something the researchers found inexplicable because it serves almost no purpose and is far from a unique identifier, although since it often contains the user's given name, it could be considered personally identifiable information.

Facebook's app apparently made little attempt to access such private information -- but then, said the researchers, it has no need, as its users already tell it so much anyway.

The data accessed by far the most in the study was the iPhone's Universal Device Identifier (UDID), a serial number permanently associated with a particular phone. Almost half the apps accessed it, and one in three of those sent it over the Internet unencrypted. The app of one daily newspaper accessed the UDID 1,989 times during the study, sending it 614 times to its publisher.

CNIL spokesman Stéphane Petitcolas demonstrated how users might regain control with a new settings tool to limit how apps access all kinds of private information, much as Apple allows users to control access to location information today. Apple hasn't seen the tool yet, but INRIA would consider sharing the code if the company was interested, said Claude Castelluccia, director of the research team.

Buyers of iPhone apps have little idea what information or functions their apps will access. Google's Play Store shows what information and functions an app will access -- but the choice is all or nothing. Older versions of the BlackBerry OS gave users more freedom to choose which APIs (application programming interfaces) they would allow an app to access, at the risk of breaking the app, but in BlackBerry 10 that granular control is available only for native apps: For Android apps the choice is once again take it or leave it.

Apple is taking baby steps toward giving users that kind of control. In iOS 5 they could prevent individual apps from accessing their location, and in iOS 6 they will have another option as Apple seeks to wean developers off using the UDID to identify users and target advertising.

Instead, Apple wants developers to use the Advertising Identifier it introduced in iOS 6. This is not permanently associated with a phone or person, and users who don't want to be tracked can change it whenever they wish -- as long as they think to look in Settings/General/About/Advertising rather than the more obvious Settings/Privacy.

That option wasn't available to the participants in the CNIL-INRIA study, though, which for technical reasons was conducted using iOS 5. The next phase of research will use iOS 6, now that INRIA has updated its monitoring app to use the new version.

To monitor how the apps accessed private information, INRIA had to jailbreak the iPhones and install a special app to intercept the Apple APIs through which apps request access to private information, said INRIA researcher Vincent Roca. The researchers chose to work on iPhones because they already had experience developing for iOS. They are now developing an app with similar capabilities for Android phones, which they have to root in order to install it.

INRIA's monitoring app recorded each intercepted request in a database on the phone, along with the private information requested, so that it could identify it in outbound network traffic. The iOS 5 app could only monitor unencrypted network traffic, but the version for iOS 6 can now hook the network APIs before the traffic is encrypted, Roca said.

The app also forwarded intercepted requests to a central server for the study -- without the related private information, as even experimental subjects are entitled to their privacy, the researchers emphasized.

INRIA and CNIL are only just beginning to analyze the data they collected from the six iPhones: There's 9 gigabytes of it, covering 7 million privacy events over the three-month period.

One thing the study has already revealed is that some access to private data is accidental. An app to identify the closest Paris swimming pool (the city has 38 within a radius of about 5 kilometers) accessed location information far more than necessary to perform its function, apparently due to a programming error, CNIL's Petitcolas said.

Peter Sayer covers open source software, European intellectual property legislation and general technology breaking news for IDG News Service. Send comments and news tips to Peter at peter_sayer@idg.com.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacymobilesmartphonesinternetAppleAndroidadvertisingiosiPhoneanalyticsmobile applicationsapplicationstelecommunicationconsumer electronicsMobile OSesAndroid OSFrench National Commission on Computing and Liberty (CNIL)French National Institute for Research in Computer Science and Control (INRIA)

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Peter Sayer

Peter Sayer

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?