ICO issues warning over iPhone apps

The Information Commissioner’s Office (ICO) has warned that iPhone users should not have their personal information collected unless they are aware of it.

When asked about recent research into iPhone security, a spokesman for the ICO told TechEye: “Individuals should be made aware of what personal information is being collected about them and by whom.

“If there is any way to relate the information to an individual then they should be made aware of this and they can then decide whether to use the application in question.”

The comments followed a security expert issuing a stark warning on iPhone security earlier this month.

The study by Eric Smith, assistant director for information security and networking at Bucknell University in Lewisburg, Pennsylvania, found that 68% of the most popular free iPhone apps were transmitting the Unique Device Identifier, or UDID, back to a remote server owned either by the application developer or by an advertising partner.

In addition, some apps even sent personal details such as the logged-in user’s real name in plain text.

Of the 57 applications Smith tested, 38 sent the UDID each time the app was launched.

Of the rest, 14% of the sample sent no such data at all, while the remainder communicated only over encrypted connections.

The report added that “a substantial number” of applications collected both the phone’s UDID and some form of user login data which tied to a stored user account.

It explained: “These applications, such as Amazon, Facebook or Twitter, inherently have the ability to tie a UDID to a real-world identity. This ability, combined with the demonstrated widespread collection of UDID usage data, illustrates the ease of real-time user tracking.”

In the report, entitled iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs), Mr Smith said: “While some iPhone owners may purposefully want some trusted vendors to have access to their addresses, phone numbers, credit cards, and real names, they should be alarmed at the prospect of these same companies sharing their personal information with others.

“Is there any reason why the developer of a video game should know your home address?”

He added that privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that “it would be feasible – and technically, quite simple – for their browsing patterns, app usage, and physical location to be collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies.

“Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information.    

“Since our study focused on applications which are available free of charge, it was not surprising to find that a large portion of the UDID leakage we observed was directly tied to advertisements and advertising networks. 

“Several patterns emerged from our data which suggest that a handful of companies are in control of the in-app advertising market on the iPhone platform.”

The report noted that every iPhone Apple has shipped since the device’s introduction in 2007 carries a unique, software-visible serial number: the UDID.

Mr Smith also raised concerns over “extremely long-lived tracking cookies”, which could be planted on a phone and continue to track an individual long after they had got rid of the device. Two examples were the BBC News app, whose tracking cookie did not expire for four years, and the ABC News app, whose cookie did not expire for 20 years.

He warned: “The existence of these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals’ new phones as they upgrade to the newest iPhone model every few years.”
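The study as described above boils down to three checks on what an app sends off the device: a UDID leaving in the clear, a UDID travelling alongside an account identifier that ties it to a real person, and a Set-Cookie with a multi-year lifetime. The script below, added here as an illustration and not code from the article or from Smith’s study, runs those three checks over a few constructed HTTP captures. The capture format, the host names, the UDID values, the capture date and the one-year “long-lived” threshold are all assumptions made for the example; the 40-hex-character shape is the UDID format of the period.

```python
"""Audit captured app traffic for UDID leakage and long-lived tracking cookies.

Added example (not code from the article or the study). All captures below
are constructed; hostnames, identifiers and dates are assumptions.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# iOS UDIDs of that era were 40 hex characters (SHA-1 sized).
UDID_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)
# A UDID sent next to one of these fields lets the recipient tie device to person.
IDENTITY_RE = re.compile(r"\b(username|email|realname|name)\s*[=:]", re.IGNORECASE)
LONG_LIVED_DAYS = 365                      # assumed threshold; article cites 4y and 20y
NOW = datetime(2010, 10, 1, tzinfo=timezone.utc)   # assumed capture date

# Constructed request/response pairs in an assumed, simplified capture shape.
CAPTURED = [
    {"host": "ads.example-adnetwork.test", "scheme": "http",
     "target": "/track?udid=0123456789abcdef0123456789abcdef01234567&app=game",
     "headers": {"User-Agent": "Game/1.0"}, "body": "",
     "resp_headers": {"Set-Cookie": "t=abc; Path=/; Max-Age=631152000"}},   # 20 years
    {"host": "social.example.test", "scheme": "https", "target": "/login",
     "headers": {"X-Device-Id": "89abcdef0123456789abcdef0123456789abcdef"},
     "body": "username=alice&password=hunter2",
     "resp_headers": {"Set-Cookie": "sid=xyz; Path=/; HttpOnly"}},          # session
    {"host": "news.example.test", "scheme": "https", "target": "/feed",
     "headers": {}, "body": "",
     "resp_headers": {"Set-Cookie": "uid=42; Expires=Wed, 01 Oct 2014 00:00:00 GMT; Path=/"}},
    {"host": "cdn.example.test", "scheme": "http", "target": "/img/logo.png",
     "headers": {}, "body": "", "resp_headers": {}},
]


def _request_text(tx):
    """Flatten target, headers and body so one regex pass covers all of them."""
    hdrs = "\n".join(f"{k}: {v}" for k, v in tx["headers"].items())
    return "\n".join([tx["target"], hdrs, tx["body"]])


def find_udid_leaks(captures):
    """One finding per request carrying a UDID-shaped value, noting whether it
    went in the clear and whether an identity field travelled with it."""
    findings = []
    for tx in captures:
        text = _request_text(tx)
        match = UDID_RE.search(text)
        if not match:
            continue
        findings.append({
            "host": tx["host"],
            "udid": match.group(0).lower(),
            "cleartext": tx["scheme"] == "http",
            "linkable": IDENTITY_RE.search(text) is not None,
        })
    return findings


def cookie_lifetime_days(set_cookie, now):
    """Lifetime in days implied by a Set-Cookie header; None for a session cookie."""
    max_age = expires = None
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            max_age = int(value)
        elif name == "expires":
            expires = parsedate_to_datetime(value.strip())
    if max_age is not None:            # Max-Age wins over Expires (RFC 6265 s5.3)
        return max_age / 86400
    if expires is not None:
        return (expires - now).total_seconds() / 86400
    return None


def find_long_lived_cookies(captures, now=NOW, threshold_days=LONG_LIVED_DAYS):
    """Cookies whose lifetime meets the threshold, with the lifetime in whole days."""
    findings = []
    for tx in captures:
        set_cookie = tx["resp_headers"].get("Set-Cookie")
        if not set_cookie:
            continue
        days = cookie_lifetime_days(set_cookie, now)
        if days is not None and days >= threshold_days:
            findings.append({"host": tx["host"],
                             "cookie": set_cookie.split("=", 1)[0],
                             "days": round(days)})
    return findings


if __name__ == "__main__":
    for leak in find_udid_leaks(CAPTURED):
        print("UDID leak:", leak)
    for cookie in find_long_lived_cookies(CAPTURED):
        print("long-lived cookie:", cookie)
```

Run against the constructed captures, the ad network receives the UDID over plain HTTP and sets a 20-year cookie, the social app receives a UDID next to a username (encrypted, but now tied to a person), and the news app sets a four-year cookie without sending a UDID at all. A real audit would feed the same functions from a proxy or packet capture rather than a hard-coded list.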

The warnings echoed those in a report last week where researchers showed how a large number of Android apps were covertly transmitting GPS and phone data to advertisers.

The research from Duke University, Pennsylvania State University and Intel Labs again looked at popular free applications – and found that half of them were sending sensitive information to advertisers, including the GPS-tracked location of the user and their telephone number.

Mr Smith concluded his report by warning that the iPhone’s UDID was “eerily similar to the Pentium 3’s Processor Serial Number (PSN)”.

But he noted that while the Intel Pentium 3’s PSN elicited a storm of outrage from the public and government over the inherent privacy risks associated with the ease with which a particular device could be remotely identified, no such concern had yet been raised about this same problem on the iPhone platform.

He added: “Curiously, many of the same governments who threatened to ban the Pentium 3 in 1999 have since endorsed the use of the iPhone.

“Since UDIDs can be readily linked to personally-identifiable information, the ‘Big Brother’ concerns from the Pentium 3 days should be a concern for today’s Apple mobile device users as well.”