Although we are often skeptical of reports from security companies, a new report today from BitDefender highlighted just how important Apple’s new data isolation privacy initiative is in iOS. Starting with the public release of iOS 6 this fall, users will be prompted to grant access to apps that want personal data such as contacts, calendars, reminders, and photos. However, until then, BitDefender claimed approximately 18.6 percent of the 65,000 iPhone apps included in its study can still access a user’s address book data, while 41 percent can track location.

Even more troubling is that only 57.5 percent of apps encrypt that cropped private data. MobileEntertainment (via COM) quoted BitDefender Chief Security Researcher Catalin Casoi:

“It is worrying stored data encryption on iOS apps is low and location tracking is so prevalent. Without notification of what an app accesses, it is difficult to control what information users give up…” “We see a worrying landscape of poor user data encryption, prevalent location tracking and silent, unjustified, Address Book access.”

In related news, BitDefender’s iOS tool for detecting these apps, called Clueful, was recently removed by Apple from the App Store. The app had been available since May, and the issue of apps collecting data without user permission clearly still exists, but it’s unclear why Apple decided to remove the Clueful app. BitDefender mentioned on its blog that it’s looking into the issue.

After an outcry from various consumer groups and government bodies, Apple promised earlier this year to implement stricter privacy controls and notifications for app developers requesting private user data. Apple will now do so as part of its data isolation privacy initiative in iOS 6. Many apps, like Path and Instagram, already implemented warnings for users on their own. However, in a recent beta, Apple described the changes coming to iOS 6:

According to the “Security” section of the release notes:

In iOS 6, the system now protects Calendars, Reminders, Contacts, and Photos as part of Apple’s data isolation privacy initiative.

Users will see access dialogs when an app tries to access any of those data types. The user can switch access on and off in Settings > Privacy.

There are APIs available to allow developers to set a “purpose” string that is displayed to users to help them understand why their data is being requested.

There are changes to the EventKit and Address Book frameworks to help developers with this feature.
