Although we are often skeptical of reports from security companies, a new report today from BitDefender highlighted just how important Apple’s new data isolation privacy initiative is in iOS. Starting with the public release of iOS 6 this fall, users will be prompted to grant access when apps request personal data such as contacts, calendars, reminders, and photos. However, until then, BitDefender claimed approximately 18.6 percent of the 65,000 iPhone apps included in its study can still access a user’s address book data, while 41 percent can track location.
Even more troubling is that only 57.5 percent of apps encrypt that cropped private data. MobileEntertainment (via COM) quoted BitDefender Chief Security Researcher Catalin Casoi:
“It is worrying stored data encryption on iOS apps is low and location tracking is so prevalent. Without notification of what an app accesses, it is difficult to control what information users give up…” “We see a worrying landscape of poor user data encryption, prevalent location tracking and silent, unjustified, Address Book access.”
Update: Rogue Amoeba replied to Phil Schiller’s email in a response published on its website. The full response is below.
Following Apple’s decision to pull Rogue Amoeba’s Airfoil Speakers Touch app for a feature allowing iOS devices to stream to one another over AirPlay, Apple explained the app was removed for the feature’s use of non-public APIs. Apple currently only allows Apple TV and certain third parties such as speaker manufacturers to access the AirPlay streaming protocol. The app was allowed back into the App Store earlier this week without the iOS-to-iOS streaming feature, but today we get word from Apple’s Senior Vice President of Worldwide Marketing Phil Schiller, who explained in an email the reason behind removing the app.
An email to Apple’s CEO Tim Cook from concerned consumer Kevin Starbird regarding the app’s removal was met with a direct email response from Schiller. 9to5Mac independently confirmed the emails are authentic. Here is Kevin’s full email addressed to Cook followed by Schiller’s response:
Update: Tickets are now sold out, but the website noted: “Pending tickets are currently with other customers. They may become available, so check back soon”
Update 2: Looks like they might be looking for a bigger venue – the page now lists the event as ‘rescheduled’
With Apple’s WWDC just around the corner, and many TBA sessions still on the latest schedule, you can at least now get tickets for Twitter’s WWDC Open House set to include “tech talks, food and beer with our iOS and native applications engineering team!” There are only 50 or so tickets still available at the time of this writing for the session that—among others—will include talks on “Patterns for Mobile-Friendly API Design,” and “how the Twitter for iPhone team ships code.”
@TwitterMobile and @TwitterEng invite you to an evening of tech talks, food and beer with our iOS and native applications engineering team! Register as soon as you can as we anticipate hitting our capacity very quickly. If you’re planning to bring a +1, please see below (#questions) so you can get in touch with us to let us know their name and info.
Twitter’s session is set to take place on the opening day of WWDC, June 11, from 6:30 p.m. to 9:30 p.m.
Thanks to your amazing support, we feel confident that Apple might revise its position on the Push API. We’ll submit a first version of Sparrow 1.2 including it. This might delay Sparrow 1.2 validation but we’re already working with some partners to include Push in future versions of Sparrow without needing Apple clearance.
Push is coming. With or without Apple.
The team also said version 1.2 will include localization in nine languages, landscape mode when composing, and swipe up and down gestures to move between messages.
A screenshot gallery and version 1.1 updates are below.
Apple responded today to the contacts-sharing issue with a statement indicating it plans to put some form of a setting on contact data that would allow users to control who views the data, similar to the way Apple locks down location data.
“Apps that collect or transmit a user’s contact data without their prior permission are in violation of our guidelines. We’re working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.”
The problem is that iOS apps not only have access to a user’s contacts database (including addresses and notes), but apps also have full and unencumbered access to everything in the iOS app sandbox, such as pictures, music, movies, calendars, and a host of other data. Any of this content is literally open for developers to freely transmit to their own servers while apps are open.
(Note that pictures with geotags will pop up a Location dialog, which can be averted in code with some well-known tricks.)
Moreover, approved apps also have access to the iPhone’s camera and microphone, so apps can also take pictures and make recordings without permission (although this would be easy for the user to detect from the light from the front camera or the red bar during audio). Photos, videos, and audio are transmittable securely or insecurely up to servers that you and Apple do not know about.
To developers, this is no big secret. It is not trivial, but putting that kind of functionality into an app is straightforward and only uses Apple’s publicly available and blessed developer APIs (which means this stuff will not likely be detected by Apple’s App Store approval process).
Obviously, shady developers and even government entities are probably already using such apps to gather information. Therefore, these are some scenarios: