Bitdefender’s research into more than 65,000 iOS apps on the Apple App Store revealed that tens of thousands of apps access contact information and other data without explicit user permission.
Catalin Cosoi, chief security researcher at Bitdefender, explained that the company used its Clueful app, which enables iPhone owners to learn what apps may be using personal data inappropriately, to collect data for the study.
Interestingly, Apple decided to remove the Clueful app from its App Store once Bitdefender collected its iOS app statistics.
“Some apps can upload your entire contact list [from the address book] to the developer cloud…. You have absolutely no idea what the developer can do with that information”, Cosoi told Infosecurity. The developer might sell the personal data to marketers and advertisers, or even to hackers.
“There might be privacy infringement that the user should be aware of when installing or using an iOS application”, he added.
Bitdefender also found that 30.7% of the iOS apps analyzed can display ads and 16.4% can connect to Facebook. Other functions include tracking usage through Flurry analytics, Google Analytics or Mobclix analytics. Some apps use all three analytics services. Hundreds of the apps analyzed also use the iPhone’s unique device identifier, which can identify the owner, while hundreds more use background voice-over-IP, OpenFeint usage tracking, and other capabilities.
One application sends unencrypted passwords over an unprotected WiFi network. “So you are using your smartphone at a conference, for instance, and you log into a specific service using that application. If an attacker is in the same network as you, the password you sent in the clear over the network can be intercepted by the attacker, who can then use the password to log into your account”, Cosoi explained.
“Users do not always know what applications are doing in the background while looking very pretty in the foreground. Once you know all the secrets about an application, you can decide whether you want to keep it if you already have it installed or whether you want to install it if you don’t have it already”, he said.
Apple did not respond to Infosecurity's request for comment on this story.