The Apple iOS development scene has gotten to a point where it will always be under the watchful gaze of outsiders looking in.
And considering the emergence of mobile technology and software, it is hardly surprising. Mobile tech players play such an important role in our everyday lives that they are bound to come under intense scrutiny. Recent happenings surrounding the beautiful Path application have also made sure that all eyes remain firmly fixed on application security and how developers react to recent media reports.
With that in mind, it seems rather poignant that a recent study by a research team at the University of California and the International Security Systems Lab has uncovered some information which may come as a huge shock to most. The two teams have produced a report which shows that applications on the Cydia store for jailbroken iOS devices are less likely to leak and transmit private user data than their official App Store counterparts.
There is no denying that jailbreaking is not only extremely popular but also big business. One of the main concerns certain people had about circumventing Apple security within iOS is that it would make the operating system and applications less secure and more vulnerable to privacy leaks or loss of data. The researchers have found the polar opposite, with one in five free App Store applications purposely uploading private data back to the developers. A custom tool known as PiOS was created by the teams, which, according to the report’s title, is designed to detect privacy leaks in iOS applications. The PiOS tool was run on 1,407 free applications, with the App Store accounting for 825 of that total and the BigBoss repository in Cydia making up the other 526.
Out of the 825 free App Store applications which were analyzed by PiOS, 21% made a copy of the user’s UDID number and uploaded it back to the developer for one reason or another. The UDID is a series of letters and numbers which is unique to each device. A worrying four percent of the apps tested tracked the device location via GPS and sent it back to the developer, with 0.5% of the tested applications uploading the user’s address book, which is what caused the original Path debacle.
These findings were in direct contrast to the Cydia applications which were tested from the BigBoss repository, which is one of the default repos which come pre-installed on Cydia. Only 4% of the jailbroken apps tested leaked the unique UDID identifier, with only one application actually tracking the user’s location and sending that back to the developer. It is also worth noting that the one application which tracked location was actually called MobileSpy, and was designed to do just that.
One reason for this could be the fact that people who create software for jailbroken devices are more in tune with and conscious of app security concerns. After all, the jailbreak creators have to overcome Apple’s own security to actually perform a jailbreak, so it is logical to accept that they will have an in-depth knowledge of this. In the case of Path, which was hauled over the coals for uploading a user’s address book, the company CEO actually stated that there were no specific Apple guidelines which prevent developers from this type of behavior and even went as far as to claim it was “industry standard practice”. The problem could ultimately boil down to developers understanding and then implementing the development guidelines, but at the end of the day it is clear that Apple should perhaps be doing more to prevent applications that leak private data from being allowed in the App Store.
Cydia creator Jay Freeman has also had his say on privacy concerns recently, being quoted as saying:
“If you care about this kind of thing, you should jailbreak your phone, instead of Apple making decisions about what’s good and bad, you decide. People think jailbreaking is about deciding that things Apple doesn’t like are good. But it also allows you to decide that things Apple likes are bad. We provide you the tools to block the functionality you don’t believe apps should have on your phone.”
Next time you decide to download a free-of-charge app from the App Store, maybe you will stop and wonder if it will send any of your private data to the developer. Food for thought.