Misbehaving Apps: Is Privacy Dead?

Android and iOS are both very popular platforms and are installed on millions of handheld mobile devices. No matter which camp one belongs to, no-one would like to see sensitive information being transmitted over the Internet without permission. We have known for a while that some Android apps are collecting data and transmitting them without asking for permission. Many of these rogue apps go about doing it in a suspicious fashion. This problem is not exclusive to Android platform. According to a new iPhone security report, 68% of applications transmit UDIDs which can be used to dig up users’ personal information.

Not only the majority of top free and paid apps tested for this study transmitted unencrypted unique device identifiers, over 18% of them encrypted their communications. That means there are possibly many apps that are doing sneaky things when no one’s looking. This report was first publicized by Engadget:

Bucknell University network admin Eric Smith, however, theorizes that third-party application developers … could be linking your device to your name (and even your location) whenever they transmit data. Smith, a two-time DefCon wardriving champ, studied 57 top applications in the iTunes App Store to see what they sent out, and discovered that some fired off the iPhone’s UDID and personal details in plaintext (where they can ostensibly be intercepted), including those for Amazon, Chase Bank, Target and Sam’s Club, though a few were secured with SSL.

While we would like to believe that developers always know what they are doing with their apps, UDID could be used to potentially kill off privacy:

Every Apple iPhone shipped since its introduction in 2007 contains a unique, software-visible serial number — the Unique Device Identifier, or UDID. Apple provided this functionaly to allow application developers to uniquely identify the iPhone being used for purposes such as storing application preferences or video game high scores. While the UDID does facilitate the process of collecting and storing certain types of data, it also creates a tempting opportunity for use as a tracking agent or to correlate with other personally-identifiable information in unintended ways.

As we found out with Intel a few years ago, consumers do respect their privacy. While they are willing to give up certain information, they do not appreciate sneaky practices. The problem here is one can’t get rid of UDIDs like cookies. Surely, there are advertisers and other 3rd party companies that would love to build more specific profiles for iOS users and deliver more relevant ads and offers to them. But Apple is against the practice of associating device IDs with users’ personal information. Can Apple stop this practice or will it want to? That’s a whole other story.

In your opinion, how big of a problem is this for Apple? Is privacy dead or do people even care?

Image credit: stock.xchng