Monday, August 17, 2009

Dear iPhone Users: Your Apps are Spying on You


Recently, Palm came under fire when programmer Joey Hess discovered the Pre's smartphone OS was sending users' GPS locations back to Palm on a daily basis. Although this information was disclosed in the company's privacy policy, the majority of the phone's owners were unaware. The incident raised questions about consumer privacy and the extent to which both handset makers and developers were gathering data on mobile users.



If you think you aren't affected by these types of troubles because you don't own a Pre, think again. Multiple iPhone applications - yes, even the ones approved by Apple - are also busy tracking your personal data and 'phoning home.' Which applications? What data? As an end user, determining this information is difficult. But some iPhone developers have been digging into this issue and the results of their findings may surprise you.







Is Pinch Media Spyware? One Developer Says 'Yes'



As far as we know right now, Apple itself is not performing any user tracking via its pre-installed applications. However, that doesn't mean that you're not being tracked by someone, somewhere. There are a number of applications available now in the iTunes App Store which track your user data, including things like location, your iPhone's unique ID, the phone's model, whether it's 'jailbroken,' and possibly even your gender, birth month and year, and whether the application is Facebook-enabled.



Specifically, a mobile analytics company called Pinch Media is being singled out for being more intrusive than others when it comes to this sort of tracking. Mobile analytics firms like Pinch allow developers to insert code into their application for the purpose of tracking and analyzing how their users interact with applications. In general, this type of tracking is relatively harmless for the end user and helpful to the developer. It reveals stats like: how long did the user play the game or use the app? Do users access this feature more than that one? What time of day are users launching the app? And so on. The results of this type of tracking allow developers to make their apps more usable and help them redesign or tweak aspects of the apps that may not be working.



However, in Pinch Media's case, the user tracking goes a bit further according to one iPhone developer. He says applications using Pinch Media track the following information:




  • iPhone's unique ID
  • iPhone model
  • OS version
  • Application version (in this case, camera zoom 1.x)
  • If the application is cracked/pirated
  • If your iPhone is jailbroken
  • Time & date you start the application
  • Time & date you close the application
  • Your current latitude & longitude
  • Your gender (if Facebook enabled)
  • Your birth month (if Facebook enabled)
  • Your birth year (if Facebook enabled)



What's worse is that you're often not told that the app will be performing this level of detailed tracking, and you're often not given the opportunity to opt out. The data is recorded every time you use the application. This violation of user privacy is so egregious that the developer even goes so far as to call Pinch Media 'iPhone spyware.'



In addition, a recent post on the iPhone Dev Team blog, the site hosted by the developers who release the jailbreaking and unlocking applications for the iPhone, also calls out Pinch Media for tracking your location even when it's unnecessary to do so. In the example they cite, a tip calculator app was identified as tracking your geographical location through time and uploading that data to Pinch Media.



It's Not Pinch Media That's to Blame, It's Developers



However, in the comments of the blog post, one developer using Pinch Media analytics fights back, claiming that his applications do request permission before gathering statistics. He bristles at the suggestion that they should be called 'spyware.'



Pinch Media is also frustrated by these accusations. They argue that no location can be sent back without the user's explicit opt-in. Since you have to press a button that explicitly allows the application to access your location, how could this possibly be without the user's consent? The company also claims that the blog posts by this 0th3lo person are 'full of factual inaccuracies' (although they didn't detail specifically which parts are inaccurate). They even hint that the blogger's motivations are less about exposing user privacy violations and more about retaliating against the company because Pinch Media recently launched tools which allow developers to identify pirated (aka stolen) applications. That would be something that this particular developer, an active member of the hackulo.us forums (a forum for pirated apps), would not be fond of.



The company assures us that their product complies with all major privacy laws, saying that no personally identifying information is stored and the user opts in through the Licensed Application EULA, which specifically permits the gathering of information and sending it to third parties. In fact, says a company spokesperson, the tracking done by their company is even less intrusive than web analytics, where information is gathered without anyone's consent or opt-in, pointing to ads on this very website as an example of that.



Is This Really an Issue?



At the end of the day, is this sort of tracking all that invasive? Well, tracking a unique identifier such as the iPhone's UUID is not exactly comparable to the type of tracking you see on the web today. It's not anonymous data - it's an exact ID that's unique to each physical device that Apple manufactures. And Pinch Media is not the only analytics company to track this information. Also, location data tracked on the iPhone (0th3lo says Pinch Media calculates this to 8 decimal places) can be far more exact and accurate than any sort of geographically-based IP address look-up on the web. Instead of getting a general location, location data on a GPS-enabled mobile can identify your precise latitude and longitude.



But should you be concerned? Perhaps. Although Apple requires that applications ask if they can use your location upon launch, there aren't necessarily requirements for app developers to disclose what data they're tracking beyond location data, how often it's tracked, and what they're doing with that data when it's received. Apple also doesn't require that developers ask for your consent before this sort of detailed monitoring takes place.



Still, not all applications using analytics on the back-end are to be feared. For the most part, the data being recorded is anonymous and helps the developers make better apps. The problem is that, as of today, there's no way to know which apps are the safe ones.



Want more? Thanks to @0th3lo, here's an ongoing list of applications that 'phone home' and what data is being tracked. Some apps on this list are: AroundMe, Aussie Rules LIVE, Camera Zoom, Discover, Flick Fishing, iiQuota, Mummy's Revenge, Police Scanner, Stickwars, The Moron Test, TouchGrind, Touch KO, TwitterFon, FaceFighter, Grunts, SmackTalk, Postman, vDrummer, Wobble, iFarty, iAppUSA, and Lonely Planet Guide.

