IDG News reports on a new study from the French National Commission on Computing and Liberty (CNIL) and the French National Institute for Research in Computer Science and Control (INRIA) concerning privacy protections in apps for mobile devices, such as smartphones or tablets. (Recently, the Article 29 Working Party released a joint “Opinion 02/2013 on apps on smart devices.”) IDG reports:
Mobile phone apps are accessing users’ private data and transmitting it to remote servers far more than appears strictly necessary, while users have inadequate tools to monitor or control such access, according to a new study by two French government agencies.
[CNIL] studied the behavior of 189 apps on six iPhones equipped with monitoring software and analysis tools developed by the French National Institute for Research in Computer Science and Control (INRIA). The goal was to improve general understanding of the way apps use private data, not to point the finger at particular developers, CNIL President Isabelle Falque-Pierrotin said Tuesday at a news conference to present the research.
Rather than study apps in laboratory conditions, CNIL took a real-world approach, asking six volunteers to put their own SIM cards in the phones and use them as they would their own between mid-October and mid-January. […]
One in 12 of the apps accessed the address book, and almost one in three accessed location information. On average, the users had their location tracked 76 times a day during the study. […]
The iPhone’s name was accessed by one app in six, something the researchers found inexplicable because it serves almost no purpose and is far from a unique identifier, although since it often contains the user’s given name, it could be considered personally identifiable information. […]
The data accessed by far the most in the study was the iPhone’s Universal Device Identifier (UDID), a serial number permanently associated with a particular phone. Almost half the apps accessed it, and one in three of those sent it over the Internet unencrypted. The app of one daily newspaper accessed the UDID 1,989 times during the study, sending it 614 times to its publisher. […]
Buyers of iPhone apps have little idea what information or functions their apps will access. Google’s Play Store shows what information and functions an app will access—but the choice is all or nothing. Older versions of the BlackBerry OS gave users more freedom to choose which APIs (application programming interfaces) they would allow an app to access, at the risk of breaking the app, but in BlackBerry 10 that granular control is available only for native apps: For Android apps the choice is once again take it or leave it. […]
[The CNIL-INRIA study] for technical reasons was conducted using iOS 5. The next phase of research will use iOS 6, now that INRIA has updated its monitoring app to use the new version.
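The kind of measurement the study reports (how often each app touches a given data item, which apps ship identifiers off the device without encryption, how many times a day location is read) can be computed from a per-event access log produced by an on-device monitoring agent. The script below is an added example written for this post; it is not INRIA's monitoring tool or CNIL's analysis code, and the log format, app names, hosts and resource names are constructed assumptions, not data from the study.

```python
"""Privacy-access log analyser (added example; not the CNIL/INRIA tooling).

Assumed hypothetical log format, one line per event written by a monitoring
agent on the phone:

    <ISO timestamp> <app> ACCESS <resource>
    <ISO timestamp> <app> SEND <resource> <scheme> <host>

Resource names (udid, location, address_book, device_name) are assumptions.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: invented apps, hosts and timestamps, not study data.
SAMPLE_LOG = """\
2012-11-02T08:01:10 news_app ACCESS udid
2012-11-02T08:01:11 news_app SEND udid http stats.example.net
2012-11-02T09:15:00 news_app ACCESS udid
2012-11-02T09:15:01 news_app SEND udid https stats.example.net
2012-11-02T10:00:00 maps_app ACCESS location
2012-11-02T12:00:00 maps_app ACCESS location
2012-11-02T13:30:00 social_app ACCESS address_book
2012-11-02T13:30:02 social_app SEND address_book https api.example.org
2012-11-02T14:00:00 social_app ACCESS device_name
2012-11-03T09:00:00 maps_app ACCESS location
2012-11-03T11:00:00 weather_app ACCESS location
2012-11-03T11:00:01 weather_app SEND location http wx.example.com
"""

# Items that identify the user or device, plus location, count as sensitive.
IDENTIFIERS = {"udid", "device_name", "address_book"}
SENSITIVE = IDENTIFIERS | {"location"}


def parse_log(text):
    """Return a list of event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, app, kind, resource = parts[:4]
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        ev = {"time": when, "app": app, "kind": kind, "resource": resource}
        if kind == "SEND" and len(parts) >= 6:
            ev["scheme"], ev["host"] = parts[4], parts[5]
        events.append(ev)
    return events


def access_counts(events):
    """Map (app, resource) -> number of ACCESS events, e.g. UDID reads per app."""
    return Counter((e["app"], e["resource"]) for e in events if e["kind"] == "ACCESS")


def unencrypted_sends(events):
    """Sorted (app, resource, host) triples where sensitive data left the
    device over a scheme other than https (the 'sent unencrypted' case)."""
    return sorted({(e["app"], e["resource"], e["host"]) for e in events
                   if e["kind"] == "SEND" and e["resource"] in SENSITIVE
                   and e.get("scheme") != "https"})


def location_accesses_per_day(events):
    """Average number of location reads per calendar day covered by the log."""
    days = {e["time"].date() for e in events}
    if not days:
        return 0.0
    n = sum(1 for e in events
            if e["kind"] == "ACCESS" and e["resource"] == "location")
    return n / len(days)


def share_of_apps(events, resource):
    """Fraction of distinct apps in the log that touched `resource` at all."""
    apps = {e["app"] for e in events}
    if not apps:
        return 0.0
    touching = {e["app"] for e in events if e["resource"] == resource}
    return len(touching) / len(apps)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (app, res), n in sorted(access_counts(evs).items()):
        print(f"{app:12s} {res:13s} {n}")
    print("unencrypted:", unencrypted_sends(evs))
    print("location/day:", location_accesses_per_day(evs))
    print("udid share:", share_of_apps(evs, "udid"))
```

The `unencrypted_sends` rule is deliberately the simplest defensible one (anything not over https is treated as cleartext); a real agent would also need to know whether the app pinned or otherwise validated the TLS connection, which a scheme string alone cannot tell you. Run over a real capture, the per-app counters are what let a reviewer ask the question the study raises: whether the frequency of identifier and location access bears any relation to what the app does for the user.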