Apple mobile devices emerge as latest data privacy minefield
Apple has been unable to escape data privacy concerns despite the overwhelming popularity of its iOS devices.
The continuing popularity of the iPhone and iPad has been both a blessing and a curse for Apple. As sales figures continue to soar, increased scrutiny from data privacy experts has unearthed several unsavory revelations regarding the iOS ecosystem.
The controversy touched off earlier this month when developer Arun Thampi discovered that photo-sharing application Path was uploading the full contents of his iPhone's address book to its servers without requesting user permission to do so.
"I'm not insinuating that Path is doing something nefarious with my address book, but I feel quite violated that my address book is being held remotely on a third-party service," Thampi explained in a blog post. "I love Path as an iOS app and I think there are some brilliant people working on it, but this seems a little creepy."
In response to the resultant outpouring of concern, Path chief executive and co-founder Dave Morin quickly attempted to defuse the situation by acknowledging how sincerely his company values customer trust and announcing that the entire collection of user-uploaded contact information would be purged from its servers. An updated version of the Path app now prompts users to opt in or out of sharing the contents of their address books when attempting to locate friends who may also be using the service.
But even as Path corrected its course, Morin's assertion that the contact searching processes will continue to be a vital part of the mobile media industry has inspired a deeper investigation of iOS data security principles.
"Path got caught red-handed uploading users' address books to its servers and had to apologize. But the relatively obscure journaling app is not alone," cautioned Venture Beat writer Jennifer Van Grove in a related report. "In fact, Path was crucified for a practice that has become an unspoken industry standard."
Van Grove went on to suggest that Facebook, Twitter, Instagram, Foursquare and Yelp were just a few of the more popular iOS applications that have been handling address book content without adequate permissions. What's more, developers could likely have designed the applications in a way that would mask personally identifiable data during transmission, yet chose not to. Some of the worst offenders even transfer plain text information over unencrypted connections, making data all the more vulnerable to prying eyes.
Twitter has been particularly hard hit by critics suggesting that its data security provisions are not on par with its industry-leading stature. According to the Los Angeles Times, the "Find Friends" feature of the microblogging site's mobile application not only downloads the full contents of users' address books, but stores this data on its servers for 18 months. Twitter's privacy policy has handled log data in a similar fashion.
"Log data may include information such as your IP address, browser type, the referring domain, pages visited, your mobile carrier, device and application IDs and search terms," the company stated.
Twitter has since promised to amend its data privacy language to improve transparency of data collection measures, and has also clarified that it only stores the email addresses and phone numbers of imported contacts. However, the surrounding controversy has not gone unnoticed by data security researchers and consumer privacy advocates.
Last week, Representatives Henry Waxman and G.K. Butterfield – both ranking members of the House Energy Commerce Committee – wrote to Apple chief executive Tim Cook regarding the effectiveness of iOS application development rules and regulations.
"Claims have been made that 'there's a quiet understanding among iOS app developers that it is acceptable to send a user's entire address book, without their permission, to remote servers and then store it for future reference,'" the Congressmen noted. "The fact that the previous version of Path was able to gain approval for distribution through the Apple iTunes Store, despite taking the contents of users' address books without their permission, suggests that there could be some truth to these claims."
As a result, Waxman and Butterfield formally requested that Cook's team answer several pointed questions before Congress by the end of the month. Apple has moved quickly to patch the vulnerabilities in question, but legislators are hoping to hear the full extent of the company's data security and privacy policies and application vetting protocols.
The problems continue to mount for Apple on a parallel front after recent reports suggested that Google has been circumventing the data privacy settings governing the Safari web browser.
Initially uncovered by Stanford University researcher Jonathan Mayer, it appears that Google is one of several companies that have built workaround code which ends up placing tracking cookies in the browser on iOS devices. According to the Washington Post, the strategy was originally intended to confirm whether or not a user was signed into Google services; however, the additional cookies have only just been discovered.
Google insists that the practice aligns with its aims to provide registered users with relevant, targeted ads, according to the Post, and that anyone who has opted out of the company's web-based advertising program would not be affected. Nevertheless, some are already suggesting that this latest misstep could earn Google another visit from Federal Trade Commission regulators.
With Google, Twitter, Facebook and Apple all implicated in the latest data privacy controversy, there is no escaping the need for intelligent debate on the topic and the creation of more evolved strategies for protecting consumer data that can stand up to the dynamics of the modern computing landscape.
As ZDNet contributor Adrian Kingsley-Hughes recently noted, the scattered nature of data storage and reliance on permission-based privacy models have made it easier than ever before for software to collect treasure troves of customer data. As a result, he suggested that it may be smarter to switch default settings to block data-collecting features and move beyond the oversimplified "clicking a box" mode of granting access.
"This would send a message to developers telling them that limitless, covert access to stored user data is no longer a default," the columnist explained. "At best, they're going to have to work to get access to it, and at worst, they're not going to get access to any of it. Take away the expectation, and most developers will give up on the idea of data harvesting."
Data Security News from SimplySecurity.com by Trend Micro