April 09, 2013, 6:54 PM — Mobile phone apps are accessing users' private data and transmitting it to remote servers far more than appears strictly necessary, while users have inadequate tools to monitor or control such access, according to a new study by two French government agencies.
The French National Commission on Computing and Liberty (CNIL) studied the behavior of 189 apps on six iPhones equipped with monitoring software and analysis tools developed by the French National Institute for Research in Computer Science and Control (INRIA). The goal was to improve general understanding of the way apps use private data, not to point the finger at particular developers, CNIL President Isabelle Falque-Pierrotin said Tuesday at a news conference to present the research.
Rather than study apps in laboratory conditions, CNIL took a real-world approach, asking six volunteers to put their own SIM cards in the phones and use them as they would their own between mid-October and mid-January. One volunteer downloaded almost 100 apps, and one added just five to those installed by Apple.
One in 12 of the apps accessed the address book, and almost one in three accessed location information. On average, the users had their location tracked 76 times a day during the study. Foursquare and Apple's own Maps app requested location information the most often -- perhaps understandable given their purpose -- with AroundMe and Apple's Camera app close behind.
The iPhone's name was accessed by one app in six, something the researchers found inexplicable because it serves almost no purpose and is far from a unique identifier, although since it often contains the user's given name, it could be considered personally identifiable information.
Facebook's app apparently made little attempt to access such private information -- but then, said the researchers, it has no need, as its users already tell it so much anyway.
The data accessed by far the most in the study was the iPhone's Universal Device Identifier (UDID), a serial number permanently associated with a particular phone. Almost half the apps accessed it, and one in three of those sent it over the Internet unencrypted. The app of one daily newspaper accessed the UDID 1,989 times during the study, sending it 614 times to its publisher.
CNIL spokesman Stéphane Petitcolas demonstrated how users might regain control with a new settings tool to limit how apps access all kinds of private information, much as Apple allows users to control access to location information today. Apple hasn't seen the tool yet, but INRIA would consider sharing the code if the company was interested, said Claude Castelluccia, director of the research team.