Tens of Thousands of iPhone Apps May Access User Contacts, Track Location Without Owner’s Clear Knowledge
SYDNEY & AUCKLAND – July 17, 2012 – Almost one in five iOS applications can access your Address Book while some 41 per cent can track your location and more than one in three store your data without encrypting it, according to Bitdefender research.
A months-long Bitdefender study of more than 65,000 apps distributed widely on the Apple App Store revealed tens of thousands that tap contact info, track a user’s location, and access some data without a user’s explicit permission.
While many apps clearly use these privileges to function, others have no obvious use for the data they may be collecting, ranging from accessing a user’s phone book to tracking usage. By default, apps on the App Store only ask for permission to access location-related services, and not when accessing the Address Book or other functions.
Bitdefender’s analysis included 65,000 of the more popular apps in the App Store and found that only 57.5 per cent encrypt stored data while the rest don’t, potentially placing the user’s data at risk after accessing it. Some 41.4 per cent of the apps analysed can track a user’s location, meaning that most iPhone owners are likely to have at least one app on their device capable of knowing where they are.
Location tracking used in contextual ads that display based on geo position is highly controversial, yet common. This type of information can be sold to companies to help build effective marketing campaigns. Note that Bitdefender’s study did not cover all available apps so the numbers and ratios may change when extrapolated to the whole App Store.
The research also revealed 18.6 per cent of the apps can access a user’s Address Book, including all contact details. The only legitimate reason for an app to access the user’s Address Book would be to transfer contacts or merge social media contact details with your on-device phone numbers. It’s unlikely that almost a fifth of all apps need Address Book info to function. Chances are high that many apps access Address Books without the user’s knowledge.
Bitdefender also found that 30.7 per cent of the apps analysed can display ads and 16.4 per cent can connect to Facebook. Other functions include tracking usage through Flurry analytics, Google Analytics or Mobclix analytics. Some apps use all three analytics packages. Hundreds of apps analysed also use an iPhone’s UDID, or Unique Device Identifier, which can identify the owner, while hundreds more use background voice-over-IP, OpenFeint usage tracking and more.
It’s worrying that stored data encryption on iOS apps is low and location tracking so prevalent. Without notification of what an app accesses, it’s difficult to control what information users give up. We see a worrying landscape of poor user data encryption, prevalent location tracking and silent, unjustified, address book access.
Private data may be used to determine an individual’s behaviour patterns including, but not limited to, profiling for marketing activities. Collection algorithms and patterns are sometimes used to reveal much more, including user identity. There is no publicly accessible database for user education and awareness on these privacy concerns.