Although we are often skeptical of reports from security companies, a new report today from BitDefender highlighted just how important Apple’s new data isolation privacy initiative is in iOS. Starting with the public release of iOS 6 this fall, users will now be prompted to allow access to apps that want personal data such as contacts, calendars, reminders, and photos. However, until then, BitDefender claimed approximately 18.6-percent of the 65,000 iPhone apps included in its study can still access a user’s address book data, while 41 percent can track location.
Even more troubling is that only 57.5-percent of apps encrypt that cropped private data. MobileEntertainment (via COM) quoted BitDefender Chief Security Researcher Catalin Casoi:
In related news, Clueful, BitDefender’s iOS tool for detecting these apps, was recently removed by Apple from the App Store. The app had been available since May, and the issue of apps collecting data without user permission clearly still exists, but it’s unclear why Apple decided to remove the Clueful app. BitDefender mentioned on its blog that it’s looking into the issue.
After an outcry from various consumer groups and government bodies, Apple promised earlier this year to implement stricter privacy controls and notifications for app developers requesting private user data. Apple will now do so as part of its data isolation privacy initiative in iOS 6. Many apps, like Path and Instagram, already implemented warnings for users on their own. However, in a recent beta, Apple described the changes coming to iOS 6:
According to the “Security” section of the release notes:
In iOS 6, the system now protects Calendars, Reminders, Contacts, and Photos as part of Apple’s data isolation privacy initiative.
Users will see access dialogs when an app tries to access any of those data types. The user can switch access on and off in Settings > Privacy.
There are APIs available to allow developers to set a “purpose” string that is displayed to users to help them understand why their data is being requested.
There are changes to the EventKit and Address Book frameworks to help developers with this feature.