University Study Reveals Apps from the App Store Leak More Private Data than Cydia

Last week’s discovery of Path’s unauthorized uploading of our personal data to their servers has had many people questioning how safe our information really is. Forbes now points to a 15-page study called “PiOS: Detecting Privacy Leaks in iOS Applications,” written by a team of international university researchers.

The team consists of Manuel Egele from the Vienna University of Technology in Austria; Christopher Kruegel from the University of California, Santa Barbara; Engin Kirda from the Institute Eurecom, Sophia Antipolis; and Giovanni Vigna from the University of California in Santa Barbara. Together they created an application called PiOS to determine which apps accessed our private data:

Using PiOS, we analyzed 825 free applications available on the iTunes App Store. Moreover, we also examined 582 applications offered through the Cydia repository. The Cydia repository is similar to the App Store in that it offers a collection of iOS applications. However, it is not associated with Apple, and hence, can only be used by jailbroken devices. By checking applications both from the official Apple App Store and Cydia, we can examine whether the risk of privacy leaks increases if unvetted applications are installed.

Below is a chart in which the team concludes that, based on their tests, more App Store apps had access to a user’s UDID (universal device identifier) than those from Cydia:

An interesting conclusion that one can draw from looking at Table 3 is that, overall, the programs on Cydia are not more aggressive (malicious) than the applications on the App Store. This is somewhat surprising, since Cydia does not implement any vetting process.

The article also notes what Cydia creator Jay Freeman has to say about data privacy:

“If you care about this kind of thing, you should jailbreak your phone,” says Freeman. “Instead of Apple making decisions about what’s good and bad, you decide. People think jailbreaking is about deciding that things Apple doesn’t like are good. But it also allows you to decide that things Apple likes are bad. We provide you the tools to block the functionality you don’t believe apps should have on your phone.”

Users can download and install ContactPrivacy, written by Edmontonian Ryan Petrich, or Freeman’s own app, PrivaCy, to control their data. Both apps are available in Cydia. It appears more and more apps now access your data whether or not a prompt appears asking for access. Should Apple do more to protect our data, or is the responsibility on developers not to ask?


  • As someone who is a member of the scientific research community, I find that this study means absolutely nothing. Admittedly, I’m not an app programmer, but my understanding is as follows.

    What you’re missing here is the context of what the App Store apps do vs what the Cydia apps do. I can imagine that any app that needs to access an external server would access your DeviceID, location, or whatever. However, most Cydia apps are more about device customization which is confined to the specific device. You don’t need to access personal information to add a fifth button to your dock, but you do if you’re going to be doing any sort of interaction with the web.

    Similarly, I can’t imagine there are very many useful things that App Store apps can’t do with your Address Book that jailbreakers would actively seek out. There’s a difference between accessing your data responsibly and accessing it irresponsibly, and (in theory) as long as you’re using data responsibly you’re probably in the App Store. If you’re not using data responsibly, people won’t seek you out, even if you ARE on Cydia. I’m not naive enough to think that Apple has a clean record at keeping apps accountable for what they do with our data (I’m looking at you, Path). However, if you consider the Cydia apps as a litmus test for the types of apps that people can’t get on the App Store, it would seem that the App Store provides the kinds of apps that use personal data very well. I’m not a jailbreaker, but my impression has been that the draw is for utility tweaks, not social or data-intensive stuff that most people use on the App Store. This is a “fun with numbers” study that really only proves that they yielded numbers that could be easily spun for click-bait.

  • You are right in your estimation of the utility tweaks being the biggest hit on Cydia, that and theming. But by not being on Cydia, you don’t see that a close third to those are security tweaks as well, from protecting your data, to fixing the holes that sometimes occur from the latest update. Most of the people who are not “worthy” of Apple’s app store do not necessarily migrate to Cydia, and don’t forget Apple has had its issues of late with bogus apps making it through. You do not often see that in Cydia. And I am sure we are not seeing all their data, and they are not inferring a causal relationship, it’s just an interesting correlation. And you don’t have to come from a research background to see that, although it helps 🙂