University Study Reveals Apps from the App Store Leak More Private Data than Cydia


Last week’s discovery of Path’s unauthorized uploading of our personal data to their servers has had many people questioning how safe our information really is. Forbes now points to a 15-page study called PiOS: Detecting Privacy Leaks in iOS Applications, written by a team of international university researchers.

The team consists of Manuel Egele from the Vienna University of Technology in Austria; Christopher Kruegel from the University of California, Santa Barbara; Engin Kirda from the Institute Eurecom, Sophia Antipolis; and Giovanni Vigna from the University of California in Santa Barbara. Together they created an application called PiOS to determine which apps accessed our private data:

Using PiOS, we analyzed 825 free applications available on the iTunes App Store. Moreover, we also examined 582 applications offered through the Cydia repository. The Cydia repository is similar to the App Store in that it offers a collection of iOS applications. However, it is not associated with Apple, and hence, can only be used by jailbroken devices. By checking applications both from the official Apple App Store and Cydia, we can examine whether the risk of privacy leaks increases if unvetted applications are installed.

Below is a chart from which the team concludes, based on their tests, that more App Store apps had access to a user’s UDID (universal device identifier) than those from Cydia:

An interesting conclusion that one can draw from looking at Table 3 is that, overall, the programs on Cydia are not more aggressive (malicious) than the applications on the App Store. This is somewhat surprising, since Cydia does not implement any vetting process.

The article also notes what Cydia creator Jay Freeman has to say about data privacy:

“If you care about this kind of thing, you should jailbreak your phone,” says Freeman. “Instead of Apple making decisions about what’s good and bad, you decide. People think jailbreaking is about deciding that things Apple doesn’t like are good. But it also allows you to decide that things Apple likes are bad. We provide you the tools to block the functionality you don’t believe apps should have on your phone.”

Users can download and install ContactPrivacy, written by Edmontonian Ryan Petrich, or Freeman’s own app, PrivaCy, to control their data. Both apps are available in Cydia. It appears more and more apps now access your data whether or not a prompt appears asking for access. Should Apple do more to protect our data, or is the responsibility on developers not to ask?