Egele and his colleagues defined a violation of privacy as an incident where a program reads sensitive data— addresses, phone numbers, e-mail account information—from the device and sends that data over the Internet without asking permission. The researchers had no way to discover if the user was tricked into giving consent.
“The description of privacy that we came up with is that we did not want sensitive data from the mobile device extracted without the user knowing,” Egele says. “But we cannot tell if it is malicious or not.”
The researchers developed software to test each program’s functionality and to determine if it collected and transmitted sensitive information without informing the user. They also had to decipher how certain apps function with only limited information.
An interesting insight from the research: apps from the App Store were more likely to surreptitiously access user data than apps from the unpoliced Cydia repository, says Egele.
Miller says Apple should improve its process for vetting applications. “There is not an easy solution to the problem, but having a central clearinghouse (like Apple) is the best way to do it,” he says. “But right now, Apple’s probably not doing it right.”