Don’t expect Apple to keep your data secure

With many app developers relying on third-party technology, there’s only so much Apple can do to stop iOS applications from collecting personal information

App use has soared in recent years: data collected by Nielsen suggests people are spending more time on Tinder, WhatsApp et al than ever before. In 2014, the global information and measurement company found US Android and iPhone users aged 18 and over dedicated 65 percent more time each month to app use than they did two years before. Many predict this percentage will grow.

With the proliferation of apps, never has it been so important for developers to protect the security of their inventions. Unfortunately, as technology advances, it has become more difficult for them to do this, and, in October last year, one of the worst security flaws yet was exposed.

Nasty bit of kit
SourceDNA, a security analytics company, discovered major weaknesses in Apple’s App Store, which it had been investigating in order to test the legitimacy of the apps it offered. The investigation found 256 apps violated Apple’s privacy policy by secretly collecting data such as users’ email addresses and phone IDs. In total, the compromised apps had been downloaded one million times. This put a similar number of users at serious risk of fraud, as people often employ the same email address and password combinations on multiple accounts, including for online banking.

Interestingly, the apps’ developers were not the ones hijacking the data. Speaking about the investigation, Nate Lawson – founder of SourceDNA – said data gathering has become so surreptitious that even individual developers can remain unaware their apps are being exploited. Breaches of data can happen when developers use third-party technology to bring their creations to life. In the case of the App Store breach, SourceDNA found all the affected apps had used software development kits made by Chinese ad firm Youmi. It was actually the kit that was collecting the data and, as a result, all the apps using Youmi’s product had to be removed from the App Store.

Speaking to The New Economy, Lawson said: “This illustrates a big risk from third-party libraries. Developers put these widgets in their apps to do something useful, but the author of that code may have made a mistake (leading to a security hole) or added something extra. When the app is caught extracting this information, it gets removed from the App Store even though its developer wasn’t at fault.”

Look closer
Lawson believed it would become very difficult for Apple, or its rivals, to catch these sorts of apps in the future. “The methods used were relatively accessible, so it’s likely we’ll see it again”, he said, adding there will be new ways in which third parties can gain information, such as fingerprinting devices.

Apple is taking a vigilant approach in dealing with the data breach, but the onus is ultimately on developers to fight back against bad practices in the app world – not least because, so long as they exist, such violations compromise an app’s chances of survival in a saturated marketplace.

Lawson encouraged developers to adopt a process that automatically checks their app before it is published, as well as making sure to audit their software supply chain. They could also call upon specialist companies such as SourceDNA to help them do this, but they must never be complacent; even the safest of apps could come under attack from crafty third parties.
