http://feedproxy.google.com/~r/9To5Mac-MacAllDay/~3/rsVjEN-RRr0/
Sent to you by Bill Boulware via Google Reader:
Apple's iOS problem: Contacts uploading is just the tip of the iceberg.
Apps can upload all your photos, calendars or record conversations
via 9to5Mac by Seth Weintraub on 2/15/12
Apple today responded to the contacts sharing issue with a
statement that seemed to indicate that they are going to put some sort
of setting on contact data that would allow users to control who sees
that data, in much the same way that Apple locks down location data.
"Apps that collect or transmit a user's contact data without their
prior permission are in violation of our guidelines. We're working to
make this even better for our customers, and as we have done with
location services, any app wishing to access contact data will require
explicit user approval in a future software release."
Congress getting involved was probably the motivation for such a move.
But Congress isn't going to like what they hear.
The problem is that iOS apps not only have access to a user's contacts
database (including addresses and notes) but apps have full,
unencumbered access to everything in the iOS app sandbox. That includes
all of your pictures, music, movies, calendars and a host of other
data. Literally any of this is freely open for developers to transmit
to their own servers while apps are open.
Additionally, legal, approved apps also have access to your iPhone's
camera and microphone so apps can take pictures and make recordings
without your permission (though these would be a lot easier to detect
by the user). Photos, videos and audio can then be transmitted securely
or insecurely up to servers that you and Apple don't know about.
To developers, this is no big secret. It isn't trivial, but putting
that kind of functionality into an app is pretty straightforward and
uses only Apple's publicly available and blessed developer APIs (which
means this stuff won't likely be detected by Apple's App store approval
process). With private APIs however, developers could possibly rummage
through your email, call history, visual voicemail, SMS or just about
anything else on your phone. Apple is more likely (but not always) able
to catch these types of app usage.
Obviously, shady developers and even government entities are probably
already using apps like this to gather information. Some scenarios:
- A spam marketing firm creates a free fart/flashlight app that, while
you are using it, sucks up your whole contacts address book and shoots
it over the net to their servers securely.
- A shady government creates a free photo app that automatically
uploads any pictures geotagged in a particular area to their servers.
Free intelligence gathering. That also means users can be followed by
their picture taking without location services being turned on.
Some important things to note:
- Apps can only spy and slurp down your info when they are open. Just
installing an app doesn't let this happen.
- Obviously, most developers would never consider doing something like
this. Most companies would never try to do this either. Word getting
out would destroy them immediately. But there are a lot of developers
out there and it is trivial to get on Apple's development platform.
- Apps like Path got busted only because they are transmitting data
insecurely so you can actually watch the data being transmitted. That
means that not only was Path able to collect your contacts DB, but
anyone that is sniffing the network you are on could also see this
information. On the other hand, security experts and Apple can't really
see what is being transferred securely so it is harder to ferret out
nasty applications.
- This isn't specifically an iOS problem. Any desktop application can
suck up all of your data and send it off to some server somewhere far
away (including email). Android handles this a little differently. If
an app wants access to your contacts, it asks permission when it is
installed. Most people don't look at this but the onus is on the user
to approve access. So that is protection in name only.
What can Apple do about this?
There isn't an easy answer. Obviously Apple plans to implement a
Location-type control in Settings for your contacts list. But they
can't do that for /everything/.
If Apple decided it needed to block access to these features, it would
almost instantly break a whole lot of apps that aren't doing anything
illegal. Apple could institute controls for everything, meaning that
you'd have to expressly give every app individual permission to access
location, contacts, camera, photos, etc.
Opening Facebook would take 10 minutes.
It will be interesting to see what Apple does.
Wednesday, 15 February 2012
[apple-iphone] Apple’s iOS problem: Contacts uploading is just the tip of the iceberg. Apps...