Recently an old story hit the news again: Apple iOS allows apps free access to the address book, without any user consent. However, that isn’t really new. The story was told back in 2010. Privacy awareness and concerns, however, have massively gained momentum since then, so it is a different situation now. Apple CEO Tim Cook has been asked by two congressmen to provide answers by Feb 29th (the link is to a German page, but the lower half, containing the congressmen’s letter, is in English). See also this link.
What has happened: Apple iOS allows apps to access the address book information. Some apps store that information for a long time. And there is no user consent. That is another story within a long line of other weaknesses, like location data provided by iOS (and now patched) and several “data leaks” in Android. However, in Android it depends a little more on the implementation – but overall, it’s the same situation.
Apple responded immediately. Unfortunately, the answer is ridiculous. Apple claims the apps violate the Apple guidelines. Sorry: Apple builds in a data leak by design and then blames the others? Yes, the others like Path are a part of the problem, but the root cause is Apple’s design flaw. Apple has announced that it will provide a patch. But even if privacy were a feature that could be added with a patch, it will most likely take some time, as usual. And the patch won’t bring your data back.
When looking at the details from the business user perspective, it becomes even worse. You might use Office 365 together with Outlook. That means that Outlook (which makes sense in that closed environment) adds all e-mail addresses to your contacts. However, once you add that account to your iPad, they end up in that device’s local address book. We haven’t yet investigated whether they are also leaked then to other apps, but given that you can use them on your iPad with other apps like the NotePad (“Notizen” in German), this is more than likely. In other words: connecting with iOS to business apps might let your data leak. And many business users will use some of these “malicious” apps.
You still could say it’s only about e-mail addresses. But honestly: do we really know what else might leak in a system with “data leakages by design”?
That raises an important question: can companies allow their employees to access corporate information with an iPad or iPhone (or other inherently insecure mobile devices)? You have to decide that yourself. But there is an obvious risk. Think about using such devices in sensitive areas like healthcare or clinical trials in the pharmaceutical industry, where (limited) patient or trial participant data might leak.
It isn’t easy to solve these issues and to make your mobile devices more secure, especially as long as vendors don’t really help you. However, there is a place to learn more about this. Mobile privacy & security is a key topic at the EIC 2012. Join our mobile privacy & security expert analysts there and find out what the reality looks like and why many of the currently proposed solutions like Symantec Wireless Device Security or Cisco AnyConnect are not the answer to your most challenging security questions.