Forbes magazine recently published an article called “Unauthorized iPhone And iPad Apps Leak Private Data Less Often Than Approved Ones.” The article reports on research we conducted as the International Secure Systems Lab, aimed at analyzing how and where iPhone apps transmit users’ private data. In that work, we found that one in five of the free apps in Apple’s app store uploads private data back to the apps’ creators that could potentially identify users and allow profiles to be built of their activities. We also discovered that programs in Cydia, the most popular platform for unauthorized apps that run only on “jailbroken” iPhones, tend to leak private data far less frequently than Apple’s approved apps.

The tool we built is called PiOS, and it analyzes private data leaks from iOS apps. PiOS uses static analysis to detect data flows in Mach-O binaries compiled from Objective-C code. Unfortunately, this is not a trivial task. In fact, it is quite challenging due to the way in which Objective-C method calls are implemented. We have analyzed more than 1,400 iPhone applications. Our experiments show that, with the exception of a few bad apples, most applications respect personally identifiable information stored on users’ devices. This is true even for applications that are hosted on an unofficial repository (Cydia) and that only run on jailbroken phones. However, we found that more than half of the applications surreptitiously leak the unique ID of the device they are running on. This allows third parties to create detailed profiles of users’ application preferences and usage patterns.

The research ideas that led to the PiOS tool are also enabling Lastline’s Previct to analyze phone apps and protect them against malicious activity.

As smartphones become mainstream and an indispensable part of our lives, we believe that this feature of Previct will be critical in protecting organizations and users against attacks.