Showing posts with label security. Show all posts

Monday, April 2, 2012

Ad Providers Containment Chamber

By NRC (http://www.nrc.gov/reactors/generic-bwr.pdf) [Public domain], via Wikimedia Commons
No application is really free; it is always paid for from either your pocket or somebody else's.

You pay for paid apps; advertisers (usually) pay for free apps. Last year's explosion of cheap Android phones brought to Market many people who are not willing or able to pay for applications. The logical solution for developers was to introduce in-application ads, but now iOS owners would like some stuff for free, thank you. With ads came privacy issues.

Thursday, March 29, 2012

Worst of Both Worlds

In a recent article about zero-day exploit brokers, I found something that surprised me a bit: iOS exploits are better paid than Android ones. iOS is a closed source operating system; although it is harder to learn about its inner workings, it is also harder to fix it quickly. On the other hand, Android is based on Linux, which is open source; hundreds of eyes are looking at potential security holes in the code and new versions are "released early, released often". An OS should be like a fortress and exploits should be rare and expensive, but it is quite the opposite.

Tuesday, February 28, 2012

What privacy?

Feeling naked in front of ad providers?
If I owned a very evil malware company, I would make an application that needs access to both contacts and the Internet for some legitimate purpose. I would suck up all the data that I can. If the user revokes the rights, he will lose functionality, and if he grants them back, the application will continue sending his private data to me for my evil plans.

That's what I wrote a couple of days ago as preparation for an article. And then reality caught up with me.

The British Sunday Times published, as some say, a typical tabloid article about the Android Facebook application with excessive rights; it can read your text messages and snap a snapshot of your surroundings whenever it likes (the article is not free, so check this). Facebook opposed these claims fiercely. Without going into a discussion of what they really did or didn't do with the data, this scenario is perfectly plausible. Be it Android or iOS, once you allow a certain permission, the application can use it at its own discretion until you uninstall it (Android) or revoke the permission (iOS).

Monday, February 27, 2012

Permissions Scientific Way

If we put together everybody's 2 cents about improving iOS permissions from both a visual and a logical perspective, it would be a huge pile of money. My 2 cents included. However, some people actually did some hard work to figure out how good the current approach is and what could be done to improve it.

The University of California, Berkeley has a Security Research Lab, and that lab runs the Smartphone Security project. These gals and guys took the problem very seriously and produced a very interesting publication titled "The Effectiveness of Application Permissions" (don't be repelled by its dull scientific formatting). The key part is an analysis of the permissions of almost a thousand Android applications and a thousand Chrome plugins, trying to discover how permissions are used in the real world. I'll stick to the Android part.

Tuesday, February 21, 2012

Disinfected for Your Convenience

The social application Path took contacts data impolitely, without asking first.

We know that because somebody snooped on unencrypted data, but it was almost OK because it is a social application. There are some other applications that did the same. What we don't know is how many applications with a totally unsocial purpose passed the App Store's manual checks and sent data somewhere encrypted without being detected.