Scrutinizing mobile apps: privacy violations, bloat, and poor security


Troy Hunt installed the HTTP proxy Fiddler on his network and used it to examine the way that iPhone apps performed. What he discovered was a series of shockingly poor implementation decisions that massively bloat the bandwidth needed to load and use apps (important for users whose mobile phone plans contain strict bandwidth caps); poor password security (important for mobile users who roam to untrusted WiFi networks); and aggressive, over-the-top surveillance of your activities by apps that harvest every click, as well as your location, and send them to third parties.

I doubt that these issues are unique to iOS devices. Rather, they represent facts in evidence about the limits of software "curation" to guarantee robust, safe, secure software. It's vanishingly unlikely that any app store with hundreds of thousands (or millions) of apps will be able to subject them to the kind of scrutiny that Hunt engages in here. Combine that with the opacity of the platform, which makes it hard for independent auditors (and users!) to discover what their mobile devices are doing and how they're doing it, and you've got a recipe for a mobile ecosystem that subjects users to high bandwidth fees, invasions of privacy, and compromise of their passwords.

Expert curation of code is a good step towards secure mobile computing, but it's insufficient to keep users safe. Unless platforms are designed with the objective of allowing scrutiny of their inner workings -- something that is at odds with business-models that rely upon establishing exclusive rights to approve and distribute software for a platform -- then they should be assumed to be running apps that are riddled with these sorts of defects.

Suddenly monetisation with powerful data starts to make more sense.

But this is no different to a tracking cookie on a website, right? Well, yes and no. Firstly, tracking cookies can be disabled. If you don’t like ‘em, turn ‘em off. Not so the iOS app as everything is hidden under the covers. Actually, it’s in much the same way as a classic app that gets installed on any OS although in the desktop world, we’ve become accustomed to being asked if we’re happy to share our activities “for product improvement purposes”.

These privacy issues simply come down to this: what does the user expect? Do they expect to be tracked when browsing a cook book installed on their local device? And do they expect this activity to be cross-referenceable with the use of other apparently unrelated apps? I highly doubt it, and therein lays the problem.