Are you concerned your iPhone apps may be spying on you?

Are you concerned your iPhone apps may be spying on you?

Does it bother you that some apps running on your iPhone (or Android phone), that know all your contact information and perhaps even your current location, could be spying on you? The Wall Street Journal says:

An examination of 101 popular smartphone "apps"—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders.

It seems like we've been talking about this since Apple added a GPS and the App Store to the iPhone 3G and iOS 3 back in 2008 and everyone from tiny, unknown developers to giants like Google began taking advantage of the features -- in both senses of the word.

Sometimes it can be beneficial -- Google's web search, Gmail, and mobile AdMob adds try to give us ads that better reflect our interests so they're less likely to annoy us and, of course, we're more likely to click on them. Apple's now in that game as well with iAds. But what about those tiny, unknown developers using their free or cheap apps to extract your information?

Apps sharing the most information included TextPlus 4, a popular iPhone app for text messaging. It sent the phone's unique ID number to eight ad companies and the phone's zip code, along with the user's age and gender, to two of them.

Pandora is also cited as an app that transmits lots of demographic information. Apple claims they police the apps and make sure they fall within proper guidelines but the WSJ believes some, like Pumpkin Carver, can skirt the rules, and many of the developers claim they anonymize data before aggregating it and transmitting it on to advertising networks.

While permission is required to share location, no permission is required to share your iPhone (or iPad or iPod touch) UDID -- the unique identifier, effectively a fingerprint or "super cookie* that can be used to correlate and track all your activities. Angry Birds, according to the WSJ, sends both UDID and location data back to its publisher (who says they don't use it to advertise and don't share it with anyone else).

The entire article is fascinating reading especially for those concerned with privacy in the mobile information age. Personally I trust Apple and Google but I'm not sure I trust every little developer who has the same access to my data or who uses Apple's and Google's networks and systems.

What about you, any alarm bells ringing?

[Wall Street Journal, thanks Dominick!]

Have something to say about this story? Leave a comment! Need help with something else? Ask in our forums!

Rene Ritchie

EiC of iMore, EP of Mobile Nations, Apple analyst, co-host of Debug, Iterate, Vector, Review, and MacBreak Weekly podcasts. Cook, grappler, photon wrangler. Follow him on Twitter and Google+.

More Posts



← Previously

TiPb Picks of the Week

Next up →

Top 5 Christmas apps for iPhone and iPad

Reader comments

Are you concerned your iPhone apps may be spying on you?


Sorry Rene but not really information I don't know. To me its kinda obvious and some apps ask " to use your currant location " I would think that's giving them permission to do such a thing. I could b wrong dunno?

I have my iPhone Jailbroken and have FirewallIP which alerts me any network access, requesting approval for such items (doesn't tell me what it is sending as such but more just what hosts the app is contacting). This helps immensely for these pesky apps that try and report info back to places etc. I have found even expensive apps do so in some way or another. With FirewallIP I just deny the request and add a permanent deny and then am fine from then onwards.

It is not strictly a location thing - it is that some applications send identifying information every time. IOW, even if you are not signed or opting in, they still know that it is you (or at least that it is phone #24601, which they or a partner network knows is you).
The troubling thing is that there is no Apple/Google supported way not to send that #24601 identifier, so users cannot take any steps to protect their privacy.

how can a text messaging app know your gender and age? Does it have some creepy recognition algorithm that detects texts like "happy BDay, bro!" ? Or does it rely on the fact that some users will accept to give their DoB just to send texts?

bill im sure that info is stored on the phone somewhere , whether its in itunes for age verification or what not. Dont be so naive.

Sounds like more WSJ FUD. So sick of their sensationalistic bull***t. They're "uncoverings" are nothing we didn't know, and is blatant headine grabbing. Why take them seriously? Gee, when an app asks to share your location data, it's transmitting my location? Wow, what a revelation!

During the app approval process Apple needs a way to know exactly what info the app is sending back "home" and validate whether this is expected, i.e. in line with the app features.

I appreciate the WSJ doing a report on this. I think people need to be aware of this trend. It seems to only be getting worse and will continue if people don't speak up. I'm sure there are care free people out there that won't realize their info is important until they are victimized directly. I just hope people realize soon that privacy is something to cherish and once you lose it it's gone.

And what can they do with this data that will effect my life? It's not like they are going to be knocking at my door trying to sell me stuff.

Nothing new at all. Once we started using computers, our information was always known. It us a way of life that we half to accept. I am sure the WSJ shares subscribers info in some way also. If they say they do not, they better not go out on a cloudly day. Might get struck by lighting for fibbing.

At the end of the day, there's not great deal we can do about it. For now anyways. Apple know about it, the whole world knows about it. Unfortunately until someone actually makes it illegal, that's the way things are. We should just try to be more stringent about the information we store on our phones.
Or jailbreak LOL

I for one am very concerned ! The iPhone and other smartphones are quickly becoming more PC and less phone. People store emails and sensitive info on them. Atleast with a PC you can take steps to protect yourself, it's probably only a matter of time before we need a norton or mccafe app on theses "phones"

Here is how (hypothetically)
1) You sign up for the hot new game, Angry Orang-utans, which is part of the BigBro network (but, unlike websites, apps do not have to tell you that membership). For a better multiplayer experience, you tell them your name, age and gender, and they now know phone #24601 belongs to 50 year old Jean ValJean.
2) You install SuperFreeSMSApp. You do not give them any information, but every request sends that #24601 tag. Since they are also part of the BigBros network (again, without telling you), they now know that you are Jean ValJean, and that network will know who you, Jean ValJean, texts. Other apps can similarly use that #24601 to compile a fuller picture of you.
As Glenn points out, this is somewhat of a fact of a connected life, and ad networks and search engines have been doing this for years, but there are two differences here:
1) In the US, at least, websites that collect such information are required(?) to have a privacy policy disclosing the extent of their behavior. Yes, most people ignore them, but at least it is out there to see, so those who care can make informed decisions. Apps are are under no such obligation, and so can track and share without disclosure.
2) Unlike with the web, with apps, there is no way not to send your UUID, so there is no way for a user not to reveal who you are. It is not a bug, it is a feature, of current mobile devices, one that both Apple and Google tacitly support, if not encourage.
You shouldn't drop your phone and move to a log cabin, but people should be aware that mobile apps have the potential to be as intrusive and all-knowing as the worst paranoid fantasies people have about Google, and there is no disclosure or opt-out possible.

The way I see it, Pandora gives me a plethora of free music for telling an ad agency information I'd freely give to anyone.
Sounds like a good trade off.
If you're scared of someone knowing your name is Bill, you're 36, and you work for the DMV, then maybe you should burn your phone because the Feds are tracking you. Ridiculous

People don't worry government is spying on every American and Canadian.New World Order.your every move and what your saying and doing FREEDOM NOMORE BANKERS ARE IN CHARGE! Kinect Ps3 move see everything!

Year 2011 they will block the Internet and your phones! Nazi America is here! Freedom of speech no more !!!

The distopian future isn't 1984. It's Minority Report. ;) Well, without the precogs and all that, but the advertising, oh yes. Now, where are my new eyeballs...

It shouldn't, but it always amazes me how inane and naive people are determined to be. Just because someone is giving away something for free, doesn't mean that they're doing it in a completely benign fashion.
Nothing is free. How many times in history has this been proven? How many times has it come out that companies are doing things concerning and selling information about people that they said they didn't have, said they didn't sell, and said they didn't have in the first place?!? They're doing things freely that GOVERNMENTS cannot do at all.
"How Fortunate for Leaders That Men Do Not Think."
There is nothing wrong with someone developing a mechanism to counter such practices, and I applaud those that do. I personally am jailbroken and use Firewall IP to block attempts at these apps to send anything but what is absolutely needed for the functionality of the app in question.

If you're that concerned about information getting back to anyone of this particular nature, then I'd greatly appreciate you get rid of your iPhone, and any other smartphone or device that uses an internet connection. Get rid of your computers, or just use them offline if you must. Make sure to avoid cameras, look into remote wilderness property, and start planning your life as a nobody.
They don't call it living off of the grid for nothin'
Since we've been using the internet for advertisement and transmitting information, this sort of thing has been happening, have you never noticed that after surfing on the web, the ads on a lot of certain pages start to resemble things you've been looking at and frequently spend time learning/reading/watching about on the internet? Thats because its an information 'highway'... it goes both ways, not just one.

@Tony Allen
False dichotomy. There are far more shades of gray to privacy than "tell everybody everything" and "live in a mountain cabin." I am not an intensely private person, but while I personally don't mind Pandora collecting information about what music I like, I'm not sure I care for my online backgammon game to know, through creative mining of UUIDs with partners, that I have been searching for information on breast cancer lately. It is simply none of a game providers' business. It is information I need to find, and it could be damaging both personally and professionally if it gets out. It is not "living off the grid" to want to keep that circle of knowledge as tight as feasible.
While some people would only speak face-to-face with a doctor, I would not mind also consulting a search engine with a well-defined privacy policy I could inspect. Perhaps you would not mind the information getting out to anybody and everybody. That is your choice, and that is the point -- the user's position on that privacy gray scale is by definition personal, so the user should be able to draw, or at least influence, where that line is drawn. In the mobile app ecosystem, the has no way of telling where others are drawing the line, and they have no input whatsoever themselves in defining their own information.

“How Fortunate for Leaders That Men Do Not Think.”
Adolf Hitler.
@tony allen
dude, I don't use my iphone for you or anyone else. I respect the right of all you sheep to "not think" and be herded off the edge of any cliff these companies see fit to steer you to, but I'll be doing what I want with my phone and my net if you don't mind.
Those of you that think you have anything to hide, fine. But there are plenty of people being wrongfully denied health insurance by companies unwilling to risk the bottom line that pay for all this info that you seem to think is harmless.
There are companies paying for this information on the elderly. How are you going to feel when your grandparents can't get any coverage because they're deemed to be "at risk," or "not cost effective?"
How about when all this information collected is responsible for people being preyed upon? Women? Children? You? Ever think of that? There is no oversight. There is no legality. You have the money, you get the info - period. You have NO idea what is being collected, NO idea what is done with the info, and people are ok with this?!? Really??
@Dev, well said.

Rene, the product design community has been talking about location based ads before there was ever an iPhone. Btw that's also way before tipb and before your self proclaimed expertise in design and mobile products. Seriously! Get tipb to hire an actual designer working on real products and perhaps your site will illuminate actual insight.

Why is pandora listed as being able to send my location out to anyone if it doesn't even show up as a GPS using app? Is this article talking about city-level loc based on my ip address?

My biggest concern is that when all of the information is aggregated, that no longer will individuals be anonymous. When the information is aggregated, connected with online and offline information, matched up to information purchased from ad exchanges and tied to the UDID and digital fingerprint of the browsers (both which uniquely can identify individuals), a VERY detailed digital dossier will then be created.