
Bucknell University: 68% of iPhone apps do not properly protect users' private data

Published: 2010-10-08 10:10:16

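An iPhone study led by Eric Smith, Assistant Director of Information Security and Networking at Bucknell University, shows that the developers of 68% of iPhone apps have not taken adequate measures to protect user privacy and send user data to advertisers without obtaining the user's consent.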


Meanwhile, researchers from Intel Labs, Duke University and Pennsylvania State University found that 50% of Android apps have the same privacy-leak problem.

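According to Eric Smith's study, only 18% of the iPhone apps encrypted the data they transmitted, and only 14% were considered clean (leaving no backdoor for passing data along). In the joint sample taken by Intel Labs, Duke University and Pennsylvania State University, 15 of the 30 apps likewise sent users' location information to advertisers without the user's permission.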

The iPhone apps sampled included: Amazon, Chase Bank, Target, Sam's Club, Best Buy, Barnes & Noble, eBay, PayPal, Bank of America, Wells Fargo, Fidelity and American Express.

The Android apps sampled included: The Weather Channel, Blackjack, Hearts, BBC News, MySpace, Yellow Pages, Coupons, Trapster, Solitaire, Movies and Ringtones. (Compiled by 游戏邦/gamerboom.com)

The iPhone app study:

The iPhone is heralded by its maker, Apple, as the greatest and grandest product on the market but this is one first place award Steve Jobs probably won’t put in the trophy case.  A new report puts the iPhone ahead of the Android in insecurity, finding that 68 percent of the most popular free iPhone apps send data that can be used to identify users and transmit private information to third parties.  That’s compared to the 50 percent of Android apps we reported  last week that send users’ data to advertisers without their consent.  The study revealed that the iPhone data breach goes even further, enabling some apps to send information as detailed as the user’s name.

The findings are the latest bombshell in the ongoing debate about what information can and should be released on mobile devices and what Internet giants like Facebook, Google and Apple are, and are not, doing to stem the tide of releasing users’ data.  Public concern is at a peak but has not yet slowed demand for smartphones, making the market for advertising on the devices an even hotter commodity.

The iPhone study was led by Eric Smith, Assistant Director of Information Security and Networking at Bucknell University and blogger for pskl.us.  His research found that 38 out of the 57 top iTunes apps he examined transmitted the device’s unique device identifier (UDID) each time the application was launched.  A further 18 percent of the apps transmitted encrypted data, meaning there is no way to know exactly what data was released, and just 14 percent of the applications were “clean.”

The iPhone applications tested included user favorites such as Amazon, Chase Bank, Target, Sam’s Club, Best Buy, Barnes & Noble, eBay, PayPal, Bank of America, Wells Fargo, Fidelity and American Express.

UDIDs are a 40-digit sequence of letters and numbers assigned to each mobile phone that can be used to identify users and send sensitive information to third parties.  UDIDs cannot be deleted by the user, allowing third parties and vendors to create user profiles.

Smith warned that the most popular apps like Amazon, Facebook and Twitter “inherently have the ability to tie a UDID to a real-world identity.”

Unlike the Android flap where users could take precautionary measures to protect themselves, Smith ominously warns iPhone users they are fairly helpless in safeguarding their data.

“Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information,” Smith concludes.(source:social times)

The Android app study:

A new look into how Android apps handle the data they access on smartphones may make you stop and think before downloading the latest, greatest app.  In a random study of popular Android apps, researchers found two-thirds of the apps were using owners’ data in ambiguous ways, including 50 percent that were sending owners’ data to third-party advertisers without requiring user consent.

Have Android apps taken the system’s highly-touted open source status too far?

Researchers from Intel Labs, Duke University and Pennsylvania State University discovered the security breaches using TaintDroid, a proof-of-concept tool they created that analyzes in real-time what potentially sensitive information is collected.

For their study, the team randomly chose 30 out of 358 popular apps from the Android Market.  Their research found “68 instances of potential misuse of users’ private information across 20 applications.”  More specifically, they found 15 apps sent location information to advertisers without user consent, 9 apps transmitted a user’s International Mobile Equipment Identity number, and 2 apps transmitted a user’s phone number and ICC ID – both of which are, of course, unique identifiers.

Among the apps included in the study were user favorites such as The Weather Channel, Blackjack, Hearts, BBC News, MySpace, Yellow Pages, Coupons, Trapster, Solitaire, Movies and Ringtones.

The findings reignite the debate over Android’s security controls, mainly that users lack control over where or how their information is shared.  In the current system, users must give their consent to share information.  Critics point out, however, that once that approval is granted during the app installation process, the user is not given any further details about when or by whom their information will be used.

So how can you stay safe from the prying eyes of your favorite apps?  Android users should confirm their permissions by checking the Android Market under menu and security, while iPhone users should regularly check and update which of their apps are using location information.  All smartphone users should practice general, common sense safety as well, including verifying the authenticity of developers’ websites and reading their app updates.

And don’t log on to the TaintDroid site just yet in hopes of downloading that app.  It is still just a monitoring tool that would require modifications on your device’s firmware to work.  But its creators have said they plan to turn the program into an open source project so something could be on the market in the future.  In the meantime, you can view a video demo of TaintDroid here.(source:social times)
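One way to check captured app traffic for the identifiers named in the two studies above (the UDID from the iPhone study; the IMEI, ICC ID and phone number from the Android study), as an added example that is not code from Smith's report or from TaintDroid. It sorts each app into the three groups the iPhone study reports; the device values, app names, host names and the MD5/SHA-1 forms are assumptions made for illustration.

```python
import hashlib
from urllib.parse import unquote_plus

# Identifiers of the test handset (constructed values, not a real device).
DEVICE_IDS = {
    "UDID": "3f2a9c0d4e5b6a7988776655443322110a0b0c0d",  # 40 characters
    "IMEI": "490154203237518",
    "ICCID": "8901260123456789012",
    "PHONE": "15705550123",
}

def variants(value):
    """Raw, MD5 and SHA-1 forms; the hashed forms are an assumption."""
    forms = {value.lower()}
    for text in {value, value.lower(), value.upper()}:
        forms.add(hashlib.md5(text.encode()).hexdigest())
        forms.add(hashlib.sha1(text.encode()).hexdigest())
    return forms

def leaked_ids(payload, device_ids=DEVICE_IDS):
    """Names of the device identifiers visible in one cleartext request."""
    haystack = unquote_plus(payload).lower()
    return sorted(name for name, value in device_ids.items()
                  if any(form in haystack for form in variants(value)))

def classify_app(requests):
    """Return ('leaks', ids), ('encrypted', []) or ('clean', [])."""
    found, opaque = set(), False
    for req in requests:
        if req["payload"] is None:      # encrypted: content not observable
            opaque = True
        else:
            found.update(leaked_ids(req["payload"]))
    if found:
        return "leaks", sorted(found)
    return ("encrypted", []) if opaque else ("clean", [])

# Constructed capture: the outbound requests seen at one launch of each app.
IMEI_SHA1 = hashlib.sha1(DEVICE_IDS["IMEI"].encode()).hexdigest()
CAPTURE = {
    "weather-app": [{"host": "ads.example.net", "payload":
        "GET /ad?udid=3F2A9C0D4E5B6A7988776655443322110A0B0C0D&lat=40.95 HTTP/1.1"}],
    "bank-app": [{"host": "api.example.com", "payload": None}],
    "game-app": [{"host": "cdn.example.org", "payload": "GET /levels/3.json HTTP/1.1"}],
    "news-app": [{"host": "track.example.net", "payload":
        "POST /e HTTP/1.1\r\n\r\ndev=" + IMEI_SHA1 + "&os=2.2"}],
}
RESULTS = {app: classify_app(reqs) for app, reqs in CAPTURE.items()}
print(RESULTS)
```

Matching against the known identifiers of the test device keeps false positives low, although a short numeric value such as a phone number can still coincide with unrelated digits in a payload.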

