iPhone apps are spyware: PANIC!

Some iPhone applications are phoning home with some scarily detailed information about you and your usage patterns. In IT Blogwatch, bloggers dissect the news, and wonder if it's the spyware story all over again.

By Richi Jennings. August 18, 2009.

Your humble blogwatcher has selected these bloggy morsels for your enjoyment. Not to mention a sensible bit of Samsung...

Marianne Schultz sez your iPhone can phone home:

After the recent hubbub surrounding the Palm Pre and its daily sharing of user location and other information with Palm, ... the iPhone Dev Team has revealed that some third-party apps for the iPhone act in a somewhat similar fashion.


In a blog post this morning, the Dev Team explained that code from analytics firm Pinch Media within some iPhone apps is "specifically designed to track your geographical location through time, then upload that data to Pinch Media." They ... note that the app will first ask permission to use your location information. Once this permission is granted, user location information is transmitted to whomever is tracking the app's usage via Pinch Analytics. ... Gender and birthday information may also be gathered and sent, if available.

Over to the anonymous gnomes on the Dev Team:

Although we have yet to find an application by Apple that tracks your location, there are certainly a number of “free” applications in the official AppStore that are designed to do just that. Case in point: there’s this rather cute/gimicky app that lets you determine the tip for your waiter or waitress by tilting your phone as you pass it around the restaurant table. But ... it uses a library by Pinch Media that is specifically designed to track your geographical location through time, then upload that data to Pinch Media. (Oh and it also shows you an ad, as an extra bonus).

  Being an approved app, it must first ask you for permission to use your location. If you tap “Don’t Allow”, it will ask you again in about a minute, the next time its ad changes. So you either stop using this app (because it pesters you so much about the location question), or you finally submit and tap “OK”. From that point on, your location and path info (your actual physical path through your area each time you launch the app) belongs to Pinch Media, Inc. We think that’s a Pinch too much.

And 0th3lo has been tracking Pinch for a while now:

Once an iPhone application is pinchmedia enabled, on every execution of the application the following information is stored in a local SQLlite database:

  • iPhone's unique ID
  • iPhone Model
  • OS Version
  • Application version (in this case, camera zoom 1.x)
  • If the application is cracked/pirated
  • If your iPhone is jailbroken
  • time & date you start the application
  • time & date you close the application
  • your current latitude & longitude
  • your gender (if facebook enabled)
  • your birth month (if facebook enabled)
  • your birth year (if facebook enabled)
Your data is continually tracked ... they will record every use of the application for the life of that application on your phone. When finally you do have a connection, this information is sent automatically. ... At no point are you told what the pinchmedia enabled application is doing, at no time are you given an option to "opt-out".

Sarah Perez adds balance:

Pinch Media is ... frustrated by these accusations. They argue that no location can be sent back without the user's explicit opt-in. Since you have to press a button that explicitly allows the application to access your location, how could this possibly be without the user's consent? The company also claims that the blog posts by this 0th3lo person are "full of factual inaccuracies" (although they didn't detail specifically which parts are inaccurate). They even hint that the blogger's motivations are less about exposing user privacy violations and more about retaliating against the company because Pinch Media recently launched tools which allow developers to identify pirated (aka stolen) applications.


Still, not all applications using analytics on the back-end are to be feared. For the most part, the data being recorded is anonymous and helps the developers make better apps. The problem is that, as of today, there's no way to know which apps are the safe ones.

Let's read Rene Ritchie's rousing rant, regarding "Spyware":

In a web increasingly dominated by companies seeking to aggregate (hopefully anonymized?!) user data as a way to monetize (providing free or cheap apps in exchange for the shared data and tolerance for advertising), how broadly can that term [Spyware] now be applied? Many, especially tech-savvy, users are happy to let Google’s Gmail scan their email and serve ads in exchange for the service (and don’t even get us started on Chrome parsing all URLs a user enters through Google, or their purchase of DoubleClick…)


Perhaps Apple could give us app-specific Location settings, much as we now have app-specific Notification settings? That way, there’d be a list of apps that use location, and we could individually turn off those with which we don’t want to share our location. How about it, Apple?

So what's your take?

Get involved: leave a comment.

Don't miss out on IT Blogwatch:

And finally...

Richi Jennings is an independent analyst/consultant, specializing in blogging, email, and spam. A 24 year, cross-functional IT veteran, he is also an analyst at Ferris Research. You can follow him as @richi on Twitter or richij on FriendFeed, pretend to be Richi's friend on Facebook, or just use good old email: itblogwatch@richij.com.

Shop Tech Products at Amazon