You might not think much about the small applications you download for your iOS devices that ask to “phone home” (i.e. send information from your device to some known or unknown source). But new research done at Bucknell University by Eric Smith shows that applications sometimes transmit data over the network in plain text, allowing network eavesdroppers to potentially steal critical information.
Studying over 57 different applications from the App Store, Smith discovered that, besides the UDID (the unique identifier assigned to every iOS device), some applications also transmit personally identifiable information over the network, and in some instances that information was transmitted without any encryption at all.
“For example, Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name,” says Eric Smith in his report.
With somewhat technical but widely available software like Wireshark, a network eavesdropper could easily read the data being transmitted from your device to the application’s home server. This is where the potential security risk exists: because only a few applications use SSL encryption for the transmission, the personal data is sent over the network in plain, readable text.
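To make the risk concrete, here is an added example (not from the original article or from Eric Smith’s report) of the kind of check an app developer or auditor can run over their own app’s captured traffic: it parses a raw HTTP request, looks for a UDID-shaped 40-character hex identifier and for obviously personal form fields, and flags the request as “linkable” when both appear in the clear. The two sample requests, the host names and the list of personal-data field names are constructed for illustration and are assumptions, not values from the report.

```python
"""Audit a captured plaintext HTTP request for a UDID plus personal fields.

Added example, not code from the original article or from Eric Smith's
report. Sample requests, hosts and the PII field list below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# An iOS UDID is a 40-character hexadecimal string (a SHA-1 of device details).
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Parameter names that commonly carry personal data (assumption: illustrative list).
PII_KEYS = {"name", "username", "realname", "email", "device_name", "devicename"}

# Constructed sample: UDID and real name sent over plain HTTP in a form body.
SAMPLE_PLAINTEXT = (
    "POST /api/login HTTP/1.1\r\n"
    "Host: example-shop.invalid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "udid=0123456789abcdef0123456789abcdef01234567&name=Jane+Doe"
)

# Constructed sample: a request that carries neither a UDID nor personal data.
SAMPLE_CLEAN = (
    "GET /news/feed?device=iphone HTTP/1.1\r\n"
    "Host: example-news.invalid\r\n"
    "\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return {"method": method, "path": path, "headers": headers, "body": body}


def audit_request(raw: str) -> dict:
    """Report what an eavesdropper on an unencrypted link would see.

    Returns the destination host, every UDID-shaped token found anywhere in
    the request (query, headers or body), the personal fields found in the
    query string or form body, and whether the two can be linked together.
    """
    req = parse_request(raw)
    params = parse_qs(urlsplit(req["path"]).query)
    content_type = req["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(req["body"]))
    udids = sorted(set(UDID_RE.findall(raw)))
    pii = {k: v[0] for k, v in params.items() if k.lower() in PII_KEYS}
    return {
        "host": req["headers"].get("host", ""),
        "udid": udids,
        "pii": pii,
        # The report's core concern: identifier and identity in one readable request.
        "linkable": bool(udids and pii),
    }


if __name__ == "__main__":
    for sample in (SAMPLE_PLAINTEXT, SAMPLE_CLEAN):
        print(audit_request(sample))
```

Only traffic sent over plain HTTP can be inspected this way; the same request over SSL would show the eavesdropper nothing but the destination host, which is the whole point of the article’s recommendation.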
Hopefully Apple will be able to address this issue in the future, either by requiring app developers to fully disclose the type of data they collect and transmit, or by providing a way for developers to collect this data and transmit it in a more secure manner.
You can read the full report by Eric Smith by clicking here [PDF link].
via Ars Technica
Follow this article’s author, Cory Bohon on Twitter.