Third-party mobile app libraries access sensitive info without user permission, warn researchers
WASHINGTON, D.C.--Third-party libraries used by app developers across the mobile industry may access privacy-sensitive information without seeking consent or even against the user's choice, researchers from Microsoft warned at the USENIX Security 2013 conference held here last week.
In a paper presented at the conference, Benjamin Livshits and Jaeyeon Jung with Microsoft Research wrote that "a popular iOS application, Path, had been found to upload the entire address book of an iPhone user by default."
A Pew Research Center survey of 2,254 adults conducted last year found that 43 percent of adults have downloaded apps to their smartphones. Of those, 57 percent have either declined to install or uninstalled an app due to concerns about sharing their personal information with the app.
Mobile app development best practices require developers to get opt-in consent from users before accessing sensitive information, the researchers noted.
To ensure best practices are observed in mobile apps, the researchers have developed an automated way to insert missing mobile app permission prompts.
"Runtime consent dialogs (sometimes called runtime permission prompts) are commonly used by mobile applications to obtain a user's explicit consent prior to accessing privacy-sensitive data. However, mobile operating systems differ in terms of their approach to raising these consent dialogs," the paper observed.
The researchers' system automatically compensates for differences between operating systems and inserts the prompts into the code. They said that their approach succeeds in placing the prompt in about 95 percent of cases.
This article was updated on Aug. 19, 2013, to provide a direct quotation from the paper on the researchers' views concerning the Path iOS application.