Apple is eating dirt over how iOS apps share your data with publishers, primarily personal address books harvested by a certain company named Path. But is Google any better with the way Android apps behave? We asked the app experts.
The verdict? "Yes" with a gaping caveat.
For the record, Apple vows to fix the leaky-app-data problem with new rules for iOS app makers to follow regarding app behavior and clear permissions for access to personal data stored on iOS devices. But didn't happen before Washington lawmakers weighed in on the controversy. Soon iPhone and iPad apps won't be able to use your address book without your permission.
Android Any Better?
Are Android users safe from such problems, and is Apple's proposed fix a better implementation than Google offers? Let's investigate.
Unlike Apple's system, which simply allows apps to access your contacts without any prompt or prior permission (note some iOS developers are now implementing voluntary dialogue boxes), Android apps that want to use such privileges have to ask for them in a dialogue box before you install the app. This means that if you don't want a certain app to have access to your contacts (or location or sites you browse on your phone), your only option is not install the app.
Android's explicit disclosure of what parts of your smartphone an app wants to access is also enforced when you select automatic updating for apps. If an app changes permissions in a new version, it will be automatically be marked as a manual update. That means you'll have to review and accept the new terms the same way you did when you first downloaded the app. However, the Android method has its own weakness.
Android's Fatal Flaw: User Ignorance
"A lot people blindly click through the permission requests when installing Android apps," says Greg Plumbly, managing director of Portable Pixels, a London-based mobile apps development firm. "It's a bit like on Windows when these warnings popped up so often people just got in the habit of clicking OK," he adds.
In the desktop software environment, a measly two percent of people read the end-user license agreements (EULAs) shown during software installations, according to a 2009 study by Carnegie Mellon University's CyLab. (You can read the PDF version of the study here) Shame on us computer and Internet users. Not paying attention to EULAs can bite you in the rear end with vengeance.
Does pre-installation permission request make Android less susceptible to apps uploading your contacts to remote servers without your consent? Not really, because you already agreed to it when you installed the app, along with a bunch of other requests, and there is no granular control over which permissions you give to apps-- it's a case of all or nothing for Android users.
It's still unclear how Apple might implement more transparent app disclosure along what type of granular opt-in and opt-out controls iOS users have.
Peter Harrison, CTO at UK-based mobile security firm BlackBelt SmartPhone Defence, agrees: "The Android approach is certainly safer than no prompt at all. Unfortunately you cannot agree individual permissions--either you give the app everything it wants or you don't give any permissions.
"However, the big weakness is that most users simply agree to permission requests without thinking about it, possibly without even reading the requested permissions. They certainly don't think about whether the app really needs the requested permission," Harrison adds.
"The proposed Apple solution to prompt in a similar way than it already does for location-based services and push notifications, in order to access address book info is a good one, and probably should have been in place some time ago," Portable Pixels' Greg Plumbly says. This way, users get granular control over access to their address book, every time an app requests it, making you aware when the app actually uses such data.
But this approach has its own perils, BlackBelt's Peter Harrison warns: "Prompting for individual address book requests could be safer but the same risk exists--many users may simply agree to the request without thinking about the consequences. This particularly applies if the user sees the prompt regularly. The user may get into the habit of simply acknowledging the requests without checking which app is requesting permission."
Can Apple do a better job than Google? Will Apple now be just as good as Google? Can the other 98 percent of the human race be trained to read EULAs? Hmmmm.