Slideshow

In Pictures: 9 iPhone and iPad apps that invade your privacy, and 1 that doesn't

Most iPhone and iPad apps appear harmless and fun, but don't fall for them. Some apps are virtual Trojan horses that swipe personal data when you're not looking. Appthority has put together a list of some of the worst offenders and you may be shocked to learn that a couple of the most popular apps made the list, such as Facebook and Angry Birds Star Wars. Be sure to check out the app at the end of the list for the one most honest.

  • "When we're looking to download the latest mobile app, we're generally not thinking about what it will do with our personal information. But many apps collect user information and share it with third parties, such as ad networks and analytics companies, in order to make a profit. They often access contact lists and calendar details, track our location and more. Plus, as many of us start using our own mobile devices for work use, we're putting company data at risk simply from the apps we've already downloaded. As more people bring their own mobile devices and apps into the workplace, security and education on app risk will become increasingly important."- Domingo Guerra, President & Co-founder, Appthority

  • Facebook What it does: The free Facebook app is one of the most popular social networking apps on the App Store. What are the risks: • Sends sensitive data in clear text (no encryption). • Has access to a user's Location and Contacts Book. • Uses Google Maps and transmits source or destination location values unencrypted over HTTP. • Includes file paths to source code files in debug information, stored within the app's executable. These file paths include usernames and information related to the app developer. Note: The app now handles user authentication better when using a Facebook account to log into third-party sites or services. The app used to have authentication tokens that never expire; the authentication tokens now expire in 1 hour.

  • QR Pal What it does: QR Pal - QR Code Scanner and Barcode Reader (free) is an iPhone app that lets users scan, store and share QR codes, and compare product prices with a built-in barcode reader. QR Pal rewards users with monthly cash prices. What are the risks: • Not compiled as a Position Independent Executable (PIE), which could expose the app to memory corruption attacks. • Sends some sensitive data in clear text (no encryption). • Can access a user's Location, Calendar and Contacts Book. • Includes file paths to source code files in debug information, stored within the app's executable. These file paths often include usernames or other information related to the app developer or development company.

  • iTorcia What it does: Have you ever downloaded a flashlight app from the Apple App Store and got a weird request for access your location? iTorcia is a popular flashlight app that Appthority calls "suspect." What are the risks: • Includes the device's Unique Device Identifier as a query string parameter in the URL that is sent unencrypted via HTTP. • Accesses user's Location, Calendar and Contacts Book. • Includes file paths to source code files in debug information, stored within the app's executable, which often include usernames and information related to the app developer. • Incorporates Flurry Analytics framework, a service used to collect usage data, as well as Millennial Media, AdMob, DoubleClick and other analytics and ad network frameworks.

  • Stagecoach Group Media and Investor What it does: Stagecoach Group Media and Investor (free), with separate iPad and iPhone versions, serves up the latest investor and financial media information. Armed with the latest share price, corporate news, financial reports and even corporate videos, users presumably can make better investment decisions. What are the risks: • The app was not compiled as a Position Independent Executable (PIE), which could expose the app to memory corruption attacks. • Can access a user's Location, Calendar and Contacts Book. • Sends some sensitive data in clear text (no encryption).

  • Salon-Finder What it does: Salon-Finder (free) is an iPhone app that helps salons and customers "connect, build loyalty and be pampered," according to its Facebook page. Got a broken nail? Find a salon and get it fixed. No worries. Well, there are a few things to worry about. What are the risks: • Not compiled as a Position Independent Executable (PIE), which could expose the app to memory corruption attacks. • Sends some sensitive data in clear text (no encryption). • Can access a user's Location and Contacts Book. • Includes file paths to source code files in debug information, stored within the app's executable. These file paths often include usernames or other information related to the app developer or development company.

  • Angry Birds Star Wars What it does: Be careful of free (or nearly free) game apps. Nothing is really free, is it? The most popular game on the iPhone and iPad is Angry Birds Star Wars. Some of the app's risks might turn you into an angry bird, too. What are the risks: • Can access a user's Location, Calendar and Contacts Book. • Incorporates Flurry Analytics framework, a service used to collect usage data. • Includes file paths to source code files in debug information, stored within the app's executable. These file paths often include usernames or other information related to the app developer or development company. • Uses several ad networks, such as InMobi, AdMob, iAd, Google's Double Click and Millennial Media.

  • StoneWater Church What it does: Religion-based apps promise to make daily deliveries of truth. StoneWater Church (free) gives "life-changing messages of Jesus Christ" over the iPhone and iPad. But I wouldn't have too much faith in the privacy and security of this app. What are the risks: • Not compiled as a Position Independent Executable (PIE), which could expose the app to memory corruption attacks. • Uses Google Maps (location tracking) and transmits source or destination location values unencrypted via HTTP. • Can access a user's Location, Calendar and Contacts Book. • Includes file paths to source code files in debug information, stored within the app's executable. These file paths often include usernames or other information related to the app developer or development company.

  • WhatsApp Messenger What it does: This popular messaging app, which lets users send free instant messages to other smartphones, disappeared from the App Store earlier this month. We're not sure why. But one thing is certain: It was a risky app. What are the risks: • Sends some sensitive data in clear text (no encryption). • Can access a user's Location and Contacts Book. • Sends some sensitive data in clear text (no encryption). • Has ability to read SMS message body. • Has access to location data from FourSquare and Google Maps.

  • SD EPSCoR What it does: We've seen gaming, social networking, even a religion-based app present some risks to privacy and security. Education and research apps should be safe, right? Wrong. South Dakota Experimental Program to Stimulate Competitive Research (free) provides news updates, announcements, media and funding opportunities. But the makers of this app need to study up on security. What are the risks: • The app was not compiled as a Position Independent Executable (PIE), which could expose the app to memory corruption attacks. • Can access the device's Camera, Location and Calendar. • Integrates into Facebook. • Incorporates Flurry Analytics framework, a service that collects usage data. • Uses 8 ad networks. • Sends all data in unencrypted clear text.

  • Kindle What it does: With all the fear and loathing about iOS apps in this slideshow, we'd like to end on a positive note. You'd think that Kindle, the popular reading app from Amazon, would be a prime candidate for personal data grabs. But Kindle's security profile scored very well in Appthority's testing. Why it's safe: • App does what it's supposed to do without hidden requests, data collection or functions. • Links to the Security framework, which provides access to security facilities including the keychain. • Encrypts all data, both incoming and outgoing.

Show Comments