Passcode-Collecting App Pulled From App Store

Discussion in 'iOS Blog Discussion' started by MacRumors, Jun 15, 2011.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1


    Earlier this week, iOS developer Daniel Amitay published a report examining trends in passcodes chosen by users of his Big Brother Camera Security application. Amitay had anonymously collected over 200,000 passcodes used on his app and offered the data up as a proxy for actual iPhone passcode usage data based on the similarity of the input system style and functionality.



    Amitay now reports that his application has been pulled from the App Store by Apple, although he is unsure at this time whether the removal was due to publication of the data or his admission of collecting it in the first place.
    Amitay points to Apple's iTunes licensing agreement in support of his belief that he can collect such information, noting that he had planned on using the data collected to generate a list of common passcodes that would offer a warning of the codes being too obvious if they were chosen by a user. Consequently, it is unclear whether it is the collection itself or the publication of it that raised Apple's ire.

    Amitay is currently reaching out to Apple to address the issue and have Big Brother Camera Security returned to the App Store.

    Article Link: Passcode-Collecting App Pulled From App Store
     
  2. macrumors regular

    Joined:
    Apr 2, 2011
    #2
    Not nice to collect info from users without their approval. Though, the study may be interesting by itself. The right place and time for Data Mining techniques!
     
  3. macrumors 6502a

    ratzzo

    Joined:
    Apr 20, 2011
    Location:
    Madrid
    #3
    I approve of this, users were not aware of this happening.
     
  4. macrumors 68020

    matrix07

    Joined:
    Jun 24, 2010
    #4
    If he didn't tell users his app's gathering passcode then I say ban his app for life. Good job Apple.
     
  5. macrumors 68040

    haruhiko

    Joined:
    Sep 29, 2009
    #5
    Kudos to Apple for removing this app. In fact this developer doesn't even think that he was wrong to collect users' passcodes; he should be banned forever. :mad:
     
  6. macrumors member

    Joined:
    Sep 18, 2006
    #6
    coming from an app called "big brother," this seems a bit ironic. hope you never get an app approved again. CYA!
     
  7. macrumors 68040

    Joined:
    Apr 6, 2007
    #7
    I was shocked when I saw his original story....why on earth would Apple allow this to continue. Right move as far as I'm concerned. He shouldn't have had his entire account locked out, not just the app removed!
     
  8. mw360, Jun 15, 2011
    Last edited: Jun 15, 2011

    macrumors 6502a

    mw360

    Joined:
    Aug 15, 2010
    #8
    I can see why he thinks he's not done anything wrong, but it's incredibly naive of him to think that this wouldn't be blown up into some malware/spyware/phishing scandal by hacks and bloggers who are more interested in outrage than facts. Apple did the right thing, and I hope the kid gets a clue in future.
     
  9. macrumors newbie

    Joined:
    Jun 6, 2011
    #9
    This developer has done nothing wrong, besides show the stupidity of users who use passcodes such as these. The unsolicited collection of data is something that happens every day. Whenever you shop at WalMart, they record your credit card number and what you bought so they can refund you if need be. BUT they can easily bring up a purchase history and work out what your shopping style is, what you like to buy, what kinds of things you buy. That's an invasion of privacy to a degree, but do you care?

    The HUGE difference here is the developer can't tie up passcodes to individuals. What he wanted to do was look at the bigger picture. Apple published that they've sold x million iPads. OMG My iPad is in that statistics! That's MY data THEY HAVE NO RIGHT! See how stupid that is?

    Information is taken from you all the time, whether or not you know it, and for most purposes it's used for seeing trends in large datasets, not to target you personally. Until your personal privacy is breached there's no need to cry. Apple are bending to consumer pressure because of a large volume of complaints they've probably received about the App.
     
  10. macrumors newbie

    Joined:
    Jun 15, 2011
    #10
    Not fair

    It's not fair to collect the user information with the users knowing about that, but I don't think that the result of the test will be reliable if the users knew about the tracking? :)
     
  11. macrumors 6502

    PorterRocks

    Joined:
    Jan 31, 2010
    Location:
    Idaho
    #11
    As others have said, Apple did the right thing by removing the app. Why would this guy think it was ok to collect passcodes and then publish them? He should be banned from the app store. We don't need people like him collecting that kind of data without the users' consent.
     
  12. macrumors 6502

    Illusion986

    Joined:
    Mar 12, 2009
    #12
    Dev got what was coming to him. But can't believe he is that naive to think that he is that right. Hopefully less and less apps like this will slip thru the cracks.
     
  13. macrumors regular

    Joined:
    Feb 20, 2007
    Location:
    Switzerland
    #13
    What is the big advantage of Apple's curated App Store? Oh right, that Apple checks all apps for such things before making them available to the public.

    As much as I don't approve of what this developer did, I also fear that there are thousands of apps out there, installed on millions of iOS devices, that send much more private data than just a passcode for the lock screen, unasked.

    Apple gets 30% of the revenue, they could be a bit more thorough when testing apps...
     
  14. macrumors 6502a

    42streetsdown

    Joined:
    Feb 12, 2011
    Location:
    Gallifrey, 5124
    #14
    People will always make big deals about these 'privacy' issues. It's the same thing as the whole location cache. People'll freak out because they think that they're somehow special and that their info matters.

    Should this dev have told his users about this study of his prior to doing it? Probably. Did it hurt anyone at all? NO
     
  15. macrumors 6502

    Joined:
    Jul 22, 2008
    Location:
    UK
    #15
    That's just not realistically possible. For a start, you'd need to packet sniff all wi-fi packets and trawl through the data looking for something that looked like a 4 digit code in this case. Moreover, the minute Apple started doing this, any developer with malicious intent would immediately switch to sending all data over SSL/TLS. When the data is encrypted, the app could be sending anything and there would be no way to know.

    Apple are doing the right thing - their APIs heavily limit the damage a rogue developer can do but to try to go any further would just be a waste of everybody's time.
     
  16. macrumors 6502a

    ghostlyorb

    Joined:
    Jan 9, 2010
    Location:
    Virginia, USA
    #16
    I think it was wrong to not tell everyone.. then come out with a list and be like BAM I COLLECTED YOUR PASSWORDS. I think he didn't break the rules.. but still. It's common courtesy.
     
  17. macrumors 6502a

    mw360

    Joined:
    Aug 15, 2010
    #17
    Any developers want to comment on whether it's realistic to attempt something more sinister? I always assumed that because Apple has your name, address and bank details you're wide open to arrest and prosecution if someone works out that your app is stealing data. It's not like uploading malware anonymously to P2P networks.
     
  18. mroddjob, Jun 15, 2011
    Last edited: Jun 15, 2011

    macrumors member

    Joined:
    Jun 29, 2010
    #18
    You do realise that app developers are allowed to collect data from people using their apps as long as it's anonymous? And the user agreement that we as users sign up to could be classed as letting us know that this can happen in any app. So technically I think he's still working within the EULA. I'm not saying I agree with what he did, but there's no need to flame the guy and call for lifetime bans etc. if he genuinely wanted to use the data to improve his application by stopping people using common passcodes. I'm sure analysis of passwords to persuade people to use less common passwords is/has been a common thing on the internet.

    Also IMO it's not like he set out to trick people into using the same phone lock passcode for his app (maybe I'm wrong and there were ulterior motives to it). But really, we shouldn't be using the same passwords for things. Do you use the same pin code for your ATM as your phone, or the same password for online banking and your MacRumors login?

    Edit: ok, re-read the article and he did say that because of the similarity in the code screen he thought it may correlate with real codes, but still from the EULA Apple does give the developers the right to do it and we still blindly accept the agreement and really he can't do anything with the data to harm anyone, and I think it helps to bring to light the importance of not using easy to guess common passwords (at the read the EULAs we accept)
     
  19. macrumors newbie

    Joined:
    Jun 6, 2011
    #19
    It was more like "I COLLECTED PASSWORDS."

    Stop personalising it... seriously. No one was harmed, no one's had their phones unlocked, no one's had their credit card details stolen. This hysteria is hilarious to watch! :p
     
  20. macrumors 6502

    Joined:
    Feb 25, 2011
    Location:
    The land of the cucumbers
    #20
    If 1234 was sent to his server, there has to be something in that message confirming it was a passcode + from which IP it came ... The server could of course not save that information, but he can't argue that only 1234 is being sent to the server ...
     
  21. macrumors G4

    Rodimus Prime

    Joined:
    Oct 9, 2006
    #21
    Well, sent through home Internet it would be much more exact than if over 3G because the cells will share a common IP.
    Also if the server is not logging that info then it is just 1234 with no way to ID it.

    Now I do not agree with how he did it but it is good info for the public to know what the common ones are because criminals already know the common ones. This just brings it more to the general public attention what dumbass pins are.
     
  22. macrumors 68020

    jclardy

    Joined:
    Oct 6, 2008
    #22
    I don't think anonymous data collection should be forbidden, but when collecting something that could be "personal" information it should be.

    In this case it is a user's PIN code. While most were probably meaningless, some people may have used the same code to unlock their phone, the same code they use for their bank card or some other important number.

    And the issue for me isn't so much that he collected it, it is that the code was probably sent in plaintext over a normal HTTP connection. So if someone was around you with a packet sniffer they could easily grab your unlock code. Of course the chances of this happening are essentially zero (a person must be sniffing the wifi that you are on, you must be using this app, and you must be setting your unlock code), but it is still something you probably shouldn't do.

    I'm fine with developers collecting simple anonymous data like "how many times did I open this app" or something along those lines, but I'd rather not have my device broadcasting security codes or passwords.
     
  23. macrumors P6

    dukebound85

    Joined:
    Jul 17, 2005
    Location:
    5045 feet above sea level
    #23
    Did you not read the article?
     
  24. macrumors 68040

    Joined:
    Apr 6, 2007
    #24
    There's nothing stopping you collecting any data you wish. Apple simply look at the app, check it works as described and hit the sell button.

    I was made aware of a pretty big bug in one of my own apps a few years ago, and Apple never picked up on it during review (I had accidentally submitted a busted copy of the App that locked up the iPhone when run).

    There's nothing at all stopping devs collecting any info they wish as Apple simply can't check that kind of stuff. If I wanted to I could quite easily track a user's location. I wouldn't as not only is it immoral, but my apps have no need to touch GPS at all.
     
  25. macrumors G4

    Rodimus Prime

    Joined:
    Oct 9, 2006
    #25
    This is why I wish Apple would do something like Android Market where when you go to install an app it lists the things the app needs access to. So something like this app would send up a red flag when it needs full Internet access.
     
