Cybercrime plays right into Apple’s hands

SvD Näringsliv

This analysis was first published in SvD Näringsliv, in Swedish, on April 13th, 2022.

Personal data from millions of users has been funneled out of Android apps to the US defense industry. The leak plays right into the hands of one company: Apple.

Have you scanned barcodes with an Android app called “QR & Barcode Scanner”? Or tried to avoid speeding tickets with “Speed Camera Radar”? Then you may have paid a higher price than you originally intended.

The independent security company AppCensus raised the alarm last week that personal data was being sent from eleven different Android apps without users’ knowledge. Google has now removed the apps from its Play Store, but they may still be installed and in use on phones around the world. In total, millions of people are affected by the leak, which may also have hit users in Sweden.

Perhaps even more seriously, The Wall Street Journal has found a link between the IT company Measurement Systems, the firm that collected the data, and companies working with the US defense industry. Measurement Systems had explicitly asked for data from users in the Arab world, and targeted apps that were big in the region, including several focused on the Koran.

Events like this happen relatively often. In this case, several of the app developers seem to have been unaware of exactly what data was being forwarded. They had been contacted by Measurement Systems and asked to install a few extra lines of code in their apps. The payment was based on how many users they had. Naive, you might think — but not uncommon. And nearly impossible for a regular user to detect.

Data leaks like this seem to have only losers, but there is actually one exception: Apple. The exposure plays right into the hands of the company and its app store, the App Store. Apple argues that every app must be reviewed carefully before individual users can download it. In the closely watched trial against Epic Games last spring, Apple’s CEO Tim Cook testified that they reviewed about 100,000 apps a week, of which 40,000 were rejected. Without this, Tim Cook said, the App Store would become “a toxic mess”. Google’s app store screens apps too, but less extensively. And in this case it missed these eleven apps.

The news comes at the right moment for Apple. They won nine out of ten counts in the case against Epic Games (the last is now being appealed), but there is also legislation on both sides of the Atlantic that threatens their business model and way of working. Apps leaking personal information to unauthorized parties can happen in Apple’s ecosystem too, but far more rarely. Apple’s challenge has been exactly this — to show that their monopoly on app stores on the iOS operating system is something that benefits users as much as, or more than, it benefits Apple themselves.

Apple’s work on security and privacy has created a somewhat thankless position for the tech giant. The fact that iOS has been so spared from viruses and other attacks may have created the impression that it isn’t even much of a problem anymore. But cybersecurity experts often recommend using iPhone and iPad because their way of handling potential viruses and other threats is in many ways superior to the competition — including PCs, Android, and for that matter even Apple’s own Mac products.

The Measurement Systems data leak is a reminder that attacks and intrusions happen daily — often without those involved even noticing. And it raises the question of where the protection for the user should sit.

Is it the platform and the store that should ensure users’ privacy is upheld? That’s Apple’s line. Or should you be free to choose among stores and handle the question yourself? The answer to that question, which legislators must now address, will determine what the app stores of the future look like and how they work.

Source: PCMag