| > You should really read this Usenix paper I have read it. It describes an attack on the app review process, i.e. a trojan. Their apps require the user to grant privileges. For example, their GreetingCard app requests access to the user's address book, and the user has to grant it. > iOS apps (over 250) that were App Store approved were able to retrieve personal user data including email addresses This is not true. Here's the blog: https://sourcedna.com/blog/20151018/ios-apps-using-private-a... The data they collected was list of installed apps, serial numbers, and some sort of AppleID numeric identifier. In particular, they did not (could not) collect email addresses. It's bad that the SDK was collecting this stuff, but this data is fairly innocuous. Last I checked, Android provides information like the list of installed apps and various serial numbers without requiring elevated permission. If you think it's possible to get the user's email address through an iOS private API, I challenge you to tell me what that private API is. > For example you need to declare android.permission.GET_ACCOUNTS permission to get the user's primary email. Not on iOS apparently This is wrong. On iOS, the only way to access the user's email is through the Address Book framework, which prompts the user at the time of access. > your app gets a broad set of permissions on iOS by default This is completely false. iOS has a comprehensive on-demand permissions model, which is widely recognized as better than the install-time permission model on Android. This is why Android is switching to iOS style on-demand permissions in Marshmallow. > you aren't calling a private method on Android without declaring the necessary permission Please stop confusing private methods with elevated permissions. You CAN call private methods without elevated permissions, as my code above demonstrates. |
[Edited for unnecessary stuff]
Oh the article you linked has Apple response that is quoted verbatim below - it references user email addresses. Specifically.
“We’ve identified a group of apps that are using a third-party advertising SDK, developed by Youmi, a mobile advertising provider, that uses private APIs to gather private information, such as user email addresses.."
> Please stop confusing private methods with elevated permissions. You CAN call private methods without elevated permissions, as my code above demonstrates.
What I wrote was you are not going to be able to call an Android API via private invocation and succeed if the API requires a specific permission and your app hasn't declared it.
All of this only goes to prove that Apple's security in iOS is not extraordinary as you claim - it is fallible like every other platform except with the exception of fingerprints which are currently believed to be secure - but that's now the case with Android as well - in M they are using ARM Trust Zone with no app access.