by ajmurmann 1704 days ago
> I'm not a mobile developer, but it would be interesting if iOS provided a service that allowed data to never leave the phone

I'm not sure I follow. Do you mean the app wouldn't be allowed to send any data over the network? As soon as the app can send any data, it's trivial to hide in there whatever the app wants to send home.

My idea is that Apple encourages Apps and features / adds badges for those apps that only store data locally. The local storage should be able to identify different types of data. They provide an API that allows data to be queried so that whenever an App queries some critical or confidential data it throws a big warning.

The developer would just query the sensitive field either immediately or at a seemingly reasonable moment (along with dozens of other sensitive and non-sensitive fields), put everything into a blob, and then send it to the server as an opaque web request to some innocuous-looking endpoint like POST /login.

You either have to completely trust the developer today and forever after, or you need to make some fundamental advancements in homomorphic cryptography. "Secure data store that can be queried with a permissions box" doesn't work.