Just one day after we posted the top ten most common iPhone passcodes, Apple has yanked the app that generated them. According to the developer, though, he was only following Apple’s own rules.
In an email to Daniel Amitay on Tuesday, Apple said the app was “surreptitiously harvesting user passwords.” In his defense, Amitay blogs that his app falls under Section b. of the iTunes EULA. The section states:
b. Consent to Use of Data: You agree that Application Provider may collect and use technical data and related information, including but not limited to technical information about Your device, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to You (if any) related to the Licensed Application. Application Provider may use this information, as long as it is in a form that does not personally identify You, to improve its products or to provide services or technologies to You.
“First, these passcodes are those that are input into Big Brother, not the actual iPhone lock screen pass codes,” Amitay writes. “Second, when the app sends this data to my server, it is literally sending only that number (e.g. “1234”) and nothing else. I have no way of identifying any user or device whatsoever.”
The developer said he’d planned on using the data collected to update his Big Brother app, warning users not to pick the common passcodes.
When we originally posted this story, we arched an eyebrow at Amitay’s publication of iOS passcodes, but once we saw that the data was not only anonymously collected but also mined from his own app, we felt more comfortable with it. What do you think, though? Did Amitay act disreputably, or was he providing a valuable lesson in passcode security using data he had been given permission by Apple to use as he saw fit?
26 responses to “Apple to iPhone Passcode Finder App: Get Lost”
The data was collected anonymously + it was used for research purpose. I think instead of banning it, Apple should encourage users to strengthen security.
But the developer should have proved his point for the anonymous part... not many would have believed, I guess.
After reading the article yesterday, I downloaded the app to see if there was any indication that it was monitoring my passcode. There was not. If it were not for your article I would not know. The app is also location aware. That has the potential to inform the developer not only my passcode but also where my phone is!
I think it is right that Apple pulled the app, at least until the developer makes it clear to users what he is doing, and therefore gains explicit permission from the user.
I deleted the app as soon as I had run the test. The passcode I inserted for the test was fuku.
Well done Apple, but I am horrified it got through their testing procedure. How many other apps are monitoring data that I do not want sent to someone’s server?
Bottom line is he is an idiot and deserves whatever he gets. All Apple has done is ban the app, not the developer, so his punishment for what was basically a foolish and insulting stunt, is to make another app. If it was me making the decision, I would have banned him for life from even submitting anything else.
As long as he was doing it in secret though, he can’t really say he has the users ‘explicit assent’ to use the information.
His personal intent has nothing really to do with it, it’s just about what laws/rules he broke. His explanation is nice to have after the fact, but essentially irrelevant in the determination of right/wrong.
Ironically, he was probably ‘done in’ by the very tech bloggers he gave the information to in order to self-publicise. Tech bloggers being what they are, completely exaggerated his story and misrepresented his password harvesting as being system passwords instead of passwords to apps.
So if not for the lame and typically inaccurate and hyperbolic reporting of tech bloggers, he might not have caused such a storm or even been noticed by Apple at all.
It’s not like the world needed someone to inform the public that “1234” is an insecure password.
I usually find I agree with your posts prof. Informed and balanced, unlike so much of the knee jerk or just jerk reactions I frequently see. When I spot your icon while scrolling, I always stop to read your informed opinion. Sage!
Most people using the app would have put their system password in.
I don’t think there was any wrongdoing… however, I have not reviewed his code.
That is true. I agree.
But you know, even though he is caught, and his app just got kicked out of Apple Store, he still is getting the attention.
Though I am not very sure whether the attention is really going to help him or not – unless he has other apps – for which then I would suggest that the “Big Brother Camera Security” app became a loss leader for.
If you really watch Apple news closely, you will actually know that Apple themselves watch your every move. While this app only got your passcode, Apple knows your contact #, your location (precise) and almost everything you do.
That is exactly why they were sued in December. And the investigation was carried out by WSJ (Wall Street Journal). Read: http://ow.ly/5iFJQ if you are interested.
To which Steve Jobs, just as a CEO would, denied: http://www.cultofmac.com/steve…
If you actually watch the news closely you would know that in fact that is all false. Apple is not watching your every move and never has.
It doesn’t matter if they had published the list or not. I think it was a pointless exercise. There will always be pins that are the ten most common, regardless of what they are. If everyone who used those pins saw that list and changed their codes, all that would happen is the top ten list would be different than it used to be. Now because this company published the list, those pins are more vulnerable (to an extent). If they hadn’t mined the data and published it, those pins probably would have been fine. That said, anyone who picks 0000 as their pin either doesn’t care if someone else accesses their information, or is entirely stupid.