It only effects Jailbreaked iPhones with have not changed the default root password of “alpine”.

The Virus software is installed on a PC or MAC and then scans for connected iPhones via WiFi. It does not install anything on the iPhone, but it is able to remotely access the users data.

Change iPhones root password to secure the device:
http://cydia.saurik.com/password.html

Further Readng:
http://www.ihackintosh.com/2009/11/iphoneprivacy-a-first-malicious-iphone-malware-detected/

PinchMedia has responded to the spyware accusation:
http://www.pinchmedia.com/blog/pinch-media-user-privacy-and-spyware/
http://www.pinchmedia.com/blog/improved-opt-out-methods-for-pinch-analytics/

Related post by an iPhone user:
http://www.sfgate.com/cgi-bin/blogs/ybenjamin/detail?entry_id=46054

A developer has created an iPhone opt-out APP for Pinchmedia, Mobclix, Flurry, Medialets:
http://cydia.saurik.com/package/com.saurik.privacy

AS developers are using GA gadgetTracking to monitor usable of their APP, I suspect an APP that blocks GA tracking on iPhones could follow!
http://code.google.com/apis/analytics/docs/tracking/gadgetTracking.html#trackingYourGadget

Cheers

Phil.

I agree Developers understand cookies; they know their uses & implications.

However they are not experts in privacy, data storage & protection, this is especially true for small scale applications designed for iPhones.

I presume that a developer wants to know: “How many times has my application being installed, how often is it used & what elements are most popular?” or “how can I resell other iPhone APPs to these users?”

I suspect the storage of IP`s, IMEI, cell phone number could be accidental; as the developer sets the APP to “POST-all” available information. However, personal information can only be stored for the purpose for which it was intended to be used, and it should not be used for different purpose (e.g if a customer buys a mobile APP, then later gets an SMS message with an offer for a new mobile phone contract, this could be seen as data miss-use).

If the developer stores email address or cell phone number, that allow users to be contacted in the real world, then the developer needs to allow for user access requests & needs to be registered with ICO (or equivalent) failure to register could result in a warning & then a £1,000 fine.

Do you think developers are aware of the fine for privacy non-compliance? I would guess, the answer would be no, most developers have not even heard of P3P, let alone privacy laws.

Personally, I think that widget tracking on iPhones (or via tools such as addthis.com on websites) presents more of a problem that 1st, 3rd party or Flash cookies, as they are silently tracking and not being “open” about purpose or data usage.

As you have suggessed above increase transparency is the key, it helps build user trust & long term encourages users to download more APPs without fear the APPs are “doing anything nasty” behind the scenes.

Hope that is useful.

Phil.

On a comical note, did you see the recent Google Opt-Out Village parody video?
http://mashable.com/2009/08/11/google-opt-out-village/

ICO in UK get increase powers to fine from April 2010
http://www.out-law.com/default.aspx?page=10188

ICO registration for £35
http://www.dotmailer.co.uk/resource_centre/email_marketing_and_the_law/dpa_data_controller.aspx

BTW: the GoogleToolbar has an interesting new feature, if you opt-out of “internet based advertising targeting” which updates the doubleclick cookie, so that if you clear cookies. The toolbar automatically re-drops cookie with the opt-out saved, effectively creating an undeletable cookie.

At present I see very little debate about mobile apps and certainly there is a lack of transparency.

Phil: Thanks for detailed response and links. I would disagree that developers are unaware of privacy – they are end-users like everyone else. Studies have shown, that the more tech savvy a web user is, the more likely they block/delete their cookies i.e more aware of the privacy implications.

In my view there is no problem in tracking individuals per se, but this should be an opt-in process, as per Google toolbar and any other Google service i.e. transparent. Educating the end-user and allowing them to opt-in, is a very different approach to tracking individuals by default, then allowing them to opt-out should they figure out the implications…

My take on web analytics privacy:
Personally I would like to see 3rd-party cookies deprecated by browsers so the debate becomes simplified and everyone knows where they stand. If a world of only 1st-party cookies existed, the privacy issue of using them, all but disappears.

However, Shared Objects (i.e. Flash cookies) are flying completely under the radar as the browser does not control them. In my view that’s a no-no. The end-user should have complete control of their privacy settings in one place.

If these mobile app do store personal data, then the user should be given the option to “opt-out” of tracking at the point of install and be able to change this setting within the apps settings.

This is simular to the Google Toolbar user tracking opt out on web browsers.

Thanks

Phil.

On a related note: Phorm the behavioural targeting company which processed raw server logs on an ISP`s network router and used this data to server banner adverts, was force to offer an “opt-out” of tracking service, due to public pressure.
http://www.theregister.co.uk/2008/04/09/ico_phorm_tougher/