Anyone who installs an iPhone app entrusts the developer with some user data – consciously or unconsciously. The fact that some providers use these to make money from profiling for marketing purposes is an infamous but well-known detail. A study by security analyst Covertlabs also reveals that some app developers are completely inadequate in securing the personal information they collect: in almost 200 apps, they were able to extract user-related data from cloud storage and online databases – including names, email addresses and cell phone numbers. To draw attention to this, they set up a website that is similar to Apple’s App Store. But instead of the most popular apps, the rankings collect the worst data slingers. The portal lists a total of 191 apps, 189 of which store their data in inadequately secured data storage. The top 10 includes LLM-based image and song creators, a dating app, a coloring book and AI chat apps, for example for life advice or as a partner simulation. There is also a Korean learning app. It is aimed at school students – the underused database reveals 9.3 million user accounts.
Email address, cell phone number, prompts
How serious the individual data leaks are varies: An app for image enhancement (for better selfies) stores, among other things, the email addresses and cell phone numbers of its almost 1 million users in a database to which the security company CovertLabs gained access using simple means. Other apps save the user input (prompts) with which they want to generate images, songs and texts. The results are sometimes as embarrassing as chat transcripts from AI-supported partner simulations – fortunately, CovertLabs limits the exhibits to a few innocuous entries and has removed anything that is too personal.
Breach of trust or already illegal?
Creating and storing intimate details in inadequately protected cloud storage and databases is unlikely to turn out to be more than a trivial offense. In many countries, including the EU, service providers are obliged to particularly protect personal details and to promptly inform all users of unauthorized access. The examples in this collection raise the question in advance of whether the providers of the apps presented are even able to detect illegitimate data access. Many of the apps can currently still be found in the iOS App Store.
