Why the study showing that jailbreak apps leak less private data than App Store apps is flawed

Following the Path debacle which led the world to realize that many apps indeed upload some of your private data to their servers, much ink has been spilled about the subject. To the point that Congress sent Apple a letter to express their concern, but also to ask for more details about the situation. Apple later commented on the matter saying that apps will now need explicit user permission to access contacts.

In the meantime, a year-old study by a group of researchers at the University of California at Santa Barbara showing that jailbreak apps leak less data than App Store apps was uncovered. For a site like us, and for many jailbreakers alike, this study was a blessing as we could once again claim that jailbreaking can actually make your device more secure.

The problem is that this study is flawed and proves nothing…

Using a tool they developed (PiOS), the researchers analysed 825 free applications available in the App Store, and 582 jailbreak apps available on the BigBoss repo.

Their findings?

Our results demonstrate that a majority of applications leak the device ID. However, with a few notable exceptions, applications do respect personal identifiable information. This is even true for applications that are not vetted by Apple.

One might think that numbers speak for themselves. Although marginal, Cydia apps indeed leak less private data than App Store apps. But the major flaw in this study is that most Cydia apps actually aren’t apps. They are tweaks, mods, add-ons, or plugins. Call them whatever you want, but 99% of jailbreak packages available in Cydia on the BigBoss repo aren’t applications per say.

A quick or thorough look at packages available on the BigBoss repo show that a vast majority of them are tweaks, meaning that they don’t come as a standalone application, but they just improve on bits and pieces of the operating system (ie. Mail Enhancer, AnyAttach, BadgeClear, etc…). Furthermore, many packages from the BigBoss repo aren’t anything more than ringtones, soundboards, and SMS alert tones.

This being said, very few of these tweaks actually need to get access to any of your private data to work. They offer completely different functionalities that don’t rely on any data. They just build on top of what’s already there. And because they don’t get access to your data, well, that makes it much harder for them to leak that data.

As a jailbreak advocate, I’d love to be able to claim that this study by UCSB researcher proves that Cydia apps are actually safer than App Store apps, but it’s just not the case. The nature of packages available on Cydia, and more specifically on the BigBoss repo, is a major flaw to the study, rendering it erroneous and irrelevant.