15 JUN

iOS Developer Collects and Reveals Most Common Passcodes, Apple Pulls App from App Store

by Marianne Schultz
 

The Next Web reported earlier this week on an interesting experiment by developer Daniel Amitay, who anonymously collected user passcodes through his app Big Brother Camera Security. Amitay posted the results of this anonymous data gathering on his blog, and the internet was aflame yesterday with the information, along with dire warnings about choosing a secure passcode for your iOS device.

From the data he collected, 1234 was revealed as the most common passcode used, followed by 0000. Note that these were not the passcodes used to access the iPhones and iPod touches sampled but simply those used to access his Big Brother Camera Security app. However, it’s likely that many of these users also use the same passcode to unlock their iPhones or iPod touches.

A chart of the most common passcodes published by Amitay:

Amitay stated today that Apple removed Big Brother Camera Security from the App Store over concerns that he was collecting this information:

Got a call from Apple last night regarding the removal of Big Brother from the App Store. Apparently, Apple believed that I was “surreptitiously harvesting user passwords.”

Amitay has since removed this data-collecting code from the app and re-submitted it to Apple for approval, though he stands firm that his app did not violate any of Apple’s guidelines, since the passcode data collected came from his app alone and did not include any information to identify users.

On the surface, Amitay’s actions are a little alarming in that it’s abundantly clear developers can easily collect data on how you use their apps (not that we didn’t already know this, but this situation is a blatant reminder). I do believe that sharing information like this can help iOS device users be more mindful of the passcodes they use and could cause some to choose more secure ones. However, if Amitay did not disclose up front to users of Big Brother Camera Security that this data would be collected, his actions feel underhanded despite the lack of any malicious intent.

9 Comments

  1. Donna

    DUH!!!! We all know it but there is little WE can do about it, the companies, and government HAVE to enforce it.

  2. Donna

    And EVERY site or app wants you to register with your name and a password, is it a surprise that anyone might use one more than once? And those KEEP ALL YOUR PASSWORDS SAVE programs are in NO WAY getting my passwords think about that one!
    THEN while I’m even SIGNED into the app store they keep asking me for my password. WHY?

  3. rekzkarz

    Would’ve been way cooler if that app claimed to store your pics/videos and then posted them online somewhere for all to see.

    While Apple enforces lots of limitations on developers, there’s still lots of room for dev’s to stick in various Easter Eggs like this — or worse. So ‘user beware’.

    That said, some apps have encryption protocols & things which are built to protect users. While they may not work, or have other flaws, generally there’s an ‘assumption’ that these apps don’t have harsh backdoors built to screw the user.

    Stephenson described the security dilemma of today well when he said (paraphrasing from Stephenson’s “Snow Crash” book): it’s not that the user’s data is safe, in fact it’s completely unsafe. But there’s so much data sitting out there that targeting one particular person is much harder than finding a needle in a haystack.

  4. Robin

    Most of those make sense, but I can’t figure out the 5683 one.

  5. Steve

    This app never asked for the security code you use on your device. Everyone is simply assuming that the code you use for this app would be the same as the one you use for your device’s passcode.
    1) That cannot be against Apple terms. Many apps do this. Apple’s issue must be with collecting the data, but again it’s just the app developer capturing user data from his own app. Can’t see that as an issue either.
    2) Again, many apps use their own passcode. 1password for example does. And it isn’t always correct to assume they are the same. I don’t use the same code for 1password as I do for my device passcode. Just like you shouldn’t use the same password for every website. Common sense.

  6. Chris

    @ Robin: 5683 spells out LOVE, if you use an alphanumeric keypad. With that in mind, if you choose a PIN number based on a word association, you’ll be less likely to forget your PIN number. But, maybe it’s best to avoid LOVE and go with something EASY to remember, like 2379. :D
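
An added example, not part of the article or of any comment above: a passcode-setup check that rejects the kinds of 4-digit codes the article reports as most common (1234, 0000) and keypad words such as 5683. It generalizes those three cases to any repeated digit, any ascending or descending run, and any word in a list; the word list and function names are assumptions made for this illustration.

```python
# Added example: flag weak 4-digit passcodes at enrollment time.
# Standard phone keypad letter groups (2=ABC ... 9=WXYZ).
KEYPAD = {"abc": "2", "def": "3", "ghi": "4", "jkl": "5",
          "mno": "6", "pqrs": "7", "tuv": "8", "wxyz": "9"}
LETTER_TO_DIGIT = {ch: d for letters, d in KEYPAD.items() for ch in letters}

# Constructed sample word list (assumption); a real check would load a
# larger dictionary of four-letter words.
SAMPLE_WORDS = ["love", "home", "baby", "king"]


def word_to_pin(word):
    """Translate a word into the digits it spells on a phone keypad."""
    return "".join(LETTER_TO_DIGIT[ch] for ch in word.lower())


def weak_pin_reasons(pin, words=SAMPLE_WORDS):
    """Return the reasons a 4-digit passcode is weak; [] if no rule matched."""
    if len(pin) != 4 or not (pin.isascii() and pin.isdigit()):
        raise ValueError("expected a 4-digit passcode")
    reasons = []

    # 0000, 1111, ...: a single digit repeated.
    if len(set(pin)) == 1:
        reasons.append("repeated digit")

    # 1234, 4321, 7890, ...: every step is +1 or -1 (mod 10).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps == {1} or steps == {9}:
        reasons.append("sequential digits")

    # 5683 (LOVE), ...: the digits spell a listed word on the keypad.
    for word in words:
        if len(word) == 4 and word_to_pin(word) == pin:
            reasons.append("keypad word " + word.upper())

    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "0000", "5683", "7294"]:
        print(candidate, weak_pin_reasons(candidate) or "no rule matched")
```

An empty result only means none of these three rules matched; it is not a measure of how strong the passcode is.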
