Apple is taking baby steps toward giving users that kind of control. In iOS 5 they could prevent individual apps from accessing their location, and in iOS 6 they will have another option as Apple seeks to wean developers off using the UDID to identify users and target advertising.
Instead, Apple wants developers to use the Advertising Identifier it introduced in iOS 6. This is not permanently associated with a phone or person, and users who don't want to be tracked can change it whenever they wish -- as long as they think to look in Settings/General/About/Advertising rather than the more obvious Settings/Privacy.
That option wasn't available to the participants in the CNIL-INRIA study, though, which for technical reasons was conducted using iOS 5. The next phase of research will use iOS 6, now that INRIA has updated its monitoring app to use the new version.
To monitor how the apps accessed private information, INRIA had to jailbreak the iPhones and install a special app to intercept the Apple APIs through which apps request access to private information, said INRIA researcher Vincent Roca. The researchers chose to work on iPhones because they already had experience developing for iOS. They are now developing an app with similar capabilities for Android phones, which they have to root in order to install it.
INRIA's monitoring app recorded each intercepted request in a database on the phone, along with the private information requested, so that it could identify it in outbound network traffic. The iOS 5 app could only monitor unencrypted network traffic, but the version for iOS 6 can now hook the network APIs before the traffic is encrypted, Roca said.
The app also forwarded intercepted requests to a central server for the study -- without the related private information, as even experimental subjects are entitled to their privacy, the researchers emphasized.
INRIA and CNIL are only just beginning to analyze the data they collected from the six iPhones: There's 9 gigabytes of it, covering 7 million privacy events over the three-month period.
One thing the study has already revealed is that some access to private data is accidental. An app to identify the closest Paris swimming pool (the city has 38 within a radius of about 5 kilometers) accessed location information far more than necessary to perform its function, apparently due to a programming error, CNIL's Petitcolas said.
Sign up for CIO Asia eNewsletters.