UPDATE (03/15/13): Big Brother Camera Security Returns To The App Store
UPDATE (06/15/11 10:25am): Call from Apple.

Got a call from Apple last night regarding the removal of Big Brother from the App Store. Apparently, Apple believed that I was “surreptitiously harvesting user passwords.” I have sent in a new update without the analytics in question, as well as appealing on the grounds that:

- Data in question was specific to my app, and not the iPhone.
- Data in question was anonymous and had no identifying markers.
- Data in question was for the purpose of improving effectiveness of future updates.

If users are choosing 1234 as their passcodes en masse, then my app by extension becomes less effective. This anonymous data helps me improve future versions.

** I should also mention that the person who contacted me from Developer Relations didn’t personally know of any articles regarding my data, nor was he involved in the decision process, so I could not speak directly to those who made the decision. I suspect that my article was heard of by word of mouth and sounded like I was doing what they fear.

UPDATE (06/14/11 5:30pm): Removed from the App Store!

Yesterday I posted an analysis of the Most Common iPhone Passcodes, with passcode data taken from my Big Brother Camera Security app. As of today at 4:58pm EST, Big Brother has been removed from the App Store. I’m certainly not happy about it, but considering the concerns a few people have expressed regarding the transfer of data from app to my server, it is understandable.

I think I should clarify exactly what data I was referring to, and how I was obtaining it. First, these passcodes are those that are input into Big Brother, not the actual iPhone lockscreen passcodes. Second, when the app sends this data to my server, it is literally sending only that number (e.g. “1234”) and nothing else. I have no way of identifying any user or device whatsoever. 

Lastly, and overall, I had believed that said data was covered under section b of the iTunes EULA:

b. Consent to Use of Data: You agree that Application Provider may collect and use technical data and related information, including but not limited to technical information about Your device, system and application software, and peripherals, that is gathered periodically to facilitate the provision of software updates, product support and other services to You (if any) related to the Licensed Application. Application Provider may use this information, as long as it is in a form that does not personally identify You, to improve its products or to provide services or technologies to You.

Namely, that I’d be able to collect this data so long as it was “not personally [identifiable to] You.” Perhaps this was a misunderstanding on Apple’s part, or perhaps I missed a developer agreement where I’m not able to publish certain statistics (?), but I’m hoping to get this worked out and have Big Brother back on the App Store. I’ll gladly remove the code in question if it is what Apple has a problem with. That said, I had planned on having these common passcodes built into a next update, so as to prompt users not to choose obvious passcodes.

Feel free to email me what you guys think and whether or not you agree. (daniel@amitay.us)

Author: Daniel Amitay

UPDATE (06/14/11 5:30pm): Big Brother Removed From App Store

(Researchers/Journalists: Looking for the original dataset? Feel free to ask)

In my last update to Big Brother Camera Security (Free), I added some code to record common user passcodes (completely anonymous, of course). Because Big Brother’s passcode setup screen and lock screen are nearly identical to those of the actual iPhone passcode lock, I figured that the collected information would closely correlate with actual iPhone passcodes.

In essence, this post is an homage to the well known Most Common Passwords on the Internet articles. Different articles pull from different sources, so naturally aren’t the same, but still demonstrate certain trends. Similar trends are evident in the data I present below.

To kick things off, out of 204,508 recorded passcodes, the top ten most common were:

Top ten iPhone passcodes: [1234, 0000, 2580, 1111, 5555, 5683, 0852, 2222, 1212, 1998]

Naturally, 1234 is the most common passcode, mimicking the most common internet passwords. To put this into perspective, these 10 codes account for 15% of all 204,508 passcodes recorded. Most of the top passcodes follow typical formulas: four identical digits (0000, 1111, 5555, 2222), a straight line down or up the keypad (2580, 0852), or a two-digit repeat (1212). 5683 is the passcode with the least obvious pattern, but it turns out to be LOVE spelled on the phone keypad (5-6-8-3), once again mimicking a very common internet password: “iloveyou.”

Interestingly, 1990-2000 are all in the top 50, and 1980-1989 are all in the top 100. I would interpret this occurrence as a subset of users that set their passcodes to the year of their birth or graduation.

To test this, I found the average expected occurrence for numbers matching a specific decade’s format:

As you can see, every passcode between 1930 and 2020 occurs far more often than the uniform average (the row marked ****): at minimum a 50% gain, at maximum a 2570% gain. Given that the data was collected in 2011, this implies a heavy concentration of users aged 11 to 21 (born 1990-2000).

Following are some heat maps and corresponding graphs with the breakdown of digit occurrences by position in the passcode. I recommend clicking on the images to get a better look.

Formulaic passcodes are never a good idea, yet 15% of all recorded passcodes were one of only 10 values (out of a possible 10,000). The implication? A thief (or just a prankster) could try those 10 passcodes on your iPhone without initiating the data wipe; the Erase Data setting that wipes the device after 10 failed attempts is optional and off by default, so on most devices there is no wipe to fear at all. With a 15% hit rate, about 1 in 7 iPhones would easily unlock, and even more if the intruder knows the owner’s year of birth, relationship status, etc.
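As an added example (not code from the original post or from the Big Brother app), the following Python script reproduces the analysis above on a constructed sample and implements the kind of “don’t pick an obvious passcode” check the author planned to build into a later update. The sample counts, the keypad-line set and the 1930-2020 year window are assumptions chosen to mirror the patterns described in the post, not the author’s real dataset.

```python
"""Passcode-frequency analysis and weak-passcode check (added example)."""
import re
from collections import Counter

# Constructed sample standing in for the post's 204,508 recorded passcodes.
# Counts are invented to mirror the patterns described, not real data.
SAMPLE = (
    ["1234"] * 40 + ["0000"] * 25 + ["2580"] * 18 + ["1111"] * 15
    + ["5683"] * 9 + ["1998"] * 8 + ["1990"] * 6 + ["1985"] * 4
    + [f"{i:04d}" for i in range(3, 10000, 41)]  # 244 distinct long-tail codes
)

# The top ten reported in the post, usable directly as a deny-list.
TOP_TEN_FROM_POST = ["1234", "0000", "2580", "1111", "5555",
                     "5683", "0852", "2222", "1212", "1998"]

# Assumption: the phone keypad is laid out 123 / 456 / 789 / 0, so these are
# the straight up/down runs through a column, like the 2580 and 0852 in the post.
KEYPAD_LINES = {"1470", "0741", "2580", "0852", "3690", "0963"}


def top_n(codes, n=10):
    """Most common passcodes with their counts, highest first."""
    return Counter(codes).most_common(n)


def coverage(codes, n=10):
    """Fraction of all recorded passcodes that fall in the top n values.
    The post reports 0.15 for n=10 on the real dataset."""
    counts = Counter(codes)
    return sum(c for _, c in counts.most_common(n)) / len(codes)


def decade_lift(codes, start_year):
    """Relative over-representation of the codes start_year..start_year+9.
    Expected count assumes every one of the 10,000 codes is equally likely:
    0.0 means 'as often as average', 0.5 means a 50% gain, -1.0 means never seen."""
    counts = Counter(codes)
    expected = len(codes) / 10000 * 10
    observed = sum(counts[f"{y:04d}"] for y in range(start_year, start_year + 10))
    return observed / expected - 1


def weak_reasons(code):
    """Return the formulaic patterns a four-digit passcode matches (empty if none).
    This is the check the post proposes so users can be warned off obvious choices."""
    if not re.fullmatch(r"[0-9]{4}", code):
        raise ValueError("passcode must be exactly four digits")
    digits = [int(ch) for ch in code]
    reasons = []
    if len(set(digits)) == 1:
        reasons.append("all digits identical")
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        reasons.append("ascending/descending run")
    if code[:2] == code[2:] and len(set(digits)) > 1:
        reasons.append("two-digit repeat")
    if code in KEYPAD_LINES:
        reasons.append("straight line on the keypad")
    if 1930 <= int(code) <= 2020:  # the year window the post identifies
        reasons.append("looks like a year (1930-2020)")
    if code in TOP_TEN_FROM_POST:
        reasons.append("in the published top ten")
    return reasons


def is_weak(code):
    """True if the passcode matches any of the patterns above."""
    return bool(weak_reasons(code))


if __name__ == "__main__":
    print("top 10:", top_n(SAMPLE))
    print(f"top-10 coverage: {coverage(SAMPLE):.1%}")
    for decade in (1930, 1980, 1990):
        print(f"{decade}s lift: {decade_lift(SAMPLE, decade):+.0%}")
    for code in ("1234", "5683", "1987", "7294"):
        print(code, weak_reasons(code) or "no obvious pattern")
```

Note that 5683 is only caught by the explicit deny-list: it has no structural pattern, which is exactly why a frequency-derived list is needed alongside the rule-based checks.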

Author: Daniel Amitay