Mobile and IoT applications have greatly enriched our daily life by providing
convenient and intelligent services. However, these smart applications have
been a prime target of adversaries for stealing sensitive data. It poses a
crucial threat to users’ identity security, financial security, or even life
security. Research communities and industries have proposed many Information
Flow Control (IFC) techniques for data leakage detection and prevention,
including secure modeling, type system, static analysis, dynamic analysis,
textit{etc}. According to the application’s development life cycle, although
most attacks are conducted during the application’s execution phase, data
leakage vulnerabilities have been introduced since the design phase. With a
focus on lifecycle protection, this survey reviews the recent representative
works adopted in different phases. We propose an information flow based
defensive chain, which provides a new framework to systematically understand
various IFC techniques for data leakage detection and prevention in Mobile and
IoT applications. In line with the phases of the application life cycle, each
reviewed work is comprehensively studied in terms of technique, performance,
and limitation. Research challenges and future directions are also pointed out
by consideration of the integrity of the defensive chain.

