Mobile and IoT applications have greatly enriched our daily life by providing convenient and intelligent services. However, these smart applications have been a prime target of adversaries for stealing sensitive data. It poses a crucial threat to users identity security, financial security, or even life security. Research communities and industries have proposed many Information Flow Control (IFC) techniques for data leakage detection and prevention, including secure modeling, type system, static analysis, dynamic analysis, textit{etc}. According to the applications development life cycle, although most attacks are conducted during the applications execution phase, data leakage vulnerabilities have been introduced since the design phase. With a focus on lifecycle protection, this survey reviews the recent representative works adopted in different phases. We propose an information flow based defensive chain, which provides a new framework to systematically understand various IFC techniques for data leakage detection and prevention in Mobile and IoT applications. In line with the phases of the application life cycle, each reviewed work is comprehensively studied in terms of technique, performance, and limitation. Research challenges and future directions are also pointed out by consideration of the integrity of the defensive chain.