Study: select Android apps sharing data without user notification
byDarren Murph||September 30th 2010 at 4:06pmSeptember 30th 2010 4:06 pm
Come one, come all -- let's gather and act shocked, shall we? It's no secret that Google's Android Market is far easier to penetrate than Apple's App Store, which is most definitely a double-edged sword. On one hand, you aren't stuck waiting a lifetime for Apple to approve a perfectly sound app; on the other, you may end up accidentally downloading some Nazi themes that scar you for life. A curious team of scientists from Intel Labs, Penn State and Duke University recently utilized a so-called TaintDroid extension in order to log and monitor the actions of 30 Android apps -- 30 that were picked from the 358 most popular. Their findings? That half of their sample (15, if you're rusty in the math department) shared location information and / or other unique identifiers (IMEI numbers, phone numbers, SIM numbers, etc.) with advertisers. Making matters worse, those 15 didn't actually inform end-users that data was being shared, and some of 'em beamed out information while applications were dormant. Unfortunately for us all, the researchers didn't bother to rat out the 15 evil apps mentioned here, so good luck resting easy knowing that your library of popular apps could be spying on you right now.
Update: A Google spokesperson pinged up with an official response to the study, and you can peek it after the break.
Update 2: Looks as if the full study (PDF) has been outed, with the 30 total apps named. Here they are: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC - Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote. Thanks, Jordan!
Update 4: And here comes The Weather Channel's comment: "Regarding our Android app – Our customers and their privacy are very important to us. In our Android application, TWC does not share any of your personally identifiable information with advertisers or third parties. TWC does track location – which users consent to at install – for the purpose of providing you the most relevant and accurate weather conditions based on your location."
Update 5: And there's more, this time from Barcode Scanner: "Barcode Scanner has never collected or sent personal information. There is no "third party" server to receive such info any way. Barcode Scanner has never requested location information, or phone or user ID ("phone state" permission in the TaintDroid paper). It didn't help that the paper originally reported that the app had these permissions -- it has been fixed since. The app can't send information it can't collect in the first place. The application has always been open source; anyone can inspect exactly what it does (http://code.google.com/p/zxing). We have a complete statement on app permissions (http://code.google.com/p/zxing/wiki/FrequentlyAskedQuestions). Finally, the authors of the paper have in fact confirmed Barcode Scanner was not one of the "guilty" apps: http://appanalysis.org/letter_oct-01-10.html"
Update 6: The hits just keep on coming. Today, the developers of Astrid have both addressed privacy concerns and added a detailed EULA to the newest build. They've also added the ability for users to opt-out of analytics through the settings menu
"On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices
about how to handle user data.
When installing an application from Android Market, users see a screen that explains clearly what information the application has permission to access, such as a user's location or contacts. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. Any third party code included in an application is bound by these same permissions. We consistently advise users to only install apps they trust."
On background, note that this trust relationship between the user and the software maker exists regardless of the platform - even in desktop software and more controlled application environments. It is not specific to Android. As an industry, we've never been able to 100% guarantee what a software maker (on any platform) will do with data to which they are entrusted. Importantly, by limiting resource access at a technical level to those that the user explicitly approves, Android has taken an important step forward compared to what we have with traditional software (which could generally access all computing resources at will, without the user knowing) or even other mobile operating systems. None of the applications studied in this research operated outside of the Android Permissions model, so in each case, a user would have already granted the application access to the resources listed (e.g. location, device ID, etc)."