TaintDroid

Latest

  • Study: select Android apps sharing data without user notification

    by Darren Murph
    09.30.2010

    Come one, come all -- let's gather and act shocked, shall we? It's no secret that Google's Android Market is far easier to penetrate than Apple's App Store, which is most definitely a double-edged sword. On one hand, you aren't stuck waiting a lifetime for Apple to approve a perfectly sound app; on the other, you may end up accidentally downloading some Nazi themes that scar you for life. A curious team of scientists from Intel Labs, Penn State and Duke University recently utilized a so-called TaintDroid extension in order to log and monitor the actions of 30 Android apps -- 30 that were picked from the 358 most popular. Their findings? That half of their sample (15, if you're rusty in the math department) shared location information and / or other unique identifiers (IMEI numbers, phone numbers, SIM numbers, etc.) with advertisers. Making matters worse, those 15 didn't actually inform end-users that data was being shared, and some of 'em beamed out information while applications were dormant. Unfortunately for us all, the researchers didn't bother to rat out the 15 evil apps mentioned here, so good luck resting easy knowing that your library of popular apps could be spying on you right now.

    Update: A Google spokesperson pinged us with an official response to the study, and you can peek it after the break.

    Update 2: Looks as if the full study (PDF) has been outed, with the 30 total apps named. Here they are: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC - Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote. Thanks, Jordan!

    Update 3: Flixster, the company that makes Movies, has chimed in with this: "At Flixster, we do not and never have sold any personal or identifiable confidential information with anyone. We do use non-identifiable location information (e.g. metro-area) to show more relevant ads, as does almost every mobile app that relies on advertising. Users have to opt-in to sharing their location when they install the app, and how we use information is explained in detail (for those that care) in our privacy policy."

    Update 4: And here comes The Weather Channel's comment: "Regarding our Android app – Our customers and their privacy are very important to us. In our Android application, TWC does not share any of your personally identifiable information with advertisers or third parties. TWC does track location – which users consent to at install – for the purpose of providing you the most relevant and accurate weather conditions based on your location."

    Update 5: And there's more, this time from Barcode Scanner: "Barcode Scanner has never collected or sent personal information. There is no "third party" server to receive such info any way. Barcode Scanner has never requested location information, or phone or user ID ("phone state" permission in the TaintDroid paper). It didn't help that the paper originally reported that the app had these permissions -- it has been fixed since. The app can't send information it can't collect in the first place. The application has always been open source; anyone can inspect exactly what it does (http://code.google.com/p/zxing). We have a complete statement on app permissions (http://code.google.com/p/zxing/wiki/FrequentlyAskedQuestions). Finally, the authors of the paper have in fact confirmed Barcode Scanner was not one of the "guilty" apps: http://appanalysis.org/letter_oct-01-10.html"

    Update 6: The hits just keep on coming. Today, the developers of Astrid have both addressed privacy concerns and added a detailed EULA to the newest build. They've also added the ability for users to opt-out of analytics through the settings menu