Google Android Apps Found to be Sharing Data
September 30, 2010
Some of the most popular apps written for Google’s Android phones do not tell users what data they are gathering, says a study by US researchers.
Half of 30 applications studied share location information and unique identifiers with advertisers.
Information about the data gathering was collected using software developed by the team.
App creators should provide more information what will be done with harvested data, they say.
The team of computer scientists from Intel Labs, Penn State, and Duke University chose 30 out of the 358 most popular Android apps that, when installed, ask for permission to get at location, camera and audio data.
Using an extension to the Android operating system called TaintDroid, created by the team, they logged what the applications did.
This revealed that 15 of the apps sent location information to advertisers but did not inform users that data was being shared. Some apps gathered and despatched location information even when an application was not running and some sent updates every 30 seconds.
One application gathered data and sent it as soon as it was installed but before it was run for the first time.
TaintDroid also found that seven of the apps shared unique identifiers, known as IMEI numbers, when sending data. Others despatched phone numbers or SIM card serial numbers.
The researchers said that while many Android apps ask for permission to gather information they did not do enough to inform users what was going to be done with that data or who it would be shared with.
They criticised the fact that users must “blindly trust” applications to play fair with data that they gather.
“Android’s coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” wrote the researchers in a paper about their work.
Mobile security analyst Nigel Stanley from Bloor Research said the loose permission system could prove a boon for hi-tech thieves.
“The blanket permissions a user gives on installing an app can give carte blanche to malware and spyware providers to collect as much private data as they want, under the protective nicety of a simplistic warning from the operating system,” he said.
In a statement, Android creator Google said users necessarily entrusted all computing devices with some of their information.
“Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer,” it said. “We also provide developers with best practices about how to handle user data.”
It added that when apps are installed they show a screen detailing what information that program will access and users must give permission for installation to go ahead.
“We consistently advise users to only install apps they trust,” it said.
The research and the TaintDroid program are due to be presented at the Usenix symposium on Operating Systems Design and Implementation (OSDI 10).