Android Apps Disclose More Than Users Know
Half of applications studied share location information and unique identifiers with advertisers, many without disclosing this to users.
12 Essential Android Apps For SMBs
|(click for larger image and for full photo gallery)|
In fact, half of studied Android applications share location information and unique identifiers with advertisers or servers, oftentimes without disclosing this to users, according to a study of 30 Android apps conducted by researchers from Duke University, Intel Labs, and Pennsylvania State University. Their research is due to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation in Vancouver, British Columbia.
More Hardware Insights
- Data Discovery, Visualization and Apache Hadoop
- BYOD and Windows 7 Migration are the Questions. Is Desktop as a Service the Answer?
- The Tactical Realities of Building a Virtual Desktop Infrastructure
- Data center consolidation restructures your IT costs for continued growth: New discovery tools determine logical and physical move dependencies to help limit risk
The researchers made their discoveries after building a software application, TaintDroid, designed to track how different Android applications actually handle data and unique identification information. "Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications," they said.
Note that this wasn't a random sample of applications, but rather the researchers starting with the 50 most popular applications in each of 22 Android Market categories, and culling that list to just the ones which require Internet permission, together with permission to access location, camera, or audio data, which worked out to about a third of all applications. From there, the researcher randomly selected "30 popular applications" across 12 categories, then tested them.
From an advertising standpoint, they found that "half of the studied applications share location data with advertisement servers." Of these, only two offered an end-user licensing agreement, but neither indicated that they were collecting data. Furthermore, "approximately one third of the applications expose the device ID, sometimes with the phone number and the SIM card serial number."
In summary, said the researchers, "Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data."
Responding to the report's findings, a Google spokesperson said: "In all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data."
In short, caveat emptor. "We consistently advise users to only install apps they trust," said the Google spokesperson.
Continuous data protection used to be a pipe dream for most outside the financial world because of sky-high cost and complexity. That's changing, creating new options for businesses that require different thinking about disaster recovery. Download our report here (registration required).