In fact, half of studied Android applications share location information and unique identifiers with advertisers or servers, oftentimes without disclosing this to users, according to a study of 30 Android apps conducted by researchers from Duke University, Intel Labs, and Pennsylvania State University. Their research is due to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation in Vancouver, British Columbia.
The researchers made their discoveries after building a software application, TaintDroid, designed to track how different Android applications actually handle data and unique identification information. "Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications," they said.
Note that this wasn't a random sample of applications, but rather the researchers starting with the 50 most popular applications in each of 22 Android Market categories, and culling that list to just the ones which require Internet permission, together with permission to access location, camera, or audio data, which worked out to about a third of all applications. From there, the researcher randomly selected "30 popular applications" across 12 categories, then tested them.
From an advertising standpoint, they found that "half of the studied applications share location data with advertisement servers." Of these, only two offered an end-user licensing agreement, but neither indicated that they were collecting data. Furthermore, "approximately one third of the applications expose the device ID, sometimes with the phone number and the SIM card serial number."
In summary, said the researchers, "Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data."
Responding to the report's findings, a Google spokesperson said: "In all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data."
In short, caveat emptor. "We consistently advise users to only install apps they trust," said the Google spokesperson.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.