Two recent studies find privacy controls for Android devices and iPhones lacking.
Smartphones many not be a smart choice if you want privacy. Two reports published last week indicate that both Android and iPhone apps may reveal more details about users' identities, whereabouts, and online activities that users might wish or expect.
The term "TaintDroid" refers to an Android extension developed by the report's authors that monitors information flow on Android devices in real-time. The researchers responsible for the paper, from Duke University, Intel Labs, and Penn State University, are presenting their findings this week at the Usenix OSDI conference.
The information uses documented by the researchers are not necessarily harmful. But they underscore the gap between privacy controls and user expectation. Mostly, the study validates the need for mobile phone security tools like TaintDroid as a means of verifying app integrity.
"Resolving the tension between the fun and utility of running third-party mobile applications and the privacy risks they pose is a critical challenge for smartphone platforms," the paper states. "Mobile-phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but provide little insight into how private information is actually used."
The paper's author, Eric Smith, assistant director of information security and networking at Bucknell University, says that that in some cases, a UDID can be used to determine a user's identity. He notes rather ruefully that while Intel's Pentium 3’s Processor Serial Number scheme caused outrage when it was announced in 1999, no one seems to be much concerned about the iPhone UDID as a means of potential identification. And he faults Apple for failing to provide a way for iPhone users to delete application cookies -- unaffected by mobile Safari's "Clear Cookies" function -- or to block UDIDs from being transmitted.
The privacy risk posed by a UDID is that such the number can potentially be used to identity the user and track his or her mobile browsing across Web sites and mobile applications.
"Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," concludes Smith.