Android Apps Disclose More Than Users Know

Half of applications studied share location information and unique identifiers with advertisers, many without disclosing this to users.

12 Essential Android Apps For SMBs
(click for larger image and for full photo gallery)
Is your Android App quietly phoning home?

In fact, half of studied Android applications share location information and unique identifiers with advertisers or servers, oftentimes without disclosing this to users, according to a study of 30 Android apps conducted by researchers from Duke University, Intel Labs, and Pennsylvania State University. Their research is due to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation in Vancouver, British Columbia.

The researchers made their discoveries after building a software application, TaintDroid, designed to track how different Android applications actually handle data and unique identification information. "Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications," they said.

Note that this wasn't a random sample of applications, but rather the researchers starting with the 50 most popular applications in each of 22 Android Market categories, and culling that list to just the ones which require Internet permission, together with permission to access location, camera, or audio data, which worked out to about a third of all applications. From there, the researcher randomly selected "30 popular applications" across 12 categories, then tested them.

From an advertising standpoint, they found that "half of the studied applications share location data with advertisement servers." Of these, only two offered an end-user licensing agreement, but neither indicated that they were collecting data. Furthermore, "approximately one third of the applications expose the device ID, sometimes with the phone number and the SIM card serial number."

In summary, said the researchers, "Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data."

Responding to the report's findings, a Google spokesperson said: "In all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data."

As those best practices note, "application developers are ultimately responsible for how they handle users' information." In particular, Google recommends they maintain a privacy policy, minimize required permissions, give users a choice about what data gets shared, not collect unnecessary information, and not send any data off of the device.

In short, caveat emptor. "We consistently advise users to only install apps they trust," said the Google spokesperson.