In fact, half of studied Android applications share location information and unique identifiers with advertisers or servers, oftentimes without disclosing this to users, according to a study of 30 Android apps conducted by researchers from Duke University, Intel Labs, and Pennsylvania State University. Their research is due to be presented at next week's 9th USENIX Symposium on Operating Systems Design and Implementation in Vancouver, British Columbia.
The researchers made their discoveries after building a software application, TaintDroid, designed to track how different Android applications actually handle data and unique identification information. "Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of potential misuse of users' private information across 20 applications," they said.
Note that this wasn't a random sample of applications, but rather the researchers starting with the 50 most popular applications in each of 22 Android Market categories, and culling that list to just the ones which require Internet permission, together with permission to access location, camera, or audio data, which worked out to about a third of all applications. From there, the researcher randomly selected "30 popular applications" across 12 categories, then tested them.
From an advertising standpoint, they found that "half of the studied applications share location data with advertisement servers." Of these, only two offered an end-user licensing agreement, but neither indicated that they were collecting data. Furthermore, "approximately one third of the applications expose the device ID, sometimes with the phone number and the SIM card serial number."
In summary, said the researchers, "Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data."
Responding to the report's findings, a Google spokesperson said: "In all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data."
In short, caveat emptor. "We consistently advise users to only install apps they trust," said the Google spokesperson.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.