Android, iPhone Apps Pose Privacy Problems

Two recent studies find privacy controls for Android devices and iPhones lacking.

Thomas Claburn, Editor at Large, Enterprise Mobility

October 4, 2010

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Smartphones many not be a smart choice if you want privacy. Two reports published last week indicate that both Android and iPhone apps may reveal more details about users' identities, whereabouts, and online activities that users might wish or expect.

A report titled "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" says that of 30 third-party Android apps studied, two-thirds revealed suspicious handling of sensitive data and half reported users' locations to the servers of third-party advertisers.

The term "TaintDroid" refers to an Android extension developed by the report's authors that monitors information flow on Android devices in real-time. The researchers responsible for the paper, from Duke University, Intel Labs, and Penn State University, are presenting their findings this week at the Usenix OSDI conference.

The information uses documented by the researchers are not necessarily harmful. But they underscore the gap between privacy controls and user expectation. Mostly, the study validates the need for mobile phone security tools like TaintDroid as a means of verifying app integrity.

"Resolving the tension between the fun and utility of running third-party mobile applications and the privacy risks they pose is a critical challenge for smartphone platforms," the paper states. "Mobile-phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but provide little insight into how private information is actually used."

A separate paper entitled "iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs)" indicates that of 57 iPhone apps reviewed, 68% sent the device's UDID back to a remote server upon launch and 18% sent unknown encrypted data back to remote servers.

The paper's author, Eric Smith, assistant director of information security and networking at Bucknell University, says that that in some cases, a UDID can be used to determine a user's identity. He notes rather ruefully that while Intel's Pentium 3’s Processor Serial Number scheme caused outrage when it was announced in 1999, no one seems to be much concerned about the iPhone UDID as a means of potential identification. And he faults Apple for failing to provide a way for iPhone users to delete application cookies -- unaffected by mobile Safari's "Clear Cookies" function -- or to block UDIDs from being transmitted.

The privacy risk posed by a UDID is that such the number can potentially be used to identity the user and track his or her mobile browsing across Web sites and mobile applications.

"Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible -- and technically, quite simple -- for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies," concludes Smith.

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights