Android Apps Caught Sending Private Data to Advertisers
A study using an application called "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones," conducted by Intel Labs, Penn State Univesity, and Duke University found that a number of Android apps were sending user data, including location, back to advertisers. In fact, the study found, one-half, or 15 out of 30 of the apps tested, shared some private data.
"TaintDroid" itself is a real-time monitoring service that researchers used to track the flow of "privacy-sensitive data" through third-party Android apps. The full study is here (.PDF). TaintDroid looks for taints, or data from privacy-sensitive sources.
The TaintDroid research found that 15 of the 30 apps send users' "geographic location to remote advertisement servers." Additionally, seven of the 30 applications send a unique hardware hardware identifier and, in some cases, even send the phone number and SIM card information. Researchers said they identified 68 cases of "potentially misused private information" by 20 apps.
In August, Google banned, then later restored a series of wallpaper apps from the Android Market, that were similarly collecting such data. In that case, Google eventually said that the developer was simply overzealous.
Google, in response to the finding, reminded that all Android Market apps indicate which "permissions" they require. They said:
The following applications were used in the study. However, researchers didn't reveal which of them were "culprits" in the study. They were: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisom Quotes Live, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote.
"TaintDroid" itself is a real-time monitoring service that researchers used to track the flow of "privacy-sensitive data" through third-party Android apps. The full study is here (.PDF). TaintDroid looks for taints, or data from privacy-sensitive sources.
The TaintDroid research found that 15 of the 30 apps send users' "geographic location to remote advertisement servers." Additionally, seven of the 30 applications send a unique hardware hardware identifier and, in some cases, even send the phone number and SIM card information. Researchers said they identified 68 cases of "potentially misused private information" by 20 apps.
In August, Google banned, then later restored a series of wallpaper apps from the Android Market, that were similarly collecting such data. In that case, Google eventually said that the developer was simply overzealous.
Google, in response to the finding, reminded that all Android Market apps indicate which "permissions" they require. They said:
When users install an Android Market app, the spokesperson said, "users see a screen that explains clearly what information the application has permission to access, such as a user's location or contacts. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. Any third party code included in an application is bound by these same permissions. We consistently advise users to only install apps they trust."True, but just as with the end-user license agreements (EULAs) attached to software, how many people really read that?
The following applications were used in the study. However, researchers didn't reveal which of them were "culprits" in the study. They were: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisom Quotes Live, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote.
