Popular Android Apps May Abuse Privacy Access Settings

By September 30, 2010
Cup of green ice

A large proportion of Android applications have been found to access device data more fully than expected. The mobile operating system has become very popular in recent months, with dozens of handsets hitting various carriers this year. However, with recent news, the drawbacks of its open source coding and liberal app market are now becoming clear.

Previously, a publicized wallpaper app was found to be sending user contact info to a database in China. According to Phandroid, “Jackeey Wallpaper” was flagged by telecoms security company Lookout in July 2010 as software that collected device phone number, subscriber identifier and voicemail number fields for non-malevolent tracking purposes. At least 1.1 million users downloaded Jackeey Wallpaper before Google killed it, but Computerworld quoted the search and software company that the apps were not security threats.

The most recent development in this area comes from researchers at Duke, Penn State and Intel Labs. The study showed that many popular apps transmit private user data including GPS coordinates to advertising networks without user knowledge. As Ars Technica explains, software called TaintDroid was used “to detect and report when applications are sending potentially sensitive information to remote servers.”

Of the thirty popular free apps selected at random from the Android Market, half were found to send private information to ad servers. Some examples of sent data were user location via GPS, relaying as often as every thirty seconds, even when not displaying ads.

When a user downloads from the Market, a list of what the app has access to is presented. This can include SD card contents, Internet access, etc. The trouble with this disclosure, is that many users do not bother to read it and just hit the “OK” button. If a more conscientious user reads the list, and sees that a game, for example, accesses GPS coordinates, it might be innocently using them for a multiplayer mode. These settings are not specific enough to make this type of information transparent without alienating casual users from the Market altogether.

Legal mentions © L’Atelier BNP Paribas