A new look into how Android apps handle the data they access on smartphones may make you stop and think before downloading the latest, greatest app. In a random study of popular Android apps, researchers found two-thirds of the apps were using owners’ data in ambiguous ways, including 50 percent that were sending owners’ data to third-party advertisers without requiring user consent. Have Android apps taken the system’s highly-touted open source status too far?
Researchers from Intel Labs, Duke University and Pennsylvania State University discovered the security breaches using TaintDroid, a proof-of-concept tool they created that analyzes in real-time what potentially sensitive information is collected.
For their study, the team randomly chose 30 out of 358 popular apps from the Android Market. Their research found “68 instances of potential misuse of users’ private information across 20 applications.” More specifically, they found 15 apps sent location information to advertisers without user consent, 9 apps transmitted a user’s International Mobile Equipment Identity number, and 2 apps transmitted a user’s phone number and ICC ID – both of which are, of course, unique identifiers.
Among the apps included in the study were user favorites such as The Weather Channel, Blackjack, Hearts, BBC News, MySpace, Yellow Pages, Coupons, Trapster, Solitaire, Movies and Ringtones.
The findings reignite the debate over Android’s security controls, mainly that users lack control over where or how their information is shared. In the current system, users must give their consent to share information. Critics point out, however, that once that approval is granted during the app installation process, the user is not given any further details about when or by whom their information will be used.
So how can you stay safe from the prying eyes of your favorite apps? Android users should confirm their permissions by checking the Android Market under menu and security, while iPhone users should regularly check and update which of their apps are using location information. All smartphone users should practice general, common-sense safety as well, including verifying the authenticity of developers’ websites and reading their app updates.
And don’t log on to the TaintDroid site just yet in hopes of downloading that app. It is still just a monitoring tool that would require modifications on your device’s firmware to work. But its creators have said they plan to turn the program into an open source project so something could be on the market in the future. In the meantime, you can view a video demo of TaintDroid here.