Some of the most popular apps written for Google’s Android phones do not tell users what is done with data they gather, according to a new study. The research, conducted by a team of computer scientists from Intel Labs, Penn State, and Duke University chose 30 out of the 358 most popular Android apps that, when installed, ask for permission to get at location, camera and audio data.
Half of 30 applications studied share location information and unique identifiers with advertisers.
Information about the data gathering was collected using software developed by the team. App creators should provide more information what will be done with harvested data, they say.
05/10/2010
Using an extension to the Android operating system called TaintDroid, created by the team, they logged what the applications did.
This revealed that 15 of the apps sent location information to advertisers but did not inform users that data was being shared with those firms. Some apps gathered and dispatched location information even when an application was not running and some sent updates every 30 seconds.
One application gathered data and sent it as soon as it was installed but before it was run for the first time.
TaintDroid also found that seven of the apps shared unique identifiers, known as IMEI numbers, when sending data. Others despatched phone numbers or SIM card serial numbers.
The researchers said that while many Android apps ask for permission to gather information they did not do enough to inform users what was going to be done with that data or who it would be shared with.
They criticised the fact that users must “blindly trust” applications to play fair with data that they gather.
“Android’s coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” wrote the researchers in a paper about their work.
In a statement, Android creator Google said users necessarily entrusted all computing devices with some of their information.
“Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer,” it said. “We also provide developers with best practices about how to handle user data.”
It added that when apps are installed they show a screen detailing what information that program will access and users must give permission for installation to go ahead. Google said warnings were also given when apps are updated.
“We consistently advise users to only install apps they trust,” it said.
The research and the TaintDroid program are due to be presented at the Usenix symposium on Operating Systems Design and Implementation (OSDI 10).
To read the full report, click here (PDF File):
http://appanalysis.org/tdroid10.pdf