Feeds

2 out of 3 Android apps use private data 'suspiciously'

Google protections 'insufficient'

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Google's Android operating system doesn't provide controls to adequately protect users' sensitive data, according to a study that found two-thirds of applications monitored used phone numbers, geolocation, and other information “suspiciously.”

The study – by computer scientists at Pennsylvania State University, Duke University, and Intel Labs – randomly selected 30 of the most popular apps from Google's Android Market that access personal information and closely tracked how much of it they transmitted. Fifteen of the apps reported users' locations to remote advertising servers and seven applications broadcast the handset's device number or phone number to outside servers.

In almost all the cases, the information was collected without informing users about what was happening. In some cases, information was reported as frequently as every 30 seconds.

The study may be the best evidence yet that Android users have little way of knowing what happens to the wealth of information stored on their phones when they install any one of the 70,000 or so apps available in the Google-sanctioned Market. The search giant is quick to say that before Android apps can be installed, users see a screen informing them what personal information can be accessed by the software. But as the researchers point out, knowing what an app is capable of is different than what knowing what it actually does.

“This finding demonstrates that Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” they wrote in a paper to be presented at next month's Usenix Symposium on Operating Systems Design and Implementation in Vancouver. “For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity.

A Google spokesman said users should install only applications they trust and said suspicious apps can be uninstalled at any time. But his statement didn't address how users can make informed decisions about which apps are trustworthy and which are not.

And to be fair, there's no way of knowing what liberties apps on competing platforms take with users' personal information. The researchers were able to monitor Android apps only because the operating system is open source. That allowed them to develop TaintDroid, software that labels, or taints, data from privacy-sensitive sources so it can be monitored in real time. There are no guarantees apps for Apple's iPhone or Research in Motion's Blackberry would fare any better if subjected to the same scrutiny.

A PDF of the paper is available here and a list of frequently asked questions is here. The apps monitored by TaintDroid were randomly chosen from a list of 358 from the Android Market that have access to both the internet and privacy-sensitive sources such such as location, camera, and phone.

The researchers declined to identify any of the 20 applications that sent user data, and so far TaintDroid isn't available to the public. That means you'll have to continue putting your blind trust in Android developers for the time being. ®

New hybrid storage solutions

More from The Register

next story
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.