Feeds

2 out of 3 Android apps use private data 'suspiciously'

Google protections 'insufficient'

  • alert
  • submit to reddit

Choosing a cloud hosting partner with confidence

Google's Android operating system doesn't provide controls to adequately protect users' sensitive data, according to a study that found two-thirds of applications monitored used phone numbers, geolocation, and other information “suspiciously.”

The study – by computer scientists at Pennsylvania State University, Duke University, and Intel Labs – randomly selected 30 of the most popular apps from Google's Android Market that access personal information and closely tracked how much of it they transmitted. Fifteen of the apps reported users' locations to remote advertising servers and seven applications broadcast the handset's device number or phone number to outside servers.

In almost all the cases, the information was collected without informing users about what was happening. In some cases, information was reported as frequently as every 30 seconds.

The study may be the best evidence yet that Android users have little way of knowing what happens to the wealth of information stored on their phones when they install any one of the 70,000 or so apps available in the Google-sanctioned Market. The search giant is quick to say that before Android apps can be installed, users see a screen informing them what personal information can be accessed by the software. But as the researchers point out, knowing what an app is capable of is different than what knowing what it actually does.

“This finding demonstrates that Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” they wrote in a paper to be presented at next month's Usenix Symposium on Operating Systems Design and Implementation in Vancouver. “For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity.

A Google spokesman said users should install only applications they trust and said suspicious apps can be uninstalled at any time. But his statement didn't address how users can make informed decisions about which apps are trustworthy and which are not.

And to be fair, there's no way of knowing what liberties apps on competing platforms take with users' personal information. The researchers were able to monitor Android apps only because the operating system is open source. That allowed them to develop TaintDroid, software that labels, or taints, data from privacy-sensitive sources so it can be monitored in real time. There are no guarantees apps for Apple's iPhone or Research in Motion's Blackberry would fare any better if subjected to the same scrutiny.

A PDF of the paper is available here and a list of frequently asked questions is here. The apps monitored by TaintDroid were randomly chosen from a list of 358 from the Android Market that have access to both the internet and privacy-sensitive sources such such as location, camera, and phone.

The researchers declined to identify any of the 20 applications that sent user data, and so far TaintDroid isn't available to the public. That means you'll have to continue putting your blind trust in Android developers for the time being. ®

Internet Security Threat Report 2014

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Edward who? GCHQ boss dodges Snowden topic during last speech
UK spies would rather 'walk' than do 'mass surveillance'
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
Carders punch holes through Staples
Investigation launched into East Coast stores
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.