Feeds

2 out of 3 Android apps use private data 'suspiciously'

Google protections 'insufficient'

  • alert
  • submit to reddit

High performance access to file storage

Google's Android operating system doesn't provide controls to adequately protect users' sensitive data, according to a study that found two-thirds of applications monitored used phone numbers, geolocation, and other information “suspiciously.”

The study – by computer scientists at Pennsylvania State University, Duke University, and Intel Labs – randomly selected 30 of the most popular apps from Google's Android Market that access personal information and closely tracked how much of it they transmitted. Fifteen of the apps reported users' locations to remote advertising servers and seven applications broadcast the handset's device number or phone number to outside servers.

In almost all the cases, the information was collected without informing users about what was happening. In some cases, information was reported as frequently as every 30 seconds.

The study may be the best evidence yet that Android users have little way of knowing what happens to the wealth of information stored on their phones when they install any one of the 70,000 or so apps available in the Google-sanctioned Market. The search giant is quick to say that before Android apps can be installed, users see a screen informing them what personal information can be accessed by the software. But as the researchers point out, knowing what an app is capable of is different than what knowing what it actually does.

“This finding demonstrates that Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” they wrote in a paper to be presented at next month's Usenix Symposium on Operating Systems Design and Implementation in Vancouver. “For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity.

A Google spokesman said users should install only applications they trust and said suspicious apps can be uninstalled at any time. But his statement didn't address how users can make informed decisions about which apps are trustworthy and which are not.

And to be fair, there's no way of knowing what liberties apps on competing platforms take with users' personal information. The researchers were able to monitor Android apps only because the operating system is open source. That allowed them to develop TaintDroid, software that labels, or taints, data from privacy-sensitive sources so it can be monitored in real time. There are no guarantees apps for Apple's iPhone or Research in Motion's Blackberry would fare any better if subjected to the same scrutiny.

A PDF of the paper is available here and a list of frequently asked questions is here. The apps monitored by TaintDroid were randomly chosen from a list of 358 from the Android Market that have access to both the internet and privacy-sensitive sources such such as location, camera, and phone.

The researchers declined to identify any of the 20 applications that sent user data, and so far TaintDroid isn't available to the public. That means you'll have to continue putting your blind trust in Android developers for the time being. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
German space centre endures cyber attack
Chinese code retrieved but NSA hack not ruled out
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.