Feeds

2 out of 3 Android apps use private data 'suspiciously'

Google protections 'insufficient'

  • alert
  • submit to reddit

SANS - Survey on application security programs

Google's Android operating system doesn't provide controls to adequately protect users' sensitive data, according to a study that found two-thirds of applications monitored used phone numbers, geolocation, and other information “suspiciously.”

The study – by computer scientists at Pennsylvania State University, Duke University, and Intel Labs – randomly selected 30 of the most popular apps from Google's Android Market that access personal information and closely tracked how much of it they transmitted. Fifteen of the apps reported users' locations to remote advertising servers and seven applications broadcast the handset's device number or phone number to outside servers.

In almost all the cases, the information was collected without informing users about what was happening. In some cases, information was reported as frequently as every 30 seconds.

The study may be the best evidence yet that Android users have little way of knowing what happens to the wealth of information stored on their phones when they install any one of the 70,000 or so apps available in the Google-sanctioned Market. The search giant is quick to say that before Android apps can be installed, users see a screen informing them what personal information can be accessed by the software. But as the researchers point out, knowing what an app is capable of is different than what knowing what it actually does.

“This finding demonstrates that Android's coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data,” they wrote in a paper to be presented at next month's Usenix Symposium on Operating Systems Design and Implementation in Vancouver. “For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity.

A Google spokesman said users should install only applications they trust and said suspicious apps can be uninstalled at any time. But his statement didn't address how users can make informed decisions about which apps are trustworthy and which are not.

And to be fair, there's no way of knowing what liberties apps on competing platforms take with users' personal information. The researchers were able to monitor Android apps only because the operating system is open source. That allowed them to develop TaintDroid, software that labels, or taints, data from privacy-sensitive sources so it can be monitored in real time. There are no guarantees apps for Apple's iPhone or Research in Motion's Blackberry would fare any better if subjected to the same scrutiny.

A PDF of the paper is available here and a list of frequently asked questions is here. The apps monitored by TaintDroid were randomly chosen from a list of 358 from the Android Market that have access to both the internet and privacy-sensitive sources such such as location, camera, and phone.

The researchers declined to identify any of the 20 applications that sent user data, and so far TaintDroid isn't available to the public. That means you'll have to continue putting your blind trust in Android developers for the time being. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.