The spy in your pocket: Researchers name data-slurping mobe apps
Step up, LocalScope, you're the winner (not in a good way)
Android app developers are more promiscuous with your personal data than iOS devs, according to research that examined more than 100 popular apps to sniff the way they handed data to third parties.
However, both iOS and Android developers are quite happy to scrape personal data and fire it off to third parties without asking permission.
The privacy boffins also found that 93 per cent of the Android apps they tested connected to "a mysterious domain, safemovedm.com, likely due to a background process of the Android phone". (The Register's quick search associates that domain with an app called "Hotspot Login Assistant".)
The research, led by Jinyan Zang, a Harvard research analyst and Federal Trade Commission research fellow, with collaborators from MIT and Carnegie Mellon, is published at the open-access journal Technology Science.
"Our results show that many mobile apps share potentially sensitive user data with third parties, and that they do not need visible permission requests to access the data", they write, and that is something that needs to change.
The researchers focused their attention on the kinds of apps most likely to handle personal data, and sniffed what the apps were sending using HTTP/HTTPS proxies.
On average, the Android apps they tested shared "potentially sensitive" data to 3.1 third-party domains, while iOS apps connected to 2.6 third-party domains.
Here are the kinds of sharing that happen:
- Name and e-mail address – each shared by 73 per cent of Android apps tested, compared to 16 per cent of iOS apps.
- Location – iOS apps were worse, with 47 per cent of the apps sharing location data versus 33 per cent of Android apps.
- Health – three out of 30 "medical, health and fitness" apps shared search terms and user inputs with third parties.
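The study's method, a proxy in the path of the phone's HTTP/HTTPS traffic followed by a tally of which destinations received which kinds of data, is easy to reproduce for your own apps. The script below is an added illustration, not code from the study or from The Register: it takes flow records of the shape an intercepting proxy such as mitmproxy produces (app, destination host, path, decoded request body) and, per app, counts distinct third-party domains and flags the data classes the article lists (name, e-mail, location, search terms). The app names, hostnames, bodies and the first-party mapping are all constructed for the example.

```python
"""Classify captured app traffic into first-/third-party and flag PII.

Added illustration (not code from the study or from The Register): the kind of
post-processing a researcher runs over flows captured by an HTTP/HTTPS
intercepting proxy. Flow records, app names and hosts below are constructed.
"""
import json
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed flows, shaped like what a mitmproxy addon would hand you:
# the app that generated the request, the destination host, the URL path and
# the request body (already decoded to text). None of this is real capture data.
SAMPLE_FLOWS = [
    {"app": "walkapp", "host": "api.walkapp.example", "path": "/v1/sync",
     "body": "email=alice%40example.org&name=Alice+Smith&lat=42.37&lon=-71.11"},
    {"app": "walkapp", "host": "graph.facebook.example", "path": "/activity",
     "body": '{"email": "alice@example.org", "event": "open"}'},
    {"app": "walkapp", "host": "ads.tracker.example", "path": "/ping",
     "body": "lat=42.37&lng=-71.11&idfa=00000000-0000-0000-0000-000000000000"},
    {"app": "walkapp", "host": "cdn.walkapp.example", "path": "/logo.png", "body": ""},
    {"app": "pillfinder", "host": "search.pillfinder.example", "path": "/q",
     "body": "q=ibuprofen+dosage"},
    {"app": "pillfinder", "host": "analytics.tracker.example", "path": "/e",
     "body": '{"search_term": "ibuprofen dosage", "uid": 17}'},
]

# Which registrable domain each app legitimately talks to (constructed; in a
# real study you take this from the developer's own site or privacy policy).
FIRST_PARTY = {"walkapp": "walkapp.example", "pillfinder": "pillfinder.example"}

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Parameter names that commonly carry each class of data. Heuristic, not exhaustive.
PII_KEYS = {
    "name": {"name", "first_name", "last_name", "full_name"},
    "location": {"lat", "lng", "lon", "latitude", "longitude", "location"},
    "search": {"q", "query", "search", "search_term"},
}


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels. Good enough for .com/.example;
    a real tool should consult the Public Suffix List to handle e.g. co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def body_fields(body: str) -> dict:
    """Decode a request body as a JSON object or as a form-encoded query string."""
    if not body:
        return {}
    try:
        obj = json.loads(body)
        return obj if isinstance(obj, dict) else {}
    except ValueError:
        return {k: v[0] for k, v in parse_qs(body).items()}


def classify_pii(body: str) -> set:
    """Return the classes of potentially sensitive data found in a request body."""
    fields = body_fields(body)
    found = set()
    # Check both the raw body and the decoded values, so a %40-encoded address
    # in a form body is still caught.
    texts = [body] + [str(v) for v in fields.values()]
    if any(EMAIL_RE.search(t) for t in texts):
        found.add("email")
    for label, keys in PII_KEYS.items():
        if any(k.lower() in keys for k in fields):
            found.add(label)
    return found


def summarize(flows, first_party=FIRST_PARTY) -> dict:
    """Per app: distinct third-party domains contacted, and which data classes
    were sent to each of them (first-party traffic is skipped)."""
    report = defaultdict(lambda: {"third_party_domains": set(),
                                  "pii_by_domain": defaultdict(set)})
    for flow in flows:
        app = flow["app"]
        domain = registrable_domain(flow["host"])
        if domain == first_party.get(app):
            continue
        entry = report[app]
        entry["third_party_domains"].add(domain)
        entry["pii_by_domain"][domain] |= classify_pii(flow["body"])
    return {
        app: {
            "third_party_domains": sorted(e["third_party_domains"]),
            "pii_by_domain": {d: sorted(p) for d, p in e["pii_by_domain"].items() if p},
        }
        for app, e in report.items()
    }


if __name__ == "__main__":
    for app, entry in summarize(SAMPLE_FLOWS).items():
        print(app, len(entry["third_party_domains"]), "third-party domains")
        for domain, kinds in entry["pii_by_domain"].items():
            print("   ", domain, "<-", ", ".join(kinds))
```

Two caveats apply when you run this against real captures. Apps that pin certificates will refuse the proxy's certificate and show up as zero flows rather than zero sharing, so a silent app is a gap in coverage, not a clean bill of health. And the domain count is only as good as your first-party mapping: a developer-owned CDN or analytics subdomain on a different registrable domain will be counted as a third party unless you add it to the map.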
Google and Facebook are the favourite recipients for data harvested from Android apps, the research found. The most promiscuous Android apps – those that connected to the most third-party domains – were Text Free (free calls and text over Wi-Fi, 11 domains), Glide (video messaging, 8 domains), Map My Walk (9 domains), and Drugs.com (7 domains).
In the iOS world, Apple, Yahoo! and the SalesForce Marketing Cloud-operated exacttargetapis.com were the big-three recipients of personal data.
Walgreens (online pharmacy) sent data to 5 domains, while other offenders included Map My Run and Nike+ Running (4 domains each), Fruit Ninja (also sending data to 4 domains), Urgent Care and Pinterest (also 4 domains). However, the stand-out offender in the iOS world was the Localscope iPhone location browser, which spaffs data to a stunning 17 third-party domains.
Mind you, things are just as bad over on the boring-old World Wide Web. In research published in October, University of Pennsylvania doctoral researcher Tim Libert found that 90 per cent of a million websites he tested leaked personal data to third parties without alerting users. ®