Study: Android Apps Sending Private Data To Advertisers
By Barry Levine / Top Tech News. Updated September 30, 2010.
Some applications based on the open-source Android operating system are secretly opening up too much to advertisers. That's the word from a new study conducted by a research team from Duke University, Penn State University, and Intel Labs.
The study was conducted using the team's new, real-time privacy monitoring tool, TaintDroid. The team reported that TaintDroid was used to monitor the behavior of 30 popular third-party Android applications, and it discovered 68 instances of "potential misuse of users' private information across 20 applications."
The team noted that many Android apps, as well as those for other smartphones such as Apple's iPhone, grab data from remote cloud services and combine it with data from local sensors, such as a GPS receiver, a camera, a microphone, or an accelerometer. This creates useful and legitimate functions for owners, the study noted, but sometimes private information is sent back to the cloud.
The study cited the hypothetical example of a user who allows her location information to be used by an application, but, because only "coarse-grained controls" are available, the user has no way of knowing that her location information will be sent to a location-based service, to advertisers, to the application developers, or to others.
TaintDroid labels, or "taints," data originating from sources it considers private, and then logs the data as it travels through program variables, files and messages. The team said such tracking often has a high performance overhead, but they have integrated several techniques and utilized Android's virtualized architecture to incur a runtime overhead of less than 14 percent.
For individual apps, the report said, the latency impact from TaintDroid was negligible. However, it noted that TaintDroid's tracking can be circumvented by malicious application developers, in which case other techniques would need to be used.
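The label-and-log approach described above can be sketched in a few lines. This is an added illustration, not TaintDroid's code or code from the study: the class and function names, the tag names, the sample values and the `example.test` hosts are all constructed, and only string concatenation is tracked.

```python
# Toy dynamic taint tracker (added example; all names and values are constructed).
LOCATION, DEVICE_ID = "LOCATION", "DEVICE_ID"

class Tainted(str):
    """A string that carries a set of tags naming the private sources it came from."""
    def __new__(cls, value, tags=()):
        obj = super().__new__(cls, value)
        obj.tags = frozenset(tags)
        return obj

    def __add__(self, other):
        # Propagation rule: the result carries the union of both operands' tags.
        return Tainted(str.__add__(self, other), self.tags | tags_of(other))

    def __radd__(self, other):
        # Handles plain_string + tainted_string.
        return Tainted(str.__add__(other, self), self.tags | tags_of(other))

def tags_of(value):
    # Untracked values simply have no tags.
    return getattr(value, "tags", frozenset())

def read_location():
    # Taint source: constructed value standing in for a GPS reading.
    return Tainted("0.0000,0.0000", {LOCATION})

def read_device_id():
    # Taint source: constructed value standing in for a device identifier.
    return Tainted("000000000000000", {DEVICE_ID})

class AuditedNetwork:
    """Taint sink: logs which private tags leave the device in each message."""
    def __init__(self):
        self.log = []

    def send(self, host, payload):
        tags = tags_of(payload)
        if tags:
            self.log.append((host, sorted(tags)))
        return len(payload)  # stand-in for the real transmit

def run_sample_app(net):
    # Constructed app behaviour: one request mixes in private data, one does not.
    query = "lat_lon=" + read_location() + "&id=" + read_device_id()
    net.send("ads.example.test", query)
    net.send("cdn.example.test", "GET /icon.png")
    return net.log

if __name__ == "__main__":
    print(run_sample_app(AuditedNetwork()))
```

Only the request built from the two private sources appears in the log, tagged with both; the second request carries no tags and is not recorded.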
Locations, Phone Numbers
In half of the 30 tested applications, users' locations were sent to remote advertising servers. Seven apps captured and relayed device IDs, phone numbers, and SIM card serial numbers.
Andrew Frank, research director at Gartner, wasn't surprised apps are sending information to advertisers and others. The key issues, he said, are the kinds of information being sent, and the quality of user or parental controls.
Frank said, as a general principle, users should be able to easily opt in to or opt out of the kinds of data they permit to be collected and sent. "Clearly, Social Security numbers, as one example, need to be kept private," he said, but a user might be fine with allowing his or her location to be sent to an advertiser in order to receive useful ads about nearby businesses.
An industry-based, self-regulating body would be the best solution in the long term, Frank said. He added that the Internet Advertising Bureau is one of the organizations best positioned to take this role.