Out-Law / Your Daily Need-To-Know

Study finds that apps secretly leak private data

Out-Law News | 01 Oct 2010 | 10:16 am | 2 min. read

Half of the apps tested by university researchers reported phone users' locations to remote advertising servers, while around a quarter collected the phone's device or phone number. Two thirds of the apps used private data suspiciously in the study.

Researchers at Pennsylvania State University, Duke University and Intel Labs found that the apps they studied provided little or no clarity or control for users over what happens to the sensitive information they gather.

The researchers created software that tracked and analysed the uses that apps in the Android mobile phone operating system. Called TaintDroid, the system monitors apps' use of private information such as a user's location, movement and phone use.

"TaintDroid [is] an extension to the Android mobile-phone platform that tracks the flow of privacy sensitive data through third-party applications," said the research paper. "TaintDroid assumes that downloaded, third-party applications are not trusted, and monitors – in realtime – how these applications access and manipulate users’ personal data."

The increasingly sophisticated ability of smartphones to run complex software has led to a dramatic rise in the use, and production, of apps, which are software programs developed by third parties for use on phone operating systems, including Android and Apple's iPhone OS. 

The researchers warn, though, that the very ability of apps to use information gathered from the phone to aid their functions can be a threat to user privacy.

"Resolving the tension between the fun and utility of running third-party mobile applications and the privacy risks they pose is a critical challenge for smartphone platforms," said the paper. "Mobile phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but provide little insight into how private information is actually used."

"For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity," said the study. "As a result, users must blindly trust that applications will properly handle their private data. This lack of transparency forces users to blindly trust that applications will properly handle private data."

TaintDroid digitally marks, or 'taints', privacy-sensitive pieces of data so that it can monitor when they leave a phone and which application has sent the data to an outside source.

When testing 30 randomly-selected popular Android apps that use location, camera or microphone data, TaintDroid found many instances of potential misuse of private data.

"TaintDroid correctly flagged 105 instances in which these applications transmitted tainted data; of the 105, we determined that 37 were clearly legitimate. TaintDroid also revealed that 15 of the 30 applications reported users’ locations to remote advertising servers," the research paper said. "Seven applications collected the device ID and, in some cases, the phone number and the SIM card serial number. In all, two-thirds of the applications in our study used sensitive data suspiciously."

The research found that when apps transmitted details such as the identifying code of devices or SIM cards they had not asked user permission for this, so could not have consent.

It also found that none of the 50% of applications that sent location data to third party advertising networks had users' permission to do so.