Smartphone apps can do more than provide you with entertainment, information or useful services -- they can also invade your privacy.
Apps can trace your Web habits, look into your contact list, make phone calls without your knowledge, track your location, examine your files and more. They can also automatically send information such as location data to mobile ad networks.
In addition, apps can gather the phone number and the unique ID number of each type of phone: the Unique Device Identifier (UDID) on the iPhone, the International Mobile Equipment Identity (IMEI) number on the BlackBerry, and (depending on the make) the IMEI or the Mobile Equipment Identifier (MEID) on an Android phone. Personal information that apps gather about you can be matched to these IDs. That means that ad networks can easily combine various pieces of information collected by multiple apps, build a sophisticated profile about you -- and then legally sell that data to other marketing companies.
It's not as if you weren't warned. Before you download an app, you often get to see the kinds of information that the app will collect about you. On Android, for example, when you tap Install to download and install an app, a screen displays the "permissions" you grant it when you install it. In order to download and install the app, you must tap OK underneath the "Accept permissions" button. BlackBerry phones also cite permissions and Apple monitors all App Store apps for safety.
But do you actually pay attention to what's gathered? Have you ever not downloaded an app based on what information it indicates it's going to harvest about you? What do those notices really mean?
In this article, we'll detail the kind of privacy threats you face when using mobile apps, offer advice on ways you can protect yourself, and take a look at possible legislation that may -- or may not -- help.
What information do apps gather?
Researchers warn that a surprisingly high percentage of smartphone apps may threaten your privacy. In October 2010, joint research by Intel Labs, Penn State and Duke University found that 15 out of 30 Android apps analyzed sent geographic information to remote ad servers without users' knowledge. Seven of them also sent the unique phone identifier; in some cases, the actual phone number and serial number were sent to app vendors. This can enable app vendors and/or advertisers to create comprehensive profiles about your likes and dislikes, the places you visit when you carry your phone, your Web surfing habits and more. They can then use those profiles however they want or sell them to others.
Meanwhile, in June 2010, security vendor SMobile Systems found that 20% of Android apps allowed third parties (that is, companies other than the app vendors themselves) to get access to private or sensitive information. In addition, the report warned, 5% of the apps could make phone calls by themselves without user intervention and 2% could send an SMS text message to a premium, for-pay number -- again without the user making the call.
Apple's iOS is not immune to such threats. In January, a class-action suit filed in San Jose charged Apple, the music-streaming service Pandora and others with "transmitting [users'] personal, identifying information to advertising networks without obtaining their consent." The suit also charged that "some apps are also selling additional information to ad networks, including users' location, age, gender, income, ethnicity, sexual orientation and political views." The case is still winding its way through the courts.
This issue is enough of a worry that federal prosecutors are currently investigating whether iOS and Android apps obtain or transmit information about users without properly disclosing what they are doing, according to the Wall Street Journal. Pandora has already received a subpoena in the probe, according to the Journal.
The most comprehensive investigation into the kind of information that smartphone apps gather and how they use it may be one conducted by the Wall Street Journal itself. The Journal examined 101 popular iOS and Android apps and found that "56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders."
For example, the Journal found that that Pandora "sent age, gender, location and phone identifiers to various ad networks." The iOS and Android versions of a game called Paper Toss "sent the phone's ID number to at least five ad companies." The list goes on.
The Journal also found that, as a general rule, iOS apps sent more personal data than did Android apps, but the newspaper also noted that "because of the test's size, it's not known if the pattern holds among the hundreds of thousands of apps available."