Google Android apps leak private data to advertisers

Security researchers released a paper this week showing that Google Android apps leak user locations, phone numbers and other private information to advertisers, without user permission.

Researchers from Pennsylvania State University, Duke University, and Intel Labs looked at 30 randomly selected, popular Android apps, and analyzed their behavior using a software tool that runs on Android phones, called "TaintDroid," according to the paper released Thursday: "TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones" (PDF).

Two thirds of the apps, or 20 of them, displayed "instances of potential misuse of users' private information" and "used sensitive data suspiciously," according to the paper. Fifteen of the 30 reported user locations to remote advertising servers. Seven applications collected the device ID, and, in some cases, the phone number and SIM card serial numbers.

"We were surprised by how many of the studied applications shared our information without our knowledge or consent," said Penn State computer science and engineering grad student William Enck in a statement from the university. "Often, smartphone applications have obvious user interface changes when they use information like your physical location. These cases usually occur in response to the user pressing a button with clear implications. The cases we found were suspicious because there was no obvious way for the user to know what happened or why."

Applications tested include The Weather Channel, Solitaire, Manga Browser, Bump, Hearts, Blackjack, Horoscope, BBC News Live Stream, Layar, Trapster, MySpace, and Evernote. The paper gave no indication which of these applications, if any, were security offenders.

"Insufficient protection"

Two applications transmitted the device's phone number and SIM card serial number, along with the IMSI, which is a unique 15-digit code used to identify the individual user on a GSM network. "In neither case was the user informed that this information was transmitted off the phone," the paper says.

"This finding demonstrates that Android’s coarsegrained access control provides insufficient protection against third-party applications seeking to collect sensitive data," the paper says. "Moreover, we found that one application transmits the phone information every time the phone boots. While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data. Surprisingly, this application transmits the phone data immediately after install, before first use."

Nine applications transmitted the device's IMEI, a unique mobile phone ID. Seven of the nine either don't present a EULA or do not specify IMEI collection in the EULA. Two are more responsible, one displaying a privacy statement indicating the application collects the device ID, the other uses the hash of the IMEI instead of the number itself, according to the paper.

Half of apps exposed location data to ad services without requiring user consent.

Not Android-specific

While it's tempting to position this study as a failure of Android's openness over the iPhone's closed App Store, that's jumping to conclusions. The paper doesn't say anything about the iPhone or any other Android competitors. There's no way of knowing, based on this paper, whether the App Store does a better job screening for this type of security vulnerability. Indeed, many of the applications tested have versions in the iPhone App Store. And the iPhone has had its share of security problems; for example, a flaw in Citi's banking app, and a phishing scam that grabbed user credit card numers.

The paper describes the security flaws as phone problems, not Android problems.

Based on the language of the paper, I suspect they used Android here because the operating system's virtualized architecture makes it possible to run their security-monitoring app, rather than because they wanted to target Android in particular.

Indeed, a Duke University statement notes that "the findings suggest that investigating other operating systems is warranted."

"We don’t have the data to say that a majority of third-party apps are untrustworthy. This study, however, is a proof-of-concept to show the value of enhancing smartphone platforms to include real-time monitoring tools like TaintDroid to give users an awareness of how their information is being shared," says Landon Cox, a Duke assistant computing science professor, in the statement.

Update: A Google spokesman said in email: "In fact, this topic is not specific to Android but is common to how ALL software works, whether it's a mobile or a traditional desktop platform. More on this below. These researchers only studied a few apps, and they didn't test any other mobile operating systems, so there's no guarantee that others wouldn't behave in the exact same way."

All computing devices, desktop or mobile, require users to entrust some of their information to the application developer. Android includes tools to let users know about the trust relationship, and limit the amount of trust a user must grant to any particular app developer, and also provide devlopers with guidelines for handling usr data, Google said.

"When installing an application from Android Market, users see a screen that explains clearly what information the application has permission to access, such as a user's location or contacts. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. Any third party code included in an application is bound by these same permissions. We consistently advise users to only install apps they trust," Google said.

Applications on any computing device, including desktop, iPhone, and Android, access resources on your computer. In the case of desktop computers, the application gets access to all system resources, Google noted.

"This is how all software works — it's not specific to Android, to mobile operating systems, or to open vs. closed systems," Google said. "What's different about Android is that we actually decided to indicate those resources to the user, limit an application's access to only the resources that the user approves, and give them an opportunity to decline the installation based on that list of resources. To expect Android to then be able to predict how a developer will use information to which it has explicitly been granted access is to expect it to do something beyond what has been available on any other software platform."

Update: The study doesn't demonstrate insecurity of other apps or platforms, said one of the researchers, Landon Cox, assistant professor of computer science at Duke University, in an email. It doesn't show superiority of the iPhone's closed App Store over Android openness, and it doesn't reflect smartphone security in general. "We only looked at the behavior of 30 Android apps and cannot say anything about other apps or platforms," he said.

As to why the researchers chose Android, Cox said: "Our tool and study target the Android platform because its code is open source, which makes it easier to study than other, closed-source platforms."

Mitch Wagner

Follow me on Twitter
Visit my LinkedIn page
Friend me on Facebook

is a freelance technology journalist and social media strategist.

Copyright © 2010 IDG Communications, Inc.

  
Shop Tech Products at Amazon