Android Apps Caught Sharing Private Data

Using a specialized software program called TaintDroid, researchers from Duke University, Penn State University, and Intel Labs have discovered some popular Android apps sharing private user data. TaintDroid uses “dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.” In other words, it labels data at the moment it comes from a sensitive source (GPS, the phone number, the device ID), follows that label through whatever the app does with the data, and raises a report when a labeled value reaches the network.
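To make that detection idea concrete, here is a toy dynamic taint tracker written in Python as an added example for this page. It is not TaintDroid's code: TaintDroid instruments the Dalvik VM itself so that every variable, method argument, IPC message and file carries a tag, whereas this toy only wraps individual values. The sensor readings, hostnames and the ad-SDK and tracker functions are all constructed stand-ins, not observations from any real app.

```python
"""Toy value-level dynamic taint tracking (constructed example, not TaintDroid)."""
import hashlib


class Tainted:
    """A value carrying the set of sensitive sources it was derived from.

    TaintDroid stores this as a bit vector per variable; a frozenset of
    label names is used here purely for readability.
    """

    def __init__(self, value, labels=()):
        self.value = str(value)
        self.labels = frozenset(labels)

    def __add__(self, other):
        # Taint propagates through concatenation: the result carries both label sets.
        other_value, other_labels = _unwrap(other)
        return Tainted(self.value + other_value, self.labels | other_labels)

    def __radd__(self, other):
        other_value, other_labels = _unwrap(other)
        return Tainted(other_value + self.value, other_labels | self.labels)

    def map(self, fn):
        """Apply a transformation (hash, truncate, encode); the taint survives it."""
        return Tainted(fn(self.value), self.labels)


def _unwrap(x):
    """Return (plain string, labels) for either a Tainted or an untainted value."""
    if isinstance(x, Tainted):
        return x.value, x.labels
    return str(x), frozenset()


# Taint sources: stand-ins for the platform APIs an app would call.
# The values are constructed, not real device data.
def read_gps():
    return Tainted("37.4220,-122.0841", {"LOCATION"})


def read_phone_number():
    return Tainted("+15555550100", {"PHONE_NUMBER"})


def read_device_id():
    return Tainted("358240051111110", {"IMEI"})


# Taint sink: anything that leaves the device over the network.
def send_http(host, payload, log):
    """Network sink: record (host, labels, payload) if the outgoing data is tainted."""
    value, labels = _unwrap(payload)
    if labels:
        log.append({"host": host, "labels": sorted(labels), "payload": value})
    return len(value)


def ad_library_request(log):
    """Constructed stand-in for an ad SDK that bundles location and identity."""
    loc = read_gps()
    phone = read_phone_number()
    # The SDK hashes the phone number. A string search for the raw number in
    # the traffic would miss this; the taint label does not.
    token = phone.map(lambda s: hashlib.sha256(s.encode()).hexdigest()[:16])
    query = "GET /ad?loc=" + loc + "&u=" + token
    send_http("ads.example.invalid", query, log)


def analytics_ping(log):
    """Constructed stand-in for a tracker beacon sent while no ad is on screen."""
    send_http("stats.example.invalid", "POST /beacon id=" + read_device_id(), log)


def benign_request(log):
    """Untainted traffic: nothing should be reported for this."""
    send_http("api.example.invalid", "GET /news/latest", log)


def run_app():
    """Drive the simulated app once and return the list of flagged flows."""
    log = []
    benign_request(log)
    ad_library_request(log)
    analytics_ping(log)
    return log


if __name__ == "__main__":
    for event in run_app():
        print(event["host"], event["labels"], event["payload"])
```

The point of the `map` call is the part a practitioner cares about: once the phone number is hashed, the raw digits never appear on the wire, so traffic inspection alone cannot tell that identity data left the device. Taint tracking still reports the flow because the label travels with the derived value. Real taint systems have to make the same propagation decisions for every arithmetic, string and IPC operation in the runtime, which is why TaintDroid needed to modify the platform rather than wrap values the way this toy does.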

Researchers chose 30 popular free Android applications at random and used TaintDroid to test them. Half of these applications sent private data, including users’ GPS location and phone numbers, to advertising servers. Some were sending GPS location as often as every 30 seconds even when they weren’t displaying any ads.

Android has measures in place for users to protect themselves. Before you install an application, you can see exactly which features of your phone the app will have access to. If the permissions don’t make sense for what the app does, you can always change your mind and not click Install. The problem is that many users don’t pay attention to these permissions at all, blindly trusting the developer in exchange for using the app. This is much the same behavior we see with warning dialogs on computers.

The real issue is that, even if the user painstakingly screens all the permissions of every app they install, they can never tell when, or for what purpose, an app will actually exercise those permissions. For example, you would definitely want the Foursquare app to have access to your GPS coordinates, but you would expect it to share your location only when you were checking in or looking for nearby places. You wouldn’t expect it to send your location and phone number to a remote ad server when you weren’t even using the app.

Unfortunately, there doesn’t seem to be any legal recourse against these applications: they told the user ahead of time what they would access. A partial solution would be for every application to have a clear privacy policy available before installation, so that you would already know what they might do with your information, but most users still wouldn’t read it.

TaintDroid is only possible because Android is open source: the researchers could modify the platform itself to follow data as it moves through an app. Now that the issue has been pointed out, there are measures that can be taken toward fixing it. What I wonder is how this is handled with Apple, a completely closed system. While they have a strict approval process, I doubt they screen each app to detect privacy breaches. According to one commenter on Ars Technica:

  • Apple applications don’t notify you which services an app will have access to.
  • Apps that track other apps are not allowed in the App Store.

This means that, even if iOS apps are leaking private data, users would never know about it, and it seems there is no way for them to find out.

via Ars Technica
