Two new studies have raised concerns about the transmission of private data by some iPhone and Android apps.
Last week, researchers from Duke University, Pennsylvania State University, and Intel Labs released the results of a study on 30 popular third-party Android apps. Using TaintDroid, a tool which the researchers created, they discovered that 20 of the studied applications exhibited “suspicious handling of sensitive data” and that 15 of the applications “reported users’ locations to remote advertising servers.”
In addition to location information, the researchers discovered instances of applications transmitting a device’s phone number, IMSI code (unique code that identifies a user of a GSM or UMTS network), ICC-ID (unique SIM card serial number), and IMEI number (unique identifier for an individual device). They found that one application transmitted information each time the phone booted.
Not only are applications transmitting information that could be used to personally identify an individual, they are also sending geographic location data. The researchers found that 50 percent of the studied applications “exposed location data to third-party advertisement servers without requiring implicit or explicit user consent.” And while two of these 15 did display a EULA when first run, neither EULA indicated that such data would be collected and sent to advertisers.
A second paper, written by Eric Smith, Assistant Director of Information Security and Networking at Bucknell University, raised similar privacy questions about iPhone applications. Instead of creating a tool to track transmitted data, Smith analyzed the network traffic sent from an iPhone through a specially configured wireless network.
“Packet captures were recorded using tshark, the console-based libpcap capture utility. The resulting files were then analyzed using a suite of open-source tools including Wireshark, ngrep, and the Perl Net::Pcap libraries in order to determine what, if any, personally-identifiable information was being shared with third parties.”
Smith also analyzed browser cookies placed on the device by applications.
Of the 57 applications Smith evaluated, 68 percent transmitted the iPhone’s UDID (a unique device serial number), “to a remote server, owned either by the application developer or an advertising partner.” Some applications encrypted the data using SSL, but others transmitted the UDID and user’s name (either the logged-in user’s name or the iPhone’s user-assigned name) in plain text.
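The check at the heart of this kind of traffic audit can be sketched in a few lines. This is an added example, not code from Smith's paper: it searches unencrypted request payloads, assumed to be already extracted from a capture, for a known device identifier. The UDID, device name, hosts and requests are constructed sample values, and matching MD5 or SHA-1 digests of the UDID is an assumption that goes beyond what the article reports.

```python
import hashlib
from urllib.parse import unquote_plus

# Constructed sample values: a made-up 40-hex-character UDID and device name.
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"
DEVICE_NAME = "Alice's iPhone"

# Constructed cleartext HTTP requests as (destination host, payload) pairs,
# standing in for payloads pulled out of a packet capture.
SAMPLE_REQUESTS = [
    ("ads.example.net",
     "GET /track?udid=" + DEVICE_UDID + "&app=game HTTP/1.1"),
    ("api.example.org",
     "POST /register HTTP/1.1\r\n\r\nname=Alice%27s+iPhone&v=2"),
    ("stats.example.com",
     "GET /hit?id=" + hashlib.sha1(DEVICE_UDID.encode()).hexdigest().upper()
     + " HTTP/1.1"),
    ("cdn.example.com", "GET /img/logo.png HTTP/1.1"),
]


def identifier_forms(udid, name):
    """Return {search string: label} for each form the identifiers may take."""
    forms = {udid.lower(): "udid", name.lower(): "device-name"}
    # Assumption: a sender might hash the UDID before sending it.
    for algo in ("md5", "sha1"):
        digest = hashlib.new(algo, udid.encode()).hexdigest()
        forms[digest] = "udid-" + algo
    return forms


def find_leaks(requests, udid, name):
    """List (host, label) for every identifier form seen in a payload."""
    forms = identifier_forms(udid, name)
    findings = []
    for host, payload in requests:
        # Undo URL encoding and ignore case so "%27", "+" and upper-case
        # hex digits do not hide a match.
        text = unquote_plus(payload).lower()
        for needle, label in forms.items():
            if needle in text:
                findings.append((host, label))
    return findings


if __name__ == "__main__":
    for host, label in find_leaks(SAMPLE_REQUESTS, DEVICE_UDID, DEVICE_NAME):
        print(f"{host}: {label} found in unencrypted payload")
```

Traffic protected with SSL cannot be inspected this way, since only unencrypted payloads are readable on the wire.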
Applications were also found to place “extremely long-lived” tracking cookies on the iPhone. These cookies aren’t set to expire for several years. According to Smith, “these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals’ new phones as they upgrade to the newest iPhone model every few years.”
Choose your apps wisely
In response to the Android study, a Google representative pointed out that users must approve the access when an application is installed. CNET quoted the representative:
“On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application,” the representative said. “Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data…We consistently advise users to only install apps they trust.”
Under Apple’s latest iPhone Software License Agreement, users have already consented to having their location information collected.
“By using any location-based services on your iPhone, you agree and consent to Apple’s and its partners’ and licensees’ transmission, collection, maintenance, processing, and use of your location data to provide such products and services.”
So, what’s the takeaway from these studies? First, be very careful about which applications you install. If an application asks for access to information that doesn’t seem relevant to the application’s function, you might think twice about installing it. Second, if you do allow an application to access your private data, know that the information may be used in ways you didn’t intend. William Enck, one of the Android researchers, made this point to CNET.
“Right now users have to be more diligent with the apps they install, look closely at the permission screen, and assume that that information may be misused.”
Do you read the EULA when installing a smartphone application?