iPhone and Android apps raise privacy concerns

Two new studies have raised concerns about the transmission of private data by some iPhone and Android apps.

Last week, researchers from Duke University, Pennsylvania State University, and Intel Labs released the results of a study on 30 popular third-party Android apps. Using TaintDroid, a tool which the researchers created, they discovered that 20 of the studied applications exhibited "suspicious handling of sensitive data" and that 15 of the applications "reported users' locations to remote advertising servers."

In addition to location information, the researchers discovered instances of applications transmitting a device's phone number, IMSI code (unique code that identifies a user of a GSM or UMTS network), ICC-ID (unique SIM card serial number), and IMEI number (unique identifier for an individual device). They found that one application transmitted information each time the phone booted.

"While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data. Surprisingly, this application transmits the phone data immediately after install, before first use."

Not only are applications transmitting information that could be used to personally identify an individual, they are also sending geographic location data. The researchers found that 50 percent of the studied applications "exposed location data to third-party advertisement servers without requiring implicit or explicit user consent." And while two of these 15 did display a EULA when first run, neither EULA indicated that such data would be collected and sent to advertisers.

A second paper, written by Eric Smith, Assistant Director of Information Security and Networking at Bucknell University, raised similar privacy questions about iPhone applications. Instead of creating a tool to track transmitted data, Smith analyzed the network traffic sent from an iPhone through a specially configured wireless network.

"Packet captures were recorded using tshark, the console-based libpcap capture utility. The resulting files were then analyzed using a suite of open-source tools including Wireshark, ngrep, and the Perl Net::Pcap libraries in order to determine what, if any, personally-identifiable information was being shared with third parties."

Smith also analyzed browser cookies placed on the device by applications.

Of the 57 applications Smith evaluated, 68 percent transmitted the iPhone's UDID (a unique device serial number) "to a remote server, owned either by the application developer or an advertising partner." Some applications encrypted the data using SSL, but others transmitted the UDID and user's name (either the logged-in user's name or the iPhone’s user-assigned name) in plain text.
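Smith's method was to capture traffic and then grep the captures for identifiers. The following is an added example (not code from the paper or from this article) of the analysis step over already-reassembled HTTP requests: it flags iPhone UDIDs and Luhn-valid IMEIs and records which hosts received them without SSL. The HttpRequest shape, the .invalid host names and the identifier values are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class HttpRequest:
    """One reassembled HTTP request pulled from a capture (hypothetical shape)."""
    host: str
    path: str
    body: str
    encrypted: bool  # True when the request travelled over SSL/TLS

# Identifier shapes the paper reports leaking: an iPhone UDID is a 40-character
# hex string; an IMEI is 15 digits whose last digit is a Luhn check digit.
UDID_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)
IMEI_RE = re.compile(r"\b\d{15}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum; separates a real IMEI from any other 15-digit number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_identifier_leaks(requests):
    """One finding per identifier seen, recording the receiving host and transport."""
    findings = []
    for r in requests:
        text = f"{r.path} {r.body}"
        transport = "ssl" if r.encrypted else "plaintext"
        for udid in UDID_RE.findall(text):
            findings.append({"host": r.host, "kind": "UDID", "value": udid, "transport": transport})
        for imei in IMEI_RE.findall(text):
            if luhn_ok(imei):
                findings.append({"host": r.host, "kind": "IMEI", "value": imei, "transport": transport})
    return findings

def plaintext_hosts(findings):
    """Hosts that received a device identifier readable on the wire."""
    return {f["host"] for f in findings if f["transport"] == "plaintext"}

# Constructed sample traffic: the .invalid hosts and identifier values are made up.
SAMPLE_REQUESTS = [
    HttpRequest("ads.adnetwork.invalid", "/track?udid=a1b2c3d4e5f60718293a4b5c6d7e8f9012345678&name=Alice", "", False),
    HttpRequest("api.app-vendor.invalid", "/login", "udid=a1b2c3d4e5f60718293a4b5c6d7e8f9012345678&pw=x", True),
    HttpRequest("metrics.app-vendor.invalid", "/ping", "imei=490154203237518&ts=123456789012345", False),
]
```

Calling find_identifier_leaks(SAMPLE_REQUESTS) reports the ad network and metrics hosts as plaintext recipients, while the login over SSL is recorded but not flagged as readable; the 15-digit timestamp is rejected by the Luhn check.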

Applications were also found to place "extremely long-lived" tracking cookies on the iPhone. These cookies aren't set to expire for several years. According to Smith, "these long-lived persistent cookies could allow for third parties to link UDIDs from old, discarded phones to individuals’ new phones as they upgrade to the newest iPhone model every few years."

Choose your apps wisely

In response to the Android study, a Google representative pointed out that users must approve the access when an application is installed. CNET quoted the representative:

"On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application," the representative said. "Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data...We consistently advise users to only install apps they trust."

Under Apple's latest iPhone Software License Agreement, users have already consented to having their location information collected.

"By using any location-based services on your iPhone, you agree and consent to Apple's and its partners' and licensees' transmission, collection, maintenance, processing, and use of your location data to provide such products and services."

So, what's the takeaway from these studies? First, be very careful about which applications you install. If an application asks for access to information that doesn't seem relevant to the application's function, you might think twice about installing it. Second, if you do allow an application to access your private data, know that the information may be used in ways you didn't intend. William Enck, one of the Android researchers, made this point to CNET.

"Right now users have to be more diligent with the apps they install, look closely at the permission screen, and assume that that information may be misused."

In case you're interested, here's a video of TaintDroid in action:

About

Bill Detwiler is Managing Editor of TechRepublic and Tech Pro Research and the host of Cracking Open, CNET and TechRepublic's popular online show. Prior to joining TechRepublic in 2000, Bill was an IT manager, database administrator, and desktop supp...

22 comments
Angel_Tech

I was amazed TaintDroid can give you such info, can anyone suggest an app like that for my droid? I have many free apps that even though I'm aware it's accessing some data, I kinda trust them. cheers :)

Oz_Media

We've gone through this before with ISPs too, all the big ISPs (such as Shaw, Bell and Telus up here) have a disclaimer in their contracts that if you use their service, they can share ANY information with third parties. Of course, in Canada we have the privacy act that restricts such transfer of 'personal' information but your surfing habits, region, etc. is all available to their "partners" as they deem fit. The only way around it is to use a private, secure ISP, such as SohoSkyway in Vancouver, that offers business quality, assured services (at a premium price of course).

Gis Bun

I have a BlackBerry actually. Unsure if RIM does anything to protect users. In any case, the few apps I got are from reliable sources [hopefully less likely to have a privacy issue]. SKDTech commented about Facebook. I have limited myself to what I want to post. No birthday, a generic location where I live, no other personal information, etc. Even limiting myself to the number of "friends".

JohnMcGrew

It's my prediction that our contemporary notion of "privacy" will be obsolete in the very near future, and forgotten in a generation. Consider that those under 30 have grown up in a world of reality TV and YouTube, where nearly all forms of public exhibitionism are not only tolerated, but are encouraged. These kids tweet details of their daily lives that would have horrified our parents, and even install applications with the sole purpose of publicly announcing their whereabouts in realtime. Who is going to care about privacy when nearly everyone purposely broadcasts every detail of their lives already? Do you really think that these same people are going to be that concerned that their phone is sending off nearly undecipherable strings of hexadecimal code to the IP addresses of who knows who? Probably not. All they wanted was the free wallpaper or ring tone.

Bill Detwiler

Two new studies have raised concerns about the transmission of private data by some iPhone and Android apps. Takeaways from the reports include being very careful about which applications you install, and realizing that the information may be used in ways you didn't intend. How often do you read the EULA when installing a mobile application? Read the article and take the poll: http://blogs.techrepublic.com.com/itdojo/?p=2107

Bill Detwiler

Because of the way the Android OS works, TaintDroid wasn't developed as a standard app. To use TaintDroid, you have to load a custom firmware onto the phone. For more information, check out: http://www.appanalysis.org/ There's a contact link on that page to sign up to be notified when the source code is released.

Oz_Media

Well Sharon's anyway. They pioneered reality TV with The Osbournes, little did they or MTV know just how mainstream it would become. Now it has destroyed our personal privacy! :D

SKDTech

And the loss of privacy is terrifying to me. The instant I heard about Facebook Places I went into the settings and disabled it and disallowed anyone from being able to "place" me. The ability of others to broadcast where you are at should never even have been an option. Same with Twitter's location service. If I want people to know where I am "I" will explicitly tell them and anything else is unacceptable. Companies are constantly trying to trick us into giving up our privacy and we should fight them at every step or we will lose our privacy without realizing it.

jasonemmg

I do not post any information or pictures of myself or my family on this site!! I use it for e-mail and the occasional IM with old friends. I do not need to have some perv or psycho looking at pictures of my young kids! Yes I'm asked to post pictures of the family for old friends to see, I ask for their personal e-mail address and send it directly to them. I do ask that they not post the pictures on their facebook site.

jasonemmg

I am an iNOTHING user! Do not have an iphone,pod,pad,etc... I don't need to be in contact with the world every second of my life. I work, have a family at home, I do not need to or have the time to be bothered by non-important text messages. If I were to need a Blackberry or iphone for work I would have them purchase the device!!

Oz_Media

i-Phone i-apps are all i-approved and i-mostly i-paid for through the i-fantastic i-Apple i-Store for i-Apps to add to i-gadgets! i-I am i-told that is is i-far i-superior to any i-other non-i-devices i-because they are i-not i-sketchy that way?! i-I i-can't i-believe it! i-Am i-I i-ready for i-toys i-yet? (i-been i-practicing my i-best to i-conform)

mtndive

I browse through the EULA looking for anything strange or heinous, but according to the reports cited, reading them is meaningless since those notifications weren't in the EULA anyway. In fact, the vast majority of applications didn't even provide an EULA. The advice to only install applications that you trust is ridiculous. These reports are basically saying that I shouldn't trust _any_ application.

BMoreRavens

Most of the EULAs are equivalent to reading "War and Peace"... It's absurd to think someone would read some of these things before installing an app. The exceptions for me are apps that would access some really personal information like banking/financial software. Even then I don't "Read" it I just speed through it looking for anything strange. I think as a whole, both mobile and traditional PC apps, the EULA thing has to be revised and displayed in such a way that normal people can read them. After being in IT for so many years I have just about become numb to the things. There could be a clause in there that says I need to give up my first born child and chances are I would skip right over it.

sonicsteve

I'm still in the process of learning to flash my device and upgrade the OS. I have the Samsung Galaxy i7500 and since they left the i7500 dead at the side of the road we have to learn to upgrade the phone ourselves. The risk of "bricking" your phone makes this a risky proposition though. So for now I'm hoping that someone will make a build of TaintDroid and at least release an apk install file.

Oz_Media

They already ignored/didn't live up to the last court order imposed by the Canadian government. If they don't adhere now they are in for some real issues. Who actually uses Facebook these days anyway though, besides kids and the lifeless? Good read from last year: http://www.priv.gc.ca/media/nr-c/2009/nr-c_090716_e.cfm The changes were made and are approved now, but they see future issues already that are being investigated by the Canadian Internet Privacy Act.

JohnMcGrew

...but most will not. They'd rather have the free app.

presleye69

That's what I got out of the article. Most of these apps didn't even have an EULA and those that did, DID NOT accurately specify the type of information being collected and transmitted back. I'm freaked right now! I'm deleting MOST of the apps from my phone right F%$^ing NOW! I'm actually sorry I bought the D$%^ thing now! My Palm didn't have these types of issues and I did use several Palm apps on my Treo and Centro. This SUCKS! Now, before I use/install any more Android apps, I need a firewall app similar to ZoneAlarm on my phone. SH$%!! Can you tell I'm really pi55ed?

Oz_Media

And it has been raised here in Canada before. But, just as with any service contract, it is up to the user to read it, that's why they always present you with the EULA BEFORE the software is installed. It's the buyer beware scenario, read contracts, and this IS a contract. Do I? Not normally but I don't care what info is shared through my smartphone, I don't run many apps and those I do don't have any real personal info in them. In the case of service agreements, such as my ISP's contract, the phone provider's contract etc. I do read them, but I rest a little easier anyway, just knowing that I live in a country where personal information transmission/sharing is closely monitored/regulated.

Bill Detwiler

In April, UK video game retailer GameStation slipped the following clause into their purchase contract's terms and conditions: "By placing an order via this Web site on the first day of the fourth month of the year 2010 Anno Domini, you agree to grant Us a non-transferable option to claim, for now and for ever more, your immortal soul. Should We wish to exercise this option, you agree to surrender your immortal soul, and any claim you may have on it, within 5 (five) working days of receiving written notification from gamesation.co.uk or one of its duly authorised minions." According to various news reports, the idea started as an April Fool's Day joke, but the company continued it for a bit longer to demonstrate that few people actually read a company's terms of service when shopping online. Around 7,500 people failed to catch the clause and opt out. http://news.cnet.com/8301-17852_3-20002689-71.html

Oz_Media

Get i-paranoid, get REAL i-paranoid! RUUUUUUN, the FBI, CIA and FDA are watching your every move and now all the general public will be listening in to your calls too! I wonder if your calls will be featured on the evening news, with everyone laughing at you and using your bank information freely, that's another key, better cut up all your credit cards and bank card too, THEY watch you too you know!

JCitizen

I feel the same way. I'm glad I saw this article before I bought my next smart phone! X-(