US: The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user.
The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.
They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user’s location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.
The Android operating system has an access control mechanism that limits the availability of key platform features and private user information. Third-party applications that rely on sensitive features have to request permission during the installation process. The user has the option of cancelling the installation if they do not wish to give the application access to the specific features that it requests. If a user starts to install a simple arcade-style game and finds out that it wants access to the user’s GPS coordinates, for example, the seemingly suspicious permission request might compel the user to refrain from completing the installation process.
It’s a practical security measure, but one critical limitation is that there is no way for the user to discern how and when the application will use a requested feature or where it will send the information.
Concerns about unauthorised access to private information by Android applications were raised earlier this year when a popular wallpaper application was found surreptitiously transmitting the user’s phone number to a remote server in China. Google’s investigation of the matter revealed that the developer of the application was simply using the phone number as a unique identifier for user accounts and was not threatening the user’s security or doing anything nefarious. Google responded by publishing an overview of best practices for handling sensitive user information. Google temporarily disabled the application in the Android Market while performing a security review, but later re-enabled it after finding no evidence of a serious threat.
Source: ars technica