Friday, 1 October 2010

Select Android apps sharing data without user notification

Come one, come all -- let's gather and act shocked, shall we? It's no secret that Google's Android Market is far easier to penetrate than Apple's App Store, which is most definitely a double-edged sword. On one hand, you aren't stuck waiting a lifetime for Apple to approve a perfectly sound app; on the other, you may end up accidentally downloading some Nazi themes that scar you for life. A curious team of scientists from Intel Labs, Penn State and Duke University recently utilized a so-called TaintDroid extension in order to log and monitor the actions of 30 Android apps -- 30 that were picked from the 358 most popular. Their findings? That half of their sample (15, if you're rusty in the math department) shared location information and / or other unique identifiers (IMEI numbers, phone numbers, SIM numbers, etc.) with advertisers. Making matters worse, those 15 didn't actually inform end-users that data was being shared, and some of 'em beamed out information while applications were dormant. Unfortunately for us all, the researchers didn't bother to rat out the 15 evil apps mentioned here, so good luck resting easy knowing that your library of popular apps could be spying on you right now.

Update: A Google spokesperson pinged us with an official response to the study, and you can peek it after the break.

Update 2: Looks as if the full study (PDF) has been outed, with the 30 total apps named. Here they are: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC - Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote. Thanks, Jordan!




"On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data.



When installing an application from Android Market, users see a screen that explains clearly what information the application has permission to access, such as a user's location or contacts. Users must explicitly approve this access in order to continue with the installation, and they may uninstall applications at any time. Any third party code included in an application is bound by these same permissions. We consistently advise users to only install apps they trust."


On background, note that this trust relationship between the user and the software maker exists regardless of the platform - even in desktop software and more controlled application environments. It is not specific to Android. As an industry, we've never been able to 100% guarantee what a software maker (on any platform) will do with data to which they are entrusted. Importantly, by limiting resource access at a technical level to those that the user explicitly approves, Android has taken an important step forward compared to what we have with traditional software (which could generally access all computing resources at will, without the user knowing) or even other mobile operating systems. None of the applications studied in this research operated outside of the Android Permissions model, so in each case, a user would have already granted the application access to the resources listed (e.g. location, device ID, etc.).

Source: engadget.com