
Google Android apps found to be sharing data

Abdur

Android Enthusiast
Sep 30, 2010
BBC News - Google Android apps found to be sharing data
Some of the most popular apps written for Google's Android phones do not tell users what data they are gathering, says a study by US researchers.

Half of 30 applications studied share location information and unique identifiers with advertisers.

Information about the data gathering was collected using software developed by the team.

App creators should provide more information about what will be done with harvested data, they say.

The team of computer scientists from Intel Labs, Penn State, and Duke University chose 30 out of the 358 most popular Android apps that, when installed, ask for permission to get at location, camera and audio data.

Using an extension to the Android operating system called TaintDroid, created by the team, they logged what the applications did.

This revealed that 15 of the apps sent location information to advertisers but did not inform users that data was being shared. Some apps gathered and despatched location information even when an application was not running and some sent updates every 30 seconds.

One application gathered data and sent it as soon as it was installed but before it was run for the first time.

TaintDroid also found that seven of the apps shared unique identifiers, known as IMEI numbers, when sending data. Others despatched phone numbers or SIM card serial numbers.

Trust model

The researchers said that while many Android apps ask for permission to gather information they did not do enough to inform users what was going to be done with that data or who it would be shared with.

They criticised the fact that users must "blindly trust" applications to play fair with data that they gather.

"Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data," wrote the researchers in a paper about their work.

Mobile security analyst Nigel Stanley from Bloor Research said the loose permission system could prove a boon for hi-tech thieves.

"The blanket permissions a user gives on installing an app can give carte blanche to malware and spyware providers to collect as much private data as they want, under the protective nicety of a simplistic warning from the operating system," he said.

In a statement, Android creator Google said users necessarily entrusted all computing devices with some of their information.

"Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer," it said. "We also provide developers with best practices about how to handle user data."

It added that when apps are installed they show a screen detailing what information that program will access and users must give permission for installation to go ahead.

"We consistently advise users to only install apps they trust," it said.

The research and the TaintDroid program are due to be presented at the Usenix symposium on Operating Systems Design and Implementation (OSDI 10).
Is this something to worry about?
If so, what apps are rogue (so to speak).
Just saw this today on BBC.
 
I read about this today too. Engadget posted the full report with the list of apps that were found.

Here's the list:
Engadget said:
Looks as if the full study has been outed, with the 30 total apps named. Here they are: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC - Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote.

EDIT 2:
It turns out I am wrong about this list. I read the article too quickly.
THIS IS THE LIST OF ALL APPS THAT WERE EVALUATED USING TAINTDROID.
NOT ALL OF THE APPS LISTED WERE FOUND TO HAVE PROBLEMS.
ONLY 15 OF THESE 30 APPS WERE FOUND TO HAVE PROBLEMS.
Just thought I would make this clear.

I was kind of surprised by a few of them. The Weather Channel and the barcode scanner mostly. But I'm not too surprised by Solitaire. I had some hesitation about downloading that one. I deleted all of these. Mostly because I already had a lot of redundancy with those apps and this was a good excuse to get rid of them.

Edit:
Here's the link to the Engadget article:
http://www.engadget.com/2010/09/30/study-select-android-apps-sharing-data-without-user-notificatio/
 
Upvote 0
The real question is how many of these apps mentioned the privileges needed on installation? If it's done on the quiet then that's a different matter to if you were told before installing.

Some of what they are talking about is location services. Surely the Weather app needs that, maybe Yellow Pages too? But as for Solitaire and most of the others, there is no excuse!
 
Upvote 0
I installed Droid Wall on my phone and firewalled apps that have no business talking to the Internet. I don't sync Astrid with any web site, for instance, so it's firewalled. I want more information on what specific data these apps are sending. I can see where Yellow Pages would want to know my GPS location. That makes sense. I can see where it would want to read my contacts. That makes sense too. If it's sending that data anywhere, that doesn't make sense and I want an explanation.
 
Upvote 0
I was kind of surprised by a few of them. The Weather Channel and the barcode scanner mostly. But I'm not too surprised by Solitaire. I had some hesitation about downloading that one. I deleted all of these. Mostly because I already had a lot of redundancy with those apps and this was a good excuse to get rid of them.

I am an author of Barcode Scanner, and feel compelled to respond to this.

The TaintDroid / AppAnalysis paper, which is important and valuable work, does NOT say that ALL of these apps violate privacy. On the contrary -- they say they picked 30 popular apps and found issues with 15 of them.

Unfortunately, users like you are reading this as suggesting that all 30 have a problem. And unfortunately, I'm inundated with nasty messages and Market feedback from users who think I've stolen their information.

It is, of course, completely untrue for Barcode Scanner. It does not have permission to access location or phone state (unique ID), and never has. (It didn't help that the paper originally stated incorrectly that it did -- has been fixed now.) Barcode Scanner, of all these apps, should hardly be considered shady. It is completely open source: zxing - Project Hosting on Google Code. And, I of course know that we have never ever done anything nefarious with the app.

I call on users like yourselves to do your homework and understand that we simply don't know who the culprits were in their study (though I know Barcode Scanner wasn't one, and you can know that from the source code and from seeing that the report says they don't have permissions needed for the violations they cite.)

But I also call on the authors of the paper to "name names" so users can confidently uninstall nefarious apps while not damaging the good names of innocent, open apps like Barcode Scanner.
 
Upvote 0
I had a few of these apps on my iPhone so I was quick to download them from the market place. I got an Android phone knowing full well that GOOGLE is a company that makes money off of user data (not implying that GOOGLE is up to any wrong doing here) and that the market place has little to no privacy. Having said that I am disappointed that there are apps that take info that they shouldn't (warned or not they should be more specific of what they grab) but I am not surprised. And along the lines of what srowen said I don't believe ALL these apps are guilty of wrong doing. It would be nice to know exactly what they do especially when they are being touted by T-Mobile for download.
 
Upvote 0
hi srowen,

I think the main problem for users such as myself is that we don't know WHY the apps are asking for info that they are.

For example barcode scanner asks to access contact data (read and write)... I'm sure that there is a good reason for this but can't for the life of me think what it could be..... (not trying to accuse you of anything, although I know it sounds like it) - <edit> next post down has the answer! </edit>

If devs were more open as to what their apps asked for access to and why it would help a lot....

I agree completely that the authors should name names.
 
Upvote 0
This might not explain it all but it's a really great thread that a member, and also a developer, compiled. The thread explains what most of the permissions mean: http://androidforums.com/android-ap...ps-avoid-viruses-guide-those-new-android.html

The manifest permission as described by Google: http://developer.android.com/reference/android/Manifest.permission.html

Some of what they are talking about is location services. Surely the Weather app needs that, maybe Yellow Pages too? But as for Solitaire and most of the others, there is no excuse!

From what I have gathered, a lot of the free apps use internet permission so that they can enable ads in the apps. Some developers like to get fancy and ask for GPS access so that the ads can be customized to you based on your location.

The real question is how many of these apps mentioned the privileges needed on installation? If it's done on the quiet then that's a different matter to if you were told before installing.

Before you install an app, you are given a list of permissions that the app requires. Developers cannot have 'hidden permissions'. They need to declare those permissions before they are able to access them in your phone. The safety net Android has up. So before you install an app, read the permissions. If you don't know what some of them are, research them and install at your own risk.

I've quoted some information from the Android Developer site that pertains to Permission access.

To enforce your own permissions, you must first declare them in your AndroidManifest.xml using one or more <permission> tags.
Security Architecture

A central design point of the Android security architecture is that no application, by default, has permission to perform any operations that would adversely impact other applications, the operating system, or the user. This includes reading or writing the user's private data (such as contacts or e-mails), reading or writing another application's files, performing network access, keeping the device awake, etc.
An application's process runs in a security sandbox. The sandbox is designed to prevent applications from disrupting each other, except by explicitly declaring the permissions they need for additional capabilities not provided by the basic sandbox. The system handles requests for permissions in various ways, typically by automatically allowing or disallowing based on certificates or by prompting the user. The permissions required by an application are declared statically in that application, so they can be known up-front at install time and will not change after that.
Using Permissions

A basic Android application has no permissions associated with it, meaning it can not do anything that would adversely impact the user experience or any data on the device. To make use of protected features of the device, you must include in your AndroidManifest.xml one or more <uses-permission> tags declaring the permissions that your application needs.

At application install time, permissions requested by the application are granted to it by the package installer, based on checks against the signatures of the applications declaring those permissions and/or interaction with the user. No checks with the user are done while an application is running: it either was granted a particular permission when installed, and can use that feature as desired, or the permission was not granted and any attempt to use the feature will fail without prompting the user.

If you want to read the technical of how Devs code permissions and how it works: http://developer.android.com/guide/topics/security/security.html
 
Upvote 0
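An added example, not part of any post in this thread: a small audit of the `<uses-permission>` entries described above, flagging apps that hold both a sensitive-data permission and INTERNET, the combination behind the flows the study reports. The two manifests are constructed samples with hypothetical package names, and the script assumes the manifest has already been decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # the android:name attribute, namespace-qualified

INTERNET = "android.permission.INTERNET"
# Permissions guarding the data types discussed in the thread.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "coarse (network) location",
    "android.permission.READ_PHONE_STATE": "phone state (IMEI, phone number)",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample manifests (hypothetical apps, not taken from the study).
CARD_GAME = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cardgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""
NOTES = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>
"""


def audit(manifest_xml):
    """Summarise what an app is allowed to read and whether it can send it out."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {el.get(NAME) for el in root.iter("uses-permission")} - {None}
    sensitive = sorted(perms & SENSITIVE.keys())
    online = INTERNET in perms
    return {
        "package": root.get("package"),
        "can_reach_network": online,
        "sensitive": sensitive,
        # Data the app could send off the device directly; worth asking the
        # developer about when the app's purpose does not explain it.
        "review": [SENSITIVE[p] for p in sensitive] if online else [],
    }


if __name__ == "__main__":
    for sample in (CARD_GAME, NOTES):
        result = audit(sample)
        print(result["package"], "->", result["review"] or "nothing to review")
```

Declared permissions only show what an app is able to do; whether it actually sends the data anywhere is what a runtime tracker such as TaintDroid observes.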
@srowen,
I loved your app. It pained me to delete it. It was very easy to use and fun to mess around with. The reason I got rid of it was because I also have Google Goggles installed on my phone. As you probably already know, this app will scan bar codes too. Along with many other advanced features that your app could not do. Having redundant apps on my phone is a pet peeve of mine. This is also the reason I got rid of The Weather Channel app. I had switched over to using the Weatherbug app instead. I just had hung onto the Weather Channel app until I decided if I wanted to keep Weatherbug. I had been on the fence for a while about uninstalling your app and after I read the article last night, I decided it was time to get rid of it.

After reading your post I see where I misunderstood the list. It was late last night when I posted that and I was tired and I read the article too quickly. I have edited my post to make people aware of this. My mistake.

Now, I do agree with some people who posted about the permissions list in the Market. It would be nice if devs were allowed to go into a little more detail as to why their apps need certain permissions. This would clear up a lot of the confusion about whether an app is safe or not. I know I have had to think about downloading quite a few apps because the permissions list had something on it that I didn't think the app should need to access. But that app needs to access my contacts so I can text a link to someone if I wanted to, for example. I think this is a suggestion that needs to be sent to Google. If devs were allowed to write their own permission list options instead of using Google's pre-written ones, it would clear a lot of things up.
 
Upvote 0
...I can see where Yellow Pages would want to know my GPS location. That makes sense. I can see where it would want to read my contacts. That makes sense too. If it's sending that data anywhere, that doesn't make sense and I want an explanation.

The purpose of many apps, such as Yellow Pages and The Weather Channel, is to present the user with a subset of information that is stored not on the device, but on the Internet somewhere. For the Yellow Pages, it's a list of nearby stores. For The Weather Channel, it's the weather specific to your location. In order for the app to present this subset of information it must submit a query to a server somewhere. This query must include your location in order for the server to return an appropriate subset of its information.

Similarly, geographically targeted ads operate in the same way.
 
Upvote 0
The purpose of many apps, such as Yellow Pages and The Weather Channel, is to present the user with a subset of information that is stored not on the device, but on the Internet somewhere. For the Yellow Pages, it's a list of nearby stores. For The Weather Channel, it's the weather specific to your location. In order for the app to present this subset of information it must submit a query to a server somewhere. This query must include your location in order for the server to return an appropriate subset of its information.

Similarly, geographically targeted ads operate in the same way.

And that makes sense to me with apps like Weather Channel. When an app like Solitaire wants my GPS location, my eyebrows raise.
 
Upvote 0
To be fair it's always been an issue since Android was dreamt up, this new research has just highlighted the issue, the good news I would take from this is that Google will be forced to do something about it eventually due to public backlash. I for one am quite happy with my device and knew the risks of owning a smartphone to start with, I won't be rushing out to change my phone any time soon.

To add to this I had a look around my apps specifically at what wanted location based data, only a small number of apps I had looked suspicious as to why they would need this data, so I fired off an email to the Devs of each app:

Handcent: No response back as yet however the very next day after sending my email an update is sent out for the app, after checking the security page of the app it no longer asks for location based services

Backgammon (Free): Response to say this was an oversight by them and they are looking into it. I've not uninstalled this but will wait to see if an update comes out.

MixZing Media Player: Response - Our analytics package (Flurry) uses it. It's not location (GPS), just coarse. - Given that response I will be uninstalling this app as I don't see why the media player needs my location data regardless of it being coarse or GPS

I'm quite happy at this moment in time with the apps I have on this phone granted I don't know how secure they are but I may get a cheapish android phone and put on the software that was used in the project that kicked off all this concern then and only then will I know what certain apps actually do
 
Upvote 0
For example barcode scanner asks to access contact data (read and write)... I'm sure that there is a good reason for this but can't for the life of me think what it could be..... (not trying to accuse you of anything, although I know it sounds like it) - <edit> next post down has the answer! </edit>

If devs were more open as to what their apps asked for access to and why it would help a lot....

As the next post says, we've explained it in the FAQ. The FAQ is the 'home page' linked from the Market. The Market description specifically says "see FAQ for permission info". I don't know that more can be done in this case.

But yes I myself often refuse to install an app that requests permissions that don't seem right, and for which I can find no information on the product page.
 
Upvote 0
@srowen,
I loved your app. It pained me to delete it. It was very easy to use and fun to mess around with. The reason I got rid of it was because I also have Google Goggles installed on my phone. As you probably already know, this app will scan bar codes too. Along with many other advanced features that your app could not do.

Completely fine, you know that Google Goggles uses Barcode Scanner for barcode scanning anyway (well, the same library)? As does Google Shopper. In fact all the underlying technology came out of Google, when I was working there. The devs of the other apps have continued this and they're friends of mine. So, really you're still using it.
 
Upvote 0
