[Infowarrior] - Fwd: Android apps surreptitiously phone home with user location data

[Richard Forno]

fron anonymous

Begin forwarded message:

> <http://arstechnica.com/security/news/2010/09/some-android-apps-found-to-cov
> ertly-send-gps-data-to-advertisers.ars>
> 
> Some Android apps caught covertly sending GPS data to advertisers
> 
> By Ryan Paul <http://arstechnica.com/author/ryan-paul/>  | Last updated
> about 9 hours ago
> 
> 
> The results of a study conducted by researchers from Duke University, Penn
> State University, and Intel Labs have revealed that a significant number of
> popular Android applications transmit private user data to advertising
> networks without explicitly asking or informing the user. The researchers
> developed a piece of software called TaintDroid that uses dynamic taint
> analysis to detect and report when applications are sending potentially
> sensitive information to remote servers.
> 
> They used TaintDroid to test 30 popular free Android applications selected
> at random from the Android market and found that half were sending private
> information to advertising servers, including the user's location and phone
> number. In some cases, they found that applications were relaying GPS
> coordinates to remote advertising network servers as frequently as every 30
> seconds, even when not displaying advertisements. These findings raise
> concern about the extent to which mobile platforms can insulate users from
> unwanted invasions of privacy.
> 
> 
> The Android operating system has an access control mechanism that limits the
> availability of key platform features and private user information.
> Third-party applications that rely on sensitive features have to request
> permission during the installation process. The user has the option of
> canceling the installation if they do not wish to give the application
> access to the specific features that it requests. If a user starts to
> install a simple arcade-style game and finds out that it wants access to the
> user's GPS coordinates, for example, the seemingly suspicious permission
> request might compel the user to refrain from completing the installation
> process.
> 
> It's a practical security measure, but one critical limitation is that there
> is no way for the user to discern how and when the application will use a
> requested feature or where it will send the information. To build on our
> previous example, the user might decide to grant an Android game access to
> their GPS coordinates so that the software can facilitate multiplayer
> matches with nearby users. The user has no way of knowing, however, whether
> the application is also transmitting that information to advertisers or
> using it for malicious purposes. Making the permission system more granular
> might potentially address those kinds of problems, but would also have the
> undesired affect of making it too complex for some users to understand.
> Indeed, there are already a lot of careless users who simply don't take the
> time to look at the permission listing or don't understand the implications.
> 
> Concerns about unauthorized access to private information by Android
> applications were raised earlier this year when a popular wallpaper
> application was found surreptitiously transmitting the user's phone number
> to a remote server in China
> <http://blogs.computerworld.com/16650/data_mining_android_apps> . Google's
> investigation of the matter revealed that the developer of the application
> was simply using the phone number as a unique identifier for user accounts
> and was not threatening the user's security or doing anything nefarious.
> Google responded by publishing
> <http://android-developers.blogspot.com/2010/08/best-practices-for-handling-
> android.html>  an overview of best practices for handling sensitive user
> information. Google temporarily disabled the application in the Android
> Market while performing a security review, but later reenabled it after
> finding no evidence of a serious threat.
> 
> Google's ability to remove unambiguously malicious applications from the
> Android Market protects users from the most egregious kinds of attacks, but
> obviously doesn't really address the multitude of gray areas where the
> implications of data collection and disclosure are more nuanced and don't
> constitute blatant abuse. It's really important to recognize that even
> highly invasive data collection by mobile applications doesn't necessarily
> pose a threat to users. There are millions of users who are happy to
> voluntarily concede privacy in exchange for free access to useful services.
> The key is that it has to be voluntary, which means that users have to know
> in advance that the information is going to be collected.
> 
> When a mobile advertising widget embedded in Android applications collects
> IMEI numbers so that it can correlate a user's activity across multiple
> applications for the purpose of extrapolating a behavioral profile that will
> support more effective targeted advertising, it's really not all that
> different from what prominent Internet advertising networks are already
> doing with cookies in the Web browser. 
> 
> For a more invasive example, consider a mobile application that perhaps
> reads your SMS messages looking for information about what kind of products
> your friends mention so that it can advertise to you more effectively. In
> practice, it's not profoundly different from what Google does with
> contextual advertising in GMail. It wouldn't surprise me at all if the
> possibility of doing exactly these kinds of things was a major factor in
> inspiring Google to create Android in the first place. As smartphones become
> ubiquitous, it's likely that users will be expected to give up more of their
> privacy in order to get access to the next generation of hot mobile
> applications and services.
> 
> Invasive mobile data collection by advertisers isn't necessarily bad if
> users are getting something of value in return. The real issue is whether
> the practice is coupled with an appropriate level of transparency and
> disclosure to the end user. What separates a legitimate business practice
> from an unacceptable abuse in data collection is whether the user was made
> aware in advance of how data is collected, used, and shared so that they can
> choose to opt out or refrain from using the product if it shares their
> sensitive information in ways that make them uncomfortable. Such problems
> are obviously not specific to Android or mobile operating systems in
> general, but the fact that smartphone platforms provide standardized APIs
> for accessing certain kinds of sensitive information make them higher-risk
> targets for subtle privacy invasions.
> 
> As Google says in its list of best practices that developers should adopt
> for data collection, providing users with easy access to a clear and
> unambiguous privacy policy is really important. Google should enhance the
> Android Market so that application developers can make their privacy
> policies directly accessible to users prior to installing, a move that would
> be really advantageous for end users. When applications share information
> improperly, don't conform with the stipulations of their privacy policies,
> or aren't suitably transparent about their data collection practices, tools
> like TaintDroid will be a powerful asset for enabling savvy users and
> privacy watchdogs to expose such abuses. The researchers behind the
> TaintDroid project will soon be publishing their results and plan to make
> the TaintDroid application available to the public in order to encourage
> further investigations. Their efforts to raise awareness of data collection
> by mobile applications is an important contribution to the advancement of
> safe mobile computing.
> 
> These results are being presented next week at the Usenix OSDI conference
> <http://www.usenix.org/events/osdi10/index.html> .