
Many More Android Apps Leaking User Data

eldavojohn writes "After developing and using TaintDroid, several universities found that of 30 popular free Android apps, half were sharing GPS data and phone numbers with advertisers and remote servers. A few months ago, one app was sending phone numbers to a remote server in China but today the situation looks a lot more pervasive. In their paper (PDF), the researchers blasted Google saying 'Android's coarse grained access control provides insufficient protection against third-party applications seeking to collect sensitive data.' Google's response: 'Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data. We consistently advise users to only install apps they trust.'"
  • by slaxative ( 1867220 ) on Thursday September 30, 2010 @01:34PM (#33749584)
    They finally get to the part I care about, which is the list of apps they tried. Look at page 9 of their paper in PDF format.
  • by BradleyUffner ( 103496 ) on Thursday September 30, 2010 @01:40PM (#33749692) Homepage

    All apps have access to r/w your sdcard, and to get your identity (esn/imei/meid/phone number). Once you give an app permission to access the internet, your identity and sdcard contents are public.

    Google needs to fix this. Don't believe me? Install a file manager app. Most won't ask for permission to access the sdcard, but they will be able to. Some permissions are granted without the app asking for it.

    Are you sure? In the app I wrote I had to explicitly request access to these in the application's manifest file, or get an error.
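Added example (not part of the original thread or of the TaintDroid paper): a small audit of a decoded `AndroidManifest.xml` that lists which sensitive data sources an app holds together with network access. It also accounts for the documented Android behaviour that `READ_PHONE_STATE` and `WRITE_EXTERNAL_STORAGE` are granted implicitly when `targetSdkVersion` is 3 or lower, which is one way both posters above can be describing what they saw. The function names and the two sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
P = "android.permission."
SENSITIVE = {  # data sources discussed in the thread
    P + "READ_PHONE_STATE": "phone number / IMEI",
    P + "ACCESS_FINE_LOCATION": "GPS location",
    P + "ACCESS_COARSE_LOCATION": "network location",
    P + "WRITE_EXTERNAL_STORAGE": "SD card write access",
}
# Android grants these without a manifest entry when targetSdkVersion <= 3.
LEGACY_IMPLICIT = {P + "READ_PHONE_STATE", P + "WRITE_EXTERNAL_STORAGE"}

def effective_permissions(manifest_xml):
    """Return (declared, implicit) permission sets for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(A + "name") for e in root.iter("uses-permission")} - {None}
    sdk = root.find("uses-sdk")
    attrs = sdk.attrib if sdk is not None else {}
    min_sdk = int(attrs.get(A + "minSdkVersion", 1))
    target = int(attrs.get(A + "targetSdkVersion", min_sdk))
    implicit = LEGACY_IMPLICIT - declared if target <= 3 else set()
    return declared, implicit

def leak_paths(manifest_xml):
    """List sensitive sources an app holds alongside network access."""
    declared, implicit = effective_permissions(manifest_xml)
    granted = declared | implicit
    if P + "INTERNET" not in granted:
        return []
    return sorted((SENSITIVE[p], "implicit" if p in implicit else "declared")
                  for p in granted if p in SENSITIVE)

NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
# Constructed sample manifests (not taken from any real app).
LEGACY = f'''<manifest {NS} package="example.legacy">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>'''
MODERN = f'''<manifest {NS} package="example.modern">
  <uses-sdk android:minSdkVersion="4" android:targetSdkVersion="8"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>'''

if __name__ == "__main__":
    for name, xml in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, leak_paths(xml))
```
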

  • Re:but its open.... (Score:1, Informative)

    by E IS mC(Square) ( 721736 ) on Thursday September 30, 2010 @01:42PM (#33749732) Journal
    You are confused between Android OS and Android Apps. But don't let that interfere with your bashing of "open" and love for Apple's walled garden. Please continue.
  • Re:Prevasive? (Score:3, Informative)

    by Dancindan84 ( 1056246 ) on Thursday September 30, 2010 @01:45PM (#33749796)
    It's a perfectly cromulent word comprising of:
    Pre, from the Latin prae meaning before, in front
    evasive, meaning tending or seeking to evade

    This submission was accepted prevasively to editing it.
  • by Qzukk ( 229616 ) on Thursday September 30, 2010 @01:48PM (#33749842) Journal

    Too bad after listing all the apps and what permissions they requested, they never named which of them misbehaved, only total numbers.

  • by grub ( 11606 ) * <slashdot@grub.net> on Thursday September 30, 2010 @01:51PM (#33749896) Homepage Journal

    it also leads to a massive incentive to get things to market before the competition, which causes a complete lack of QA in the release process.

    In the iOS world any app can try to read the GPS but the user is presented with a dialog asking for permission to do so. If it's an annoyance you can turn apps' permissions on or off individually in the Location options.

    From what I've read, Apple's review process runs apps through some pretty funky things looking for naughtiness.

    The odd piece slips through, of course, but I doubt it's half the popular programs as it sounds like it is for Android.
  • Re:But how? (Score:3, Informative)

    by Kenja ( 541830 ) on Thursday September 30, 2010 @02:09PM (#33750224)
    For example. If the fart sound generator you download needs access to your call log (which you are told when you install it) I wouldn't trust it.
  • by ceoyoyo ( 59147 ) on Thursday September 30, 2010 @07:31PM (#33754310)

    http://en.wikipedia.org/wiki/Mac_OS_X [wikipedia.org]: "Mac OS X (pronounced /mæk o s tn/ mak oh es ten)[6] is a series of Unix-based operating systems and graphical user interfaces...."

    http://arstechnica.com/apple/news/2007/08/mac-os-x-leopard-receives-unix-03-certification.ars [arstechnica.com]: Mac OS X Leopard receives UNIX 03 certification

    Oh, and mustn't forget:

    http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]: "As of 2006, there are relatively few security exploits targeting Mac OS X (with a Unix-based file system and kernel)."

    Well, you're right about something, one of us should have done his research before commenting.

  • by josh washington ( 1104565 ) on Thursday September 30, 2010 @07:56PM (#33754496)

    I think the flaw is it asks too late, and you can't block any of them to still use the App.
    IE I wanted an app to track car maintenance and MPG, I find the one that looks best, best reviewed...
    Now it comes up and says it wants phone, and internet access...
    Not needed for what I wanted, but what do I do now?
    Look for another, buy, install, and wait to see if it is worse?

    Would be nice if Google also disclosed that in the app market before choosing,
    then maybe developers would explain what they used the connections for...

    I'll grant you the facts that:

    • This might not be valid on older phones*
    • It might not be in plain sight

    but you CAN view which features an application needs before buying/installing/running it.

    This will let you review what privileges an app will have if you install it without requiring you to buy, install, and find out the hard way.
    If you have a problem with the app needing access to your fine GPS location (probably for adverts) instead of coarse Geo-IP location
    or receive an SMS, you could now avoid downloading this app (or buying it if it weren't free).
    If you scroll down, there's usually a section for further clarification [imageshack.us] on specific features requested.

    Disclaimer: I neither own nor am I affiliated with any application in the Android Market.

    * - My phone is 1 year old and runs Android 2.1, which (I believe) introduced the new Android Market.
    For reference, some older phones have 1.5/1.6, & the newest is 2.2.
