Android apps caught sending GPS, phone numbers to ad firms

October 1, 2010

A new joint study from Duke University, Intel Labs and Penn State University has found that some Android apps are sending excessive and potentially dangerous levels of location and personal info to ad producers. Of 30 free, successful apps, about half were sending advertisers the user’s GPS position and even phone number, beyond what the apps were known to do. The updates would occur even when no ads were running, Ars Technica noted, and could occur as often as every 30 seconds.
Many of the details were collected with a custom-built tool, TaintDroid, which looked for instances when an app might be sending private information to an outside server; these could then be compared against the actual usage patterns.
Concerns have been mounting that Google’s approach to privacy policies and notifications is allowing advertisers or app developers themselves to misuse personal information without the knowledge or consent of the users. Android apps regularly show a notice before download listing what access is required, but the notices aren’t specific about how the information will be used or its ultimate destination. A controversy briefly erupted this summer when a wallpaper app was caught sending information to China, although it was discovered afterwards that less was being sent than Google’s own app warnings implied.
The OS has also had an issue with apps that can potentially be malicious without triggering any alerts, such as a proof-of-concept exploit sent out this summer.
Google hasn’t responded to the initial details of the study, which will be published in full at the Usenix Symposium on OS Design and Implementation next week in Vancouver, but it has so far recommended only that developers provide a simple way of accessing the privacy policy for a given app once it’s already installed.
The approach contrasts sharply with that of Apple. While iOS developers have a smaller set of possible app features, Apple has explicitly prevented apps from using GPS primarily for advertising and requires that apps ask the user for permission to use location info. Sending excess information is still a possibility for iPhone apps and other devices but is more likely to be caught earlier.
