Android apps share more sensitive data than users realize

analysis
Sep 29, 2010 | 2 mins

Study finds Android apps exploit lackluster controls and vague EULAs to gather and share users' sensitive data

Even the most cautious of privacy-conscious Android users may be unwittingly sharing more sensitive data with more third parties than they realized — or even intended to authorize.

In a recent joint study by Duke University, Penn State, and Intel Labs, researchers found that 15 of 30 popular Android applications sent users’ geographic location to remote advertisement servers — even though users may have only granted the app permission to access that data for the sake of unlocking location-based features.


Meanwhile, seven of the 30 applications — without explicit warning — sent the unique phone (hardware) identifier and, in some cases, the phone number and SIM card serial number to developers. All in all, researchers found that two-thirds of the applications in the study exhibited “suspicious handling of sensitive data.”

Android app developers are able to pull off these feats of data collection, according to the study, because “mobile-phone operating systems currently provide only coarse-grained controls for regulating whether an application can access private information, but … little insight into how private information is actually used. For example, if a user allows an application to access her location information, she has no way of knowing if the application will send her location to a location-based service, to advertisers, to the application developer, or to any other entity.”
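The gap described above is between the permission an app holds (it may read location or the phone's identifiers) and where that data is then sent. One way to make such flows visible is to treat each sensitive value the platform hands the app as a label and check which remote hosts later receive it. The script below is an added illustration, not part of the original article or of the study's tooling: it runs that check over a constructed log of outbound requests, classifying destinations as the developer's own backend or an advertising network. All identifiers, coordinates, host names and app names are placeholders, and the host lists stand in for whatever a real deployment would maintain.

```python
from collections import defaultdict
from urllib.parse import urlparse, unquote

# Constructed "taint sources": placeholder values standing in for what the
# platform hands an app once it holds the matching permission. None are real.
DEVICE_TAINTS = {
    "imei": "356938035643809",            # READ_PHONE_STATE
    "phone_number": "15555550123",        # READ_PHONE_STATE
    "sim_serial": "8901260123456789012",  # READ_PHONE_STATE
    "location": "35.9940,-78.8986",       # ACCESS_FINE_LOCATION, "lat,lon"
}
IDENTIFIER_LABELS = {"imei", "phone_number", "sim_serial"}

# Constructed host lists; a real checker would pair an app's own backend with a
# maintained list of advertising networks.
AD_HOSTS = {"ads.example-adnet.test"}
DEVELOPER_HOSTS = {"api.example-app.test"}


def classify_host(host):
    if host in AD_HOSTS:
        return "advertising"
    if host in DEVELOPER_HOSTS:
        return "developer"
    return "unknown"


def taints_in_request(url, body=""):
    """Labels whose value appears in the percent-decoded URL or body.
    Location matches either as 'lat,lon' or as the two components separately,
    so both 'loc=lat%2Clon' and 'lat=..&lon=..' are caught."""
    text = unquote(url) + "\n" + unquote(body)
    found = set()
    for label, value in DEVICE_TAINTS.items():
        if label == "location":
            lat, lon = value.split(",")
            if lat in text and lon in text:
                found.add(label)
        elif value in text:
            found.add(label)
    return found


def summarize_flows(requests):
    """Map (app, host, host_kind) -> set of taint labels that reached that host."""
    flows = defaultdict(set)
    for app, url, body in requests:
        labels = taints_in_request(url, body)
        if labels:
            host = urlparse(url).hostname
            flows[(app, host, classify_host(host))] |= labels
    return dict(flows)


def suspicious_flows(flows):
    """Flag the two patterns the study reports: any sensitive value sent to an
    advertising host, and a hardware identifier sent anywhere at all."""
    findings = defaultdict(set)
    for (app, host, kind), labels in flows.items():
        for label in labels:
            if kind == "advertising" or label in IDENTIFIER_LABELS:
                findings[app].add((label, host, kind))
    return dict(findings)


# Constructed outbound requests, as a proxy or instrumented runtime might log them.
SAMPLE_REQUESTS = [
    ("WeatherApp", "https://api.example-app.test/forecast?lat=35.9940&lon=-78.8986", ""),
    ("WeatherApp", "https://ads.example-adnet.test/serve?loc=35.9940%2C-78.8986&imei=356938035643809", ""),
    ("GameApp", "https://api.example-app.test/register", "imei=356938035643809&sim=8901260123456789012"),
    ("NotesApp", "https://api.example-app.test/sync", "note=grocery+list"),
]

if __name__ == "__main__":
    for app, items in sorted(suspicious_flows(summarize_flows(SAMPLE_REQUESTS)).items()):
        for label, host, kind in sorted(items):
            print(f"{app}: {label} -> {host} ({kind})")
```

On the sample log, WeatherApp's location request to its own backend is recorded but not flagged (that is the use the permission was granted for), while the same coordinates plus the IMEI going to the ad host are, as is GameApp's registration call that ships the IMEI and SIM serial to the developer. Matching on exact values is the simplest form of this check; it misses hashed or encrypted identifiers, which is one reason the study instrumented the runtime rather than inspecting traffic alone.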

Further, researchers found that the applications’ EULAs — or rather, those of the applications that actually had EULAs — were not explicit about what sort of data the app was collecting or who would receive that data. For example, the study found that seven of nine applications collected the user’s IMEI, a device-specific identifier, without disclosing the practice in an EULA. Scammers have been known to steal valid IMEIs, then reuse them to activate stolen devices.

The moral in all this remains “download mobile-phone apps with discretion,” a mantra that doesn’t apply only to Android users. At the BlackHat conference in August, Lookout Mobile Security revealed that third-party smartphone apps for both Android and iPhone were stealing user information and transmitting it to China.

This article, “Android apps share more sensitive data than users realize,” was originally published at InfoWorld.com.