Android Apps Secretly Sending GPS Information to Advertisers


Android security seems to be on everyone’s mind again as its apps are, yet again, sending out data unbeknownst to its users. This time, some apps have been found to be sending GPS data to advertisers without the user’s consent or awareness. Researchers from Duke University, Penn State University and Intel Labs have developed a security program called TaintDroid, which probably sounds more dirty than it should, that “uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.”
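To make "dynamic taint analysis" concrete, here is a small added example (not TaintDroid's code and not from the researchers): sensitive values are labelled at their source, the labels follow the data through string operations, and a network sink reports anything labelled that leaves. Every name, host and value in it is a constructed assumption.

```python
# Toy dynamic taint tracking: labels attach at sources, follow the data
# through string operations, and are checked at a network sink.
# All names, hosts and values below are constructed for illustration.

class Tainted(str):
    """A string that remembers which sensitive sources it derives from."""
    def __new__(cls, value, labels=()):
        obj = super().__new__(cls, value)
        obj.labels = frozenset(labels)
        return obj

    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.labels | labels_of(other))

    def __radd__(self, other):  # plain str + Tainted keeps the label too
        return Tainted(str.__add__(other, self), self.labels | labels_of(other))

def labels_of(value):
    return getattr(value, "labels", frozenset())

def join(sep, parts):
    """Taint-preserving join: the result carries the union of all labels."""
    parts = list(parts)
    labels = frozenset().union(labels_of(sep), *(labels_of(p) for p in parts))
    return Tainted(str.join(sep, parts), labels)

def get_location():  # source (constructed coordinates)
    return Tainted("36.0000,-79.0000", {"LOCATION"})

def get_phone_number():  # source (constructed number)
    return Tainted("+15555550100", {"PHONE_NUMBER"})

REPORTS = []

def network_send(host, payload):
    """Sink: record every labelled payload headed to a remote server."""
    labels = labels_of(payload)
    if labels:
        REPORTS.append((host, sorted(labels)))
    return len(payload)

def run_sample_app():
    REPORTS.clear()
    query = "lat_lon=" + get_location()
    beacon = join("&", ["app=demo", query, "msisdn=" + get_phone_number()])
    network_send("ads.example.invalid", beacon)          # reported
    network_send("scores.example.invalid", "score=4200")  # clean, not reported
    return list(REPORTS)
```

Operations this toy does not override, such as slicing, return a plain `str` and silently drop the label, which is why practical taint trackers instrument the runtime rather than rely on wrapper types.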

Ars Technica reports:

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user’s location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.

It may be unnerving to know that TaintDroid showed that these apps, while running, are transmitting your location every 30 seconds! However, if you’re unaware of the GPS service that these apps use and unable to opt in or out of it, it does get a little tricky if you feel like your privacy or security is being violated.

When you install some Android apps, they explicitly state what the app will have access to before you allow permission to install. I’ve found myself changing my mind at the last minute when I see a game or some utility app says it will require access to the phone’s GPS. Why?

Earlier this year, Android users were in an uproar when a wallpaper app was discovered to be sending user data to unknown servers in China. Prior to that incident, there were other concerns for Android security when two apps were remotely killed by Google for violating its terms and conditions. The two apps ended up not being malicious, but questions were raised about the applications in the Android Market and whether Google was being stringent enough on user safety.

The report with TaintDroid continues:

As Google says in its list of best practices that developers should adopt for data collection, providing users with easy access to a clear and unambiguous privacy policy is really important. Google should enhance the Android Market so that application developers can make their privacy policies directly accessible to users prior to installing, a move that would be really advantageous for end users.

And what if the app developer starts out with malicious intent rather than with security in mind?

[Via: Ars Technica, photo]

  • Sandor

    ++fud

    [quote]
    When you install some Android apps, they explicitly state what the app will have access to before you allow permission to install. I’ve found myself changing my mind the last minute when I see a game or some utilities app says it will require access to the phone’s GPS. Why?
    [/quote]

    Not of SOME, but of ALL applications the permissions are listed upon installation. Furthermore, do not attribute to maliciousness what can be explained by stupidity, e.g. bad programming techniques.

  • jerry

    The Android permissions interface is not sufficient.

    Users should be

    1. Told what permissions are required and generically what those perms do — this is the status quo
    2. Told specifically why this specific app needs those permissions
    3. Given the opportunity to give an app some permissions but not all
    4. Provided app specific firewall/permissions logging. This app opened the net five times in the past 10 minutes, and accessed 20 of your contacts, and sent two sms messages, …

    Developers should write their apps so that they fail on lack of permission gracefully. No net access? Fine, don’t log the high score to the net. No position access? Fine, don’t send the user position out.

  • Slobodan

    This is b**it.
    This is something that every android programmer knows, and I am the one, it is no secret.
    It has nothing to do with bad or good programming. Mobile ad networks: admob, mobclix… are deploying their SDK which in order to deliver targeted ads reads GPS position.

    Most programmers are just linking in mobile SDK into their applications and have no idea how ads are displayed…

    this is not news, just sensationalism

  • gdigenis

    if you really want to be helpful you would include the names of the apps that are sending out info, otherwise you are just being a parrot and repeating what someone else said without really discussing it. and that wallpaper app you mentioned turned out to not be malicious, but thanks for the full story
