Researchers from Duke University, Penn State University, and Intel Labs have come to a disturbing conclusion for Android users. Two thirds of the 30 apps they examined are sending user data to advertisers without notice or permission. The researchers used a technique called dynamic taint analysis to determine when apps send personal information to remote servers. They named their spy-on-spyware app TaintDroid.
In this case “taint” means labeling what’s being tracked, in this case sensitive user information. TaintDroid was designed to track use of personal information in real-time on an Android device, to determine where it is copied or sent. Any sensitive information that leaves the device is logged, showing the app responsible, the data labels, and the location where the labeled information was sent.
They then let TaintDroid loose on 30 popular and free apps that required permissions, randomly chosen from Android Market. Half of them sent user information, including the phone owner’s location and phone number. Seven sent on the device ID, including some that sent the phone number or SIM card serial number. In some extreme cases, TaintDroid found the apps sending updated GPS coordinates to the advertising networks as often as every 30 seconds, even when no advertisements were being displayed.
Advertising servers which received users’ location information were admob.com, ad.qwapi.com, ads.mobclix.com and in binary format via FlurryAgent to server data.flurry.com. Google Maps also created binary payloads of location information which were sent to remote servers.
Before you download an app from Android Market, you are told which functions the app will use, and give your consent. But what the Market doesn’t tell you is why the software needs access to your location coordinates, for example. You have to decide whether to give permission or cancel the app download. A multiplayer game could use those coordinates to find other players near you, but then also use those coordinates to send them on to advertisers. So even though you agree to let the game access your GPS, you wouldn’t know if that information was being given to a third party. Or multiple third parties.
Currently, web users are tracked with cookies and Flash beacons and many other techniques, allowing advertisers to build a behavior profile for every individual. Ads are then perfectly targeted because of what websites each person visited, which ones they purchased something, and how long they spent on each site. Most people have no idea just how specifically they are being tracked (if you’re interested in how advertisers track you, this Wall Street Journal series does a good job explaining it).
These secret notifications use your phone’s capabilities just as the data-mining and tracking companies use your computer’s browser. As new tracking techniques are publicized, software developers provide ways to cover your tracks. Similarly, this report is also going to lead to new Android privacy apps, as users will want to know who their phone is reporting to.
Google has developed a list of best practices for data collection by Android apps. This was in response to the Android privacy scare over a wallpaper app sending information to a server in China. Ars Technica recommends that Google strengthen their published practices by requiring links to privacy policies be made available in the Android Market, along with the developers’ contacts. Of course, privacy policies do no good if an app was posted with malicious intent in the first place.
The TaintDroid team will be presenting their results at the Usenix OSDI conference, and you can read their 15 page paper (PDF). After publishing the study’s findings, they plan to release the TaintDroid code as open source. Currently the only way to use TaintDroid is by creating a custom ROM and flashing it to an Android device. Once the source code is available, developers may be able to turn it into Market apps. Users can then find out which apps are revealing more than they bargained for.