User beware: That mobile app is spying on you

A recent study of the 400 most popular iOS and Android apps reveals that nearly all free apps collect users' personal data.

Those apps you download on your smartphone may be free or very cheap, but there's a hidden price you should be aware of: loss of privacy.

The vast majority of the most popular iOS and Android mobile apps collect a variety of personal data from users, including location details, address book contacts and calendar information, according to a just-released survey by Appthority, a company that advises businesses on security.

The report does offer some significant good news. Appthority found that very few of the apps it analyzed carried malware.

Appthority, which says it has a catalog of around two million apps, analyzed a total of 400 of the most popular mobile apps available (based on downloads) in Apple's App Store and Google Play. When it comes to free apps, there was essentially no difference between the two platforms.

However, "paid iOS apps surprisingly collect more data and share that information with more third parties than Android paid apps, making iOS slightly more risky than Android. On the whole, free apps remain the most risky category, exhibiting the greatest number of risky behaviors across both platforms," according to Appthority.

Here's a breakdown of the most frequently collected data:

  • 82% of the top Android free apps and 49% of the top Android paid apps track user location
  • 50% of the top iOS free apps and 24% of the top iOS paid apps track user location

You might not expect a flashlight app or a calculator to track your location, but many do.

"One of the main reasons app developers initiate app tracking is to generate supplementary revenue by sharing app user data with advertising networks and analytics companies. In some cases, particularly with free apps, developers are paid based on the amount of data they collect and share about users," explains Appthority.

  • 30% of the top Android free apps and 14% of the top Android paid apps access user address books
  • 26% of the top iOS free apps and 8% of the top iOS paid apps access user address books

App developers often transmit users' contacts or even full address books. One reason is to increase the viral or network effects of the app. In other words, developers want to use owners' contacts to expand their customer bases. However, only a small percentage of the apps Appthority analyzed grabbed calendar or meeting invites.

  • 88% of the top Android free apps and 65% of the top Android paid apps access IMEI/UDIDs
  • 57% of the top iOS free apps and 28% of the top iOS paid apps access IMEI/UDIDs

IMEIs and UDIDs are unique serial numbers embedded in mobile phones. Appthority explained the risk associated with IMEI/UDIDs:

"Access to UDIDs is a concern because with a unique device identifier, developers can correlate user behavior across multiple apps (even if they have different usernames and passwords for each of the apps) and then match them to a unique user. While Apple has prohibited iOS developers from using UDIDs as a means to track and identify users, Appthority discovered that the new rule is only enforced on devices which are running the latest version of iOS."

This story, "User beware: That mobile app is spying on you" was originally published by CIO.
