Is your Android phone spying on you?

A new study reveals that many popular Android apps are tracking your location and your handset without telling you.

Got an Android phone? Installed apps from the Android Market? Congratulations, you have been named the Mayor of We Know Where You Went and What You Did Last Week.

Even if you never use services like Foursquare or Facebook Places or Google Latitude to announce your physical location to the world, the apps you have installed may be capturing this information and sharing it with advertisers -- without your knowledge or consent.

A study by researchers at Duke University, Penn State, and Intel Research Labs has revealed that Android apps are collecting location information from users' GPS phones and sharing it without notifying users or asking for permission.

The researchers looked at 30 popular Android apps, including The Weather Channel, MySpace, Evernote, BBC News Live Stream, Yellow Pages, and Spongebob Slide. They used a home-made tool called TaintDroid to track what data was being shared and with whom. The skinny:

  • Two thirds of these apps violated user privacy by sharing location data or information that could identify individual handsets.

  • Half of them sent user location information to advertising networks like Admob or analytics companies like Flurry without user consent.

  • Seven of the apps sent the unique device identification numbers of the GSM user and the handsets' SIM card to their servers.

  • Two of the apps captured the users' cell phone number along with the ID number and the users' geographical coordinates.

Nice.

Mind you, if the police wanted this information, they'd need a court order. These apps are doling it out like candy to advertising firms and storing it on their own servers. Per the study [PDF]:

"This finding demonstrates that Android’s coarse-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data. Moreover, we found that one application transmits the phone information every time the phone boots. While this application displays a terms of use on first use, the terms of use does not specify collection of this highly sensitive data."

The study did not name which applications shared each kind of information -- a shame, really, because the ones that did not are tarred with the same brush as the guilty ones. Me, I'd uninstall all of them, just to be safe.

Here's the full list of apps tested, both guilty and innocent:

The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Live, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote.

I've written before about why location privacy is important and how your location data is mostly up for grabs. But the reality is proving far worse than even I imagined. Simply by installing an app, you could be transmitting a stream of data indicating where you are 24/7 that isn't protected by any law yet on the books.

While this study was limited to Android apps, the problem is not. I expect to hear a lot more about other apps slurping up GPS and handset information, either accidentally or deliberately, on other handset platforms. The reason we're hearing about Android first is that Android is open source and easier for researchers to access.

It seems the location chickens are coming home to roost. Let's hope you don't end up with egg all over you.

When ITworld TY4NS blogger Dan Tynan isn't uninstalling Android apps, he's spreading snark across the InterWebs via eSarcasm (Geek Humor Gone Wild). Follow him on Twitter: @tynan_on_tech.
