July 21, 2011, 11:44 AM — It may become fashionable once again to carry a cell phone somewhere other than your pocket once news gets out of a study showing that 8 percent of the Android apps leak.
Of 10,000 Android apps surveyed, 800 leak private information about the user to either the programmer or a third-party server not authorized by the user to get the information, according to Neil Daswani, CTO of Dasient which analyzed the Android apps, who will present the full report at Black Hat in Las Vegas Aug. 4.
That level of leakage is only possible because the Android market is not rigorously controlled in the same way Apple controls the iOS applications market. Apple's control filters out much of the malware and adware Google has to keep pulling from its Apps Market, but also limits the kinds of function and content iOS users have available.
If the number of apps taking private data without permission is only 8 percent, it's a huge improvement from May, when a study from a German security firm estimated 99 percent of Android apps leaked users' identification data.
That leakage was due to a flaw in which the authentication token required for an application to continue interacting with a web site were being sent in clear text, where they could easily be intercepted by identity thieves.
Because most of those tokens identified the user but weren't tied to a particular phone, tokens that were intercepted could be used by fraudsters easily from any device they chose.
The Dasient study looked at the purposeful behavior of individual Android apps, however, not at flaws in the OS itself.
It did not release much information on what kind of data the apps are leaking, however. Daswani will reveal those details at Black Hat.
In September, 2010, however, researchers at Duke, Penn State and Intel found a large number of Android apps were sending data from the phones' GPS systems to either their developers or third parties, usually without the knowledge or permission of the owner.
Other information being poached could include what competitive apps are running on a phone, a user's phone number and address, the owner's list of other contacts with all their contact information, or simply the type of searches, requests and other uses the phone owner makes of a particular app.