A recent research report has called into question the practices of some Droid apps. The study looked at the top 30 downloaded Droid apps in the Droid market. These apps gather and then transmit information from Droid-enabled phones and then transmit the information to third parties. While some of the apps may ask for permission, it was found that the disclaimers did not justly or fully disclose all that the apps had access to and what they could share.
The researchers used an Android-based program called TaintDroid. The Android app simply logged and recorded how often information was shared, along with what information was shared. Researchers were surprised at both the frequency at which some apps sent information, along with breadth of the information that apps had access to share.
One app sent location information every 30 seconds to third party recipients letting them know exactly where users were at any given time. This certainly should raise some eyebrows since, while asking to share the user’s location, the app made no indication of the frequency it would transmit it. The app also failed to mention that it was capable of sharing that information even while being idle.
Fifteen other apps did not ask for permission at all before sharing location information of users with third parties. This is a real privacy concern for people who do not want to be tracked by third parties who may not have their best interest in mind. This also raises some legal concerns for the third parties behind these apps.
A number of other apps were found to share a great deal of personal information about the user and their phone without informing the user. Information transmitted to third parties could be phone numbers, their SIM card serial number and other device-specific information. This information could be used as a means to advertise directly to users or for other malicious acts.
Concern initially spurred when Android users were urged not to download Tap Snake, an app found on the Droid marketplace. It was suspected, and then later confirmed, to be a piece of malware that had passed Google’s screening methods and found its way onto the market. The malware, when downloaded, would copy and transmit any personal information it could access to third parties.
This brings a level of serious concern to apps that was not there previously. While the study only looked at Android-based apps, who knows what is lurking in apps of any other sort? Typically, most people don’t read through the agreements apps ask for when they need permission to transmit information. This creates a question of just what sort of data we are allowing our smart devices to transmit about us, and if we really feel comfortable not truly knowing what our devices are doing. It also raises the question of whose responsibility it is to ensure the safety of user information: is safety up to the user, or should the companies who run the marketplaces be held accountable?