Smartphone Apps: Is Your Privacy Protected?

Smartphone apps can do more than provide you with entertainment, information or useful services -- they can also invade your privacy.

Smartphone apps can do more than provide you with entertainment, information or useful services -- they can also invade your privacy.

Apps can trace your Web habits, look into your contact list, make phone calls without your knowledge, track your location, examine your files and more. They can also automatically send information such as location data to mobile ad networks.

Slideshow: 8 Essential Android Security Apps

Android Security: Six Tips to Protect Your Google Phone

In addition, apps can gather the phone number and the unique ID number of each type of phone: the Unique Device Identifier (UDID) on the iPhone, the International Mobile Equipment Identity (IMEI) number on the BlackBerry, and (depending on the make) the IMEI or the Mobile Equipment Identifier (MEID) on an Android phone. Personal information that apps gather about you can be matched to these IDs. That means that ad networks can easily combine various pieces of information collected by multiple apps, build a sophisticated profile about you -- and then legally sell that data to other marketing companies.

It's not as if you weren't warned. Before you download an app, you often get to see the kinds of information that the app will collect about you. On Android, for example, when you tap Install to download and install an app, a screen displays the "permissions" you grant it when you install it. In order to download and install the app, you must tap OK underneath the "Accept permissions" button. BlackBerry phones also cite permissions and Apple monitors all App Store apps for safety.

But do you actually pay attention to what's gathered? Have you ever not downloaded an app based on what information it indicates it's going to harvest about you? What do those notices really mean?

In this article, we'll detail the kind of privacy threats you face when using mobile apps, offer advice on ways you can protect yourself, and take a look at possible legislation that may -- or may not -- help.

What information do apps gather?

Researchers warn that a surprisingly high percentage of smartphone apps may threaten your privacy. In October 2010, joint research by Intel Labs, Penn State and Duke University found that 15 out of 30 Android apps analyzed sent geographic information to remote ad servers without users' knowledge. Seven of them also sent the unique phone identifier; in some cases, the actual phone number and serial number were sent to app vendors. This can enable app vendors and/or advertisers to create comprehensive profiles about your likes and dislikes, the places you visit when you carry your phone, your Web surfing habits and more. They can then use those profiles however they want or sell them to others.

Meanwhile, in June 2010, security vendor SMobile Systems found that 20% of Android apps allowed third parties (that is, companies other than the app vendors themselves) to get access to private or sensitive information. In addition, the report warned, 5% of the apps could make phone calls by themselves without user intervention and 2% could send an SMS text message to a premium, for-pay number -- again without the user making the call.

Apple's iOS is not immune to such threats. In January, a class-action suit filed in San Jose charged Apple, the music-streaming service Pandora and others with "transmitting [users'] personal, identifying information to advertising networks without obtaining their consent." The suit also charged that "some apps are also selling additional information to ad networks, including users' location, age, gender, income, ethnicity, sexual orientation and political views." The case is still winding its way through the courts.

This issue is enough of a worry that federal prosecutors are currently investigating whether iOS and Android apps obtain or transmit information about users without properly disclosing what they are doing, according to the Wall Street Journal. Pandora has already received a subpoena in the probe, according to the Journal.

The most comprehensive investigation into the kind of information that smartphone apps gather and how they use it may be one conducted by the Wall Street Journal itself. The Journal examined 101 popular iOS and Android apps and found that "56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders."

For example, the Journal found that that Pandora "sent age, gender, location and phone identifiers to various ad networks." The iOS and Android versions of a game called Paper Toss "sent the phone's ID number to at least five ad companies." The list goes on.

The Journal also found that, as a general rule, iOS apps sent more personal data than did Android apps, but the newspaper also noted that "because of the test's size, it's not known if the pattern holds among the hundreds of thousands of apps available."

The legal issues

There may be very little that you can do about one of the biggest privacy issues related to apps: What is done with your personal information after it is gathered by a mobile app.

You can try to check the apps themselves to see whether they have privacy policies in place. Typically, these policies can be found in a Settings screen, on an About This App tab or screen, or possibly through a link at the bottom of a screen. But few apps have or display these types of policies. TRUSTe and Harris Interactive recently studied the top 340 free iOS and Android apps and found that only 19% of them included links to privacy policies.

Troy H. Vennon of the Juniper Global Threat Center warns, "Many developers are collecting device information and storing that information on third-party servers as a means to build ad profiles or device profiles for delivering application content.... It's worth noting here that nearly all free applications use some sort of adware kit in order for the developers to generate revenue on their free applications. How many of these free applications are collecting and transmitting this 'private' device data to build those ad profiles?"

No one knows the answers to those kinds of questions, because there are no legal requirements to provide them.

Congress is concerned enough about the issue that it has held hearings on the matter. After a recent hearing of the Senate Judiciary Committee's privacy and technology subcommittee, Sen. Al Franken (D-Minn.), chairman of the subcommittee, called for Apple and Google to require that location-aware apps include privacy policies.

"Apple and Google have each said time and again that they are committed to protecting users' privacy," Franken wrote in a letter to the companies. "This is an easy opportunity for your companies to put that commitment into action."

However, that would be a relatively small step, because it would cover only location-aware apps, and would not limit how the apps share personal information, only that they reveal how they will use it.

Other senators would like to see the federal government take stronger measures. Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act in April, which would require any Web-based businesses, including mobile ones, to give a clear notice to consumers about what data is being collected about them. And Sen. Jay Rockefeller (D-W.Va.) introduced a bill that would in essence create a national do-not-track mechanism to allow users to opt out of being tracked. It would apply to mobile network operators, websites and ad networks.

It's not clear that either bill will pass, especially because they face opposition from groups such as the technology trade group Association for Competitive Technology (ACT).

How to protect yourself

Given all that, what can you do to protect your privacy when using apps?

First, keep this in mind: The very nature of using a mobile app exposes you to potential privacy intrusions. So you need to balance the benefit you expect to get from an app against the potential privacy risk.

Even the most rigorous privacy protectors don't say you should avoid downloading apps altogether. Rather, they say, the key is making sure that the app you're downloading truly requires the permissions it's asking for. If, for example, a single-player game asks for permissions to send SMS messages, that should be a clear warning sign, because there's no need for a game like that to send text messages.

Keep reading for a look at how some of the major mobile operating systems handle permissions -- and to learn what you can do to protect yourself.

-- Preston Gralla

Android: Permission granted?

Troy H. Vennon was a researcher with SMobile Systems when it conducted the research that found that 20% of Android apps allow third parties to get access to private or sensitive information. (SMobile Systems has since been acquired by Juniper, and Vennon is now research engineer with the Juniper Global Threat Center.) He emphasizes that, while every permission available to an Android developer has a legitimate purpose, it is important for consumer to decide whether the permissions demanded by a particular app are necessary.

"For example," he says, "in many cases the SEND_SMS permission is completely benign and has a legitimate purpose. But if that same permission is requested in an application that has no discernable SMS functionality, you may be looking at an SMS Trojan app that might be capable of sending SMS messages to premium rate numbers without the user's consent."

William Enck, who as a doctoral student at Pennsylvania State University was one of the researchers who found Android apps send geographic information about users to remote ad servers without the users' knowledge, says, "When you install a new application, look closely at the permissions listed.... Users can also contact developers if they do not understand why an application has certain permissions. I have done this several times, and in at least one case, the developer removed the permission."

According to Jay Nancarrow, a Google spokesperson, the permissions that an app displays before installation limit what the app can actually do -- essentially the app is "sandboxed" and can't get data outside the sandbox. So, for example, if you install an app that doesn't ask for permission to "read Browser's history and bookmarks," there's no way that app can subsequently get that information, he says.

Before you download an Android app, you're shown a list of permissions the app requires. Android has broad categories of permissions, such as "Network Communications," and "Your Personal Information." Underneath each of those broad categories are finer levels of permissions, such as "Read browser's history and bookmarks," "Read contact data" and "Write contact data." These finer-grained levels of permissions are what you should look at before downloading an app.

So which of the permissions should you check? Some, such as "Prevent phone from sleeping" have few, if any, privacy implications. But others you need to look at more closely.

Services that cost you money

Two subcategories of permissions could present problems: "Make phone calls" and "Send SMS or MMS." If an app can make phone calls, it could call a 900 number that charges you money, without your knowledge. The same holds true for sending SMS and MMS messages to services that charge you money. If you encounter a problem related those capabilities, you could end up spending several hours working things out with your carrier.

Your personal information

The "Read contact data" permission presents obvious privacy issues, because it means the apps can view all of your contact information. Keep in mind, though that plenty of apps legitimately need this permission in order to work -- examples include social networking apps, communications apps such as Skype and many others. The "Read calendar data, write calendar data" permission presents similar privacy issues.

Storage

The "Modify/delete SD card contents" permission creates obvious potential privacy risks, because it allows the app not just to write information to your SD card, but to read information from it as well, including your photos, music and more. Plenty of apps legitimately need this permission in order to work, such as camera apps, music apps, file management apps and others.

Network communications

The "Full Internet access" permission grants exactly what it says: Full access to sending and receiving data and making connections to external sources over the Internet -- without your knowledge. This is the holy grail for malware and privacy invaders, especially when combined with other permissions, such as "Read contact data," because a malicious app could send all your personal information to a server somewhere, and you wouldn't know it.

1 2 3 Page 1
Page 1 of 3
Survey says! Share your insights in our 2020 CIO Tech Poll.