Skip to main content

Smartphone Apps Spread Personal Info, Study Finds

A recent study has found that many popular smartphone applications release consumers' personal information to online advertisers without their knowledge.

Researchers at Penn State, Duke University, and Intel Labs conducted a joint study to monitor and analyze, in real time, exactly what is done with the sensitive data users input when downloading smartphone apps to mobile devices. The findings indicate we aren't as safe as we think.

Fifteen of the apps tested were found to be sending user’s geographic location to remote advertising servers. Seven of the 30 apps, the study proved, shared the phone’s Interactive Mobile Equipment Identifier (IMEE) – similar to a hardware serial number that shows the exact type of handset being used. The IMEE codes were released without notifying the phone’s user. Two applications were also found to share phone numbers with a content server.

To gather this data, the researchers built what they call TaintDroid, a framework within the Android mobile phone platform that can mark and track information as it leaves the phone’s Application Programming Interface (API). Some of the tracked apps include: The Weather Channel, Trapster, BBC News Live Stream, Yellow Pages, MySpace, and gaming apps such as Hearts, Solitaire, Blackjack, and Spongebob Slide.

In all, 20 of the 30 apps sent off data to another party without the user’s knowledge or consent, explained William Enck, a Ph.D student in computer science and engineering at Penn State who worked on the study. It's a statistic that is cause for concern.

“When you install an app on an Android phone, it lists permissions that app has,” Enck said. “What it doesn’t do is say what that application is going to do with that info.”

Enck, an Android user himself, said he will continue to download apps, even if the study’s findings have made him slightly wary.

“I’m very vigilant in the applications I choose to download,” Enck said. “It’s kind of like browsing the web. You have to make your own judgments. It’s probably best to assume the worst. You want to be better safe than sorry.”

The full report will be presented at the USENIX Symposium on Operating Systems Design and Implementation in early October in Vancouver.