Here’s a heads-up for Android smartphone users. Researchers at Intel and two US universities have discovered that many Android apps routinely send private user information to advertising companies without the user’s knowledge — let alone permission.
Fortunately, not all Android apps are behaving in this underhand way. The researchers started with a selection from the Android Market that are designed to access such personal information as the smartphone’s location, then whittled the list down to the 30 most popular for use in their tests [PDF].
The bad news is that two-thirds of these apps used such information as GPS data, the telephone number, IMEI number and address book entries in a suspicious fashion, while half shared GPS data with advertising companies. In total, the researchers reckoned they found 68 examples of potential data misuse — all in a mere 30 apps.
To be fair, 68 apps out of a selection of the 70,000 available for Android is a very small sample, so the research isn’t saying that Android smartphones have a major privacy problem. The real problem is that while Android is reasonable enough to display a message about what information an app wants access to when it is first downloaded, this message doesn’t state what that data will be used for.
Here’s what Google, maker of Android, had to say:
“On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application. Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data.
When installing an application from Android Market, users see a screen that explains clearly what information the application has permission to access, such as a user’s location or contacts. Users must explicitly approve this access in order to continue with the installation, and they may un install applications at any time. Any third party code included in an application is bound by these same permissions. We consistently advise users to only install apps they trust.”
So, it looks like it’s up to Android smartphone users to pay attention to the information a new app requests access to before installing it — though we think Google should insist that all Android apps explicitly state how the information they collect will be used, too.