In the past week, two studies have looked at a sampling of mobile phone apps and determined some of them are betraying our trust. Whether downloaded on our devices for fun or productivity, some of these bundles of fun are reporting on our location or trading away our personal information. Is this the end of the app party?
Last week, a study released by researchers at Duke University, Penn State University and Intel Labs found half of the apps were transmitting personal data. The researchers looked into randomly selected free Android apps. The personal data released included the user's location (via GPS) and phone number.
Hot on the heels of that study is one from Bucknell University that looked into iOS apps (iPhone). The news there wasn’t much better: they found many of the apps studied transmitted user-identifiable data back to their servers. Worse still, some of this info wasn’t encrypted and was even stored in plaintext. The Bucknell team studied 57 apps, about half of them free.
The worry here is that the apps in both studies transmitted not just some random phone identifier but the UDID, users' names or phone number. These bits of info can link the data back to the physical world. Quickly, questions get raised like, “why does a video game developer need my home address?”
“Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible—and technically, quite simple—for their browsing patterns, app usage, and physical location [to be] collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies,” wrote Bucknell University Assistant Director of Information Security and Networking Eric Smith, who authored the study paper.
Is it just a trade-off users are willing to make? For example, there is an airline app that uses GPS to tell users where the closest airport is and what the next flight home is. Now the app makes the request to use your GPS, but it doesn’t say it will only use it for this purpose. After users allow the functionality, there’s no telling when and why the app might use GPS info. Nefarious or not, it’s a security risk.
This raises some interesting questions. Should Apple, as the app gatekeeper for its App Store, do an end-to-end check of how securely an app transmits data and how that data is stored? How far should they go, and what will that mean for the approval process with over 200,000 apps already out there?
Or Android. Its app market is often compared to the Wild West, where there’s no sheriff, just apps that float in and out. Do these privacy issues make the Android Market any less attractive, knowing there is no gatekeeper? The end result seems to be the same: our apps are looking to betray us.