Android apps exploit permissions granted, French researchers find

One app in three accesses location, and two in three track users' identities, a study by CNIL and INRIA found

Android apps really do use those permissions they ask for to access users' personal information: one online store records a phone's location up to 10 times a minute, French researchers have found. The tools to manage such access are limited, and inadequate given how much information phones can gather.

In a recent study, ten volunteers used Android phones that tracked app behavior using a monitoring app, Mobilitics, developed by the French National Institute for Informatics Research (INRIA) in conjunction with the National Commission on Computing and Liberty (CNIL). Mobilitics recorded every time another app accessed an item of personal data -- the phone's location, an identifier, photos, messages and so on -- and whether it was subsequently transmitted to an external server. The log of the apps' personal information use was stored on the phone and downloaded at the end of the three months for analysis.

The volunteers were encouraged to use the phones as if they were their own, and together used 121 apps over the period from July to September. A similar study last year used a special iOS app to examine the way iPhone apps access users' personal data.

Many apps access phones' identifying characteristics to track their users, the researchers said. One of the few options users have to avoid this tracking is a switch in the "Google Settings" app to reset their phone's advertising ID. That's not much help, though, as apps have other ways to identify users. Almost two-thirds of apps studied in the three-month real-world test accessed at least one mobile phone identifier, a quarter of them at least two identifiers, and a sixth three or more. That allows the apps to build up profiles of their users for advertising purposes.

Location was one of the most frequently-accessed items of data. It accounted for 30 percent of all accesses to personal information during the test, and 30 percent of the apps studied accessed it at some point. The Facebook app recorded one volunteer's location 150,000 times during the three-month period -- more than once per minute, on average, while the Google Play Store tracked another user ten times per minute at times. Often, the only use apps make of such information is to serve personalized advertising, as was the case with one game that recorded a user's location 3,000 times during the study. The volume of data gathered is staggering: one app, installed by default on one of the phones, accessed the user's location 1 million times over the month.

Apps don't need many permissions to build up a comprehensive user profile, said INRIA researcher Vincent Roca. He described how, simply by requesting access to the permissions "Internet" and "Access_Wifi_State," an application could identify the phone through the MAC address of its Wi-Fi adapter and track its movements around the world. The app could even allow its developer to map the user's social network by sending information about the time at which it encountered particular Wi-Fi networks to a central server, where it could be compared with similar information from other phones to see who else was in the same place at the same time.

CNIL wants developers -- both of mobile apps and mobile operating systems -- to take more responsibility for what can be done with their products, and to make continued efforts to provide users with more tools to manage their privacy. CNIL president Isabelle Falque-Pierrotin said "privacy by design" should be developers' design philosophy, and called on them to minimize the collection of data not needed for apps to fulfill their purpose.

Peter Sayer covers general technology breaking news for IDG News Service, with a special interest in open source software and related European intellectual property legislation. Send comments and news tips to Peter at peter_sayer@idg.com.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags securitysmartphonesAndroidFrench National Commission on Computing and Liberty (CNIL)mobileprivacyFrench National Institute for Informatics Research (INRIA)mobile applicationsAndroid OSconsumer electronicsGoogle

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Peter Sayer

IDG News Service
Show Comments

Cool Tech

Crucial Ballistix Elite 32GB Kit (4 x 8GB) DDR4-3000 UDIMM

Learn more >

Gadgets & Things

Lexar® Professional 1000x microSDHC™/microSDXC™ UHS-II cards

Learn more >

Family Friendly

Lexar® JumpDrive® S57 USB 3.0 flash drive 

Learn more >

Stocking Stuffer

Plox Star Wars Death Star Levitating Bluetooth Speaker

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?