Android apps exploit permissions granted, French researchers find

One app in three accesses location, and two in three track users' identities, a study by CNIL and INRIA found

Android apps really do use those permissions they ask for to access users' personal information: one online store records a phone's location up to 10 times a minute, French researchers have found. The tools to manage such access are limited, and inadequate given how much information phones can gather.

In a recent study, ten volunteers used Android phones that tracked app behavior using a monitoring app, Mobilitics, developed by the French National Institute for Informatics Research (INRIA) in conjunction with the National Commission on Computing and Liberty (CNIL). Mobilitics recorded every time another app accessed an item of personal data -- the phone's location, an identifier, photos, messages and so on -- and whether it was subsequently transmitted to an external server. The log of the apps' personal information use was stored on the phone and downloaded at the end of the three months for analysis.

The volunteers were encouraged to use the phones as if they were their own, and together used 121 apps over the period from July to September. A similar study last year used a special iOS app to examine the way iPhone apps access users' personal data.

Many apps access phones' identifying characteristics to track their users, the researchers said. One of the few options users have to avoid this tracking is a switch in the "Google Settings" app to reset their phone's advertising ID. That's not much help, though, as apps have other ways to identify users. Almost two-thirds of apps studied in the three-month real-world test accessed at least one mobile phone identifier, a quarter of them at least two identifiers, and a sixth three or more. That allows the apps to build up profiles of their users for advertising purposes.

Location was one of the most frequently-accessed items of data. It accounted for 30 percent of all accesses to personal information during the test, and 30 percent of the apps studied accessed it at some point. The Facebook app recorded one volunteer's location 150,000 times during the three-month period -- more than once per minute, on average, while the Google Play Store tracked another user ten times per minute at times. Often, the only use apps make of such information is to serve personalized advertising, as was the case with one game that recorded a user's location 3,000 times during the study. The volume of data gathered is staggering: one app, installed by default on one of the phones, accessed the user's location 1 million times over the month.

Apps don't need many permissions to build up a comprehensive user profile, said INRIA researcher Vincent Roca. He described how, simply by requesting access to the permissions "Internet" and "Access_Wifi_State," an application could identify the phone through the MAC address of its Wi-Fi adapter and track its movements around the world. The app could even allow its developer to map the user's social network by sending information about the time at which it encountered particular Wi-Fi networks to a central server, where it could be compared with similar information from other phones to see who else was in the same place at the same time.

CNIL wants developers -- both of mobile apps and mobile operating systems -- to take more responsibility for what can be done with their products, and to make continued efforts to provide users with more tools to manage their privacy. CNIL president Isabelle Falque-Pierrotin said "privacy by design" should be developers' design philosophy, and called on them to minimize the collection of data not needed for apps to fulfill their purpose.

Peter Sayer covers general technology breaking news for IDG News Service, with a special interest in open source software and related European intellectual property legislation. Send comments and news tips to Peter at peter_sayer@idg.com.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags privacymobilesmartphonesGoogleAndroidmobile applicationsconsumer electronicsAndroid OSFrench National Commission on Computing and Liberty (CNIL)French National Institute for Informatics Research (INRIA)

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Peter Sayer

Peter Sayer

IDG News Service
Show Comments

Brand Post

Bitdefender 2019

Taking cybersecurity to the highest level and order now for a special discount on the world’s most awarded and trusted cybersecurity. Be aware without a care!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?