Android apps really do use those permissions they ask for to access users’ personal information. French researchers found that one online store records a phone’s location up to 10 times a minute. The tools to manage such access are limited, and inadequate given how much information phones can gather.
In a recent study, ten volunteers used Android phones that tracked app behavior using a monitoring app, Mobilitics, developed by the French National Institute for Informatics Research (INRIA) in conjunction with the National Commission on Computing and Liberty (CNIL). Mobilitics recorded every time another app accessed an item of personal data—the phone’s location, an identifier, photos, messages and so on—and whether it was subsequently transmitted to an external server. The log of the apps’ personal information use was stored on the phone and downloaded at the end of the three months for analysis.
The volunteers were encouraged to use the phones as if they were their own, and together used 121 apps over the period from July to September. A similar study last year used a special iOS app to examine the way iPhone apps access users’ personal data.
Many apps access phones’ identifying characteristics to track their users, the researchers said. One of the few options users have to avoid this tracking is a switch in the Android Settings panel to reset their phone’s advertising ID. That’s not much help, though, as apps have other ways to identify users. Almost two-thirds of apps studied in the three-month real-world test accessed at least one mobile phone identifier, a quarter of them at least two identifiers, and a sixth three or more. That allows the apps to build up profiles of their users for advertising purposes.
Location was one of the most frequently-accessed items of data. It accounted for 30 percent of all accesses to personal information during the test, and 30 percent of the apps studied accessed it at some point. The Facebook app recorded one volunteer’s location 150,000 times during the three-month period—more than once per minute, on average, while the Google Play Store tracked another user ten times per minute at times. Often, the app use that information to serve personalized advertising, as was the case with one game that recorded a user’s location 3,000 times during the study. The volume of data gathered is staggering: one app, installed by default on one of the phones, accessed the user’s location 1 million times over the month.
Apps don’t need many permissions to build up a comprehensive user profile, said INRIA researcher Vincent Roca. He described how, simply by requesting access to the permissions “Internet” and “Access_Wifi_State,” an application could identify the phone through the MAC address of its Wi-Fi adapter and track its movements around the world. The app could even allow its developer to map the user’s social network by sending information about the time at which it encountered particular Wi-Fi networks to a central server, where it could be compared with similar information from other phones to see who else was in the same place at the same time.
CNIL wants developers—both of mobile apps and mobile operating systems—to take more responsibility for what can be done with their products, and to make continued efforts to provide users with more tools to manage their privacy. CNIL president Isabelle Falque-Pierrotin said “privacy by design” should be developers’ design philosophy, and called on them to minimize the collection of data not needed for apps to fulfill their purpose.