More than half of iPhone and Android apps routinely share the personal data of their users with outside companies, a Wall Street Journal investigation has found.
Specifically, 56 of the 101 popular smartphone apps examined by the newspaper were found to transmit the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven of the apps transmitted the phone’s location, and five sent age, gender, and other personal details to third parties.
iPhone apps transmitted more data than the Android apps did, the study found. Among the worst offenders was TextPlus 4, an iPhone app for text messaging that sent the phone’s unique ID number to eight ad companies as well as the zip code, age, and gender of the phone’s user to two of them.
“Apple says iPhone apps ‘cannot transmit data about a user without obtaining the user’s prior permission and providing the user with access to information about how and where the data will be used,'” the Journal reported. Nevertheless, “many apps tested by the Journal appeared to violate that rule.” Apple also declined to discuss how it interprets or enforces that policy, it added.
Age, Gender, Location, Unique ID
Music app Pandora was another key offender, with both its iPhone and Android versions sending age, gender, location, and phone identifiers to various ad networks. Both versions of Paper Toss, meanwhile, sent the phone’s ID number to “at least five ad companies,” the Journal reported, while Grindr–an iPhone app targeting gay men–sent gender, location, and phone ID to three ad companies.
Despite the fact that Apple says apps must ask permission before revealing information, the Pumpkin Maker iPhone app, for example, transmits location information to an ad network without doing so, the Journal found.
Permission is not required on either Apple’s or Google’s platform to access some forms of the device ID, or to send it to outsiders.
“The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them,” the Journal wrote on Saturday.
No Written Privacy Policies
Several of the app makers involved said the data they transmit isn’t linked to the individual’s name, while details such as age and gender are volunteered by users, the Journal noted.
Yet a full 45 of the 101 apps examined don’t even offer written privacy policies, it found; in fact, neither Apple nor Google requires one.
Overall, the most commonly shared piece of information was the unique ID number assigned to every phone; it’s known as the “UDID” on iPhones. Such IDs normally can’t be blocked or deleted.
‘It’s Nearly Impossible to Prevent’
So what can business and individual users do about all this leaking? “Not much,” according to the Wall Street Journal.
“It’s nearly impossible to prevent cell phone apps from transmitting information about a phone and its owner,” the publication wrote.
To restrict tracking by location, the user can turn off the phone’s location services, but that might also limit features like maps. And the “opt out” capabilities offered by some mobile marketing companies don’t typically apply to apps, the Journal noted.
iPhone users can prevent the transmission of location data by going to “settings” and “general,” it suggested; those with iOS 4 can control access even more finely by clicking on “location settings” and scrolling down the list of apps.
Top Suggestions
“The most important thing a user can do is pay attention to the information each app is requesting,” the Journal noted.
What’s most important to focus on? Among the Journal’s suggestions:
* Watch for any app that asks to access “your personal information” in the list of permissions. As I’ve noted before, sometimes that kind of request makes sense; other times, it doesn’t.
* Avoid apps you don’t trust that request the ability to “read phone state and identity,” which is listed under the “phone calls” heading.
* Turn off location capabilities by adjusting your location settings. As noted above, however, this could mean maps won’t work.
Follow Katherine Noyes on Twitter: @Noyesk.