Android App Spygate: Tips to Put an End to Spying Apps
By Ian Paul
Worried your Android apps are spying on you? You should be, according to a recent study that found several popular Android apps regularly share your location and critical phone data, such as your phone number, with advertisers and others. Researchers from Intel Labs, Penn State, and Duke University randomly selected 30 out of 358 popular apps from the Android Market for this study. The computer scientists were able to track each application’s behavior using a special monitoring program called TaintDroid, which the researchers developed.
Here’s a breakdown of the researchers’ findings:
- 15 popular Android apps sent location information to advertisers without requiring user consent
- 9 apps transmitted a user’s International Mobile Equipment Identity (IMEI) number, a unique device identifier
- 7 out of those 9 apps did not mention IMEI collection in their End User License Agreements, including one unnamed popular social networking app and one unnamed location-based search application
- 2 applications transmitted a user’s phone number and ICC-ID (a SIM card’s serial number), both of which are unique identifiers
While those findings may sound scary, the good news is I’ve got 7 tips for you to keep prying eyes off your Android smartphone or your iPhone.
Android Users: Check Your Permissions
You can find a list of what your apps are doing by visiting the Android Market via your mobile device. Go to menu>downloads to see a list of the apps you’ve downloaded. Then select the app you want to check up on and go to menu>security. This will give you a list of all the information on your device that your application can access. This won’t tell you what those apps are doing with that information, but at least you can get rid of any applications that want access to information you’re not comfortable sharing with them.
Note that some of Android’s sharing and permissions information is a little hard to understand. Many apps, for example, say they have “full Internet access,” but the Market doesn’t explain what that means. Android’s developer documentation isn’t much help either, but it appears “full Internet access” means an app has unfettered access to send and receive data.
iPhone Users: Check Your Location
If you’re an iPhone user, you don’t have the same wide array of permissions you can access through your phone. You can, however, check to see which of your apps are using location information. On your phone navigate to Settings>General>Location Services. This will show you a list of all the apps on your phone that use location information, and ones that have accessed your location in the past 24 hours are marked with an arrow. You can also deny any application access to your location information from this list.
Check Those Comments
Google relies on community policing to keep the Android Market safe, so make sure you take advantage of each application’s comments section. Look for complaints about how an app functions or problems with your specific device. Also, make sure you read a little deeper than just the first few comments at the top.
iPhone users are unlikely to find complaints about malware or other dirty deeds in the comments. Nevertheless, comments are still an important source to find out what others think about the quality of a particular app.
Just as important as checking comments is sharing your own thoughts about apps you’ve used. If you’ve been scammed by a peculiar app, make sure you share your horror story with others.
Developers of fishy applications will (more often than not) have fishy Websites for their apps. It’s a simple rule of thumb, and it can often save you time and heartache. Watch out for Websites that are poorly constructed, haven’t been updated in a while or don’t contain any valid contact information.
Whenever an application wants to update, be sure to check what the changes are to see if it’s asking for anything new. iPhone users can do this by tapping on the apps that have updates available in the iPhone’s onboard App Store application. Android users should read over the new permissions list that appears before installing the update to make sure it isn’t asking for new permissions they don’t want it to have.
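The same update check can be done mechanically. The sketch below is an added example, not code from the study or from Android: it compares the permissions requested by two versions of an app and ranks the new ones by whether they expose the kinds of data the researchers saw being sent out. It assumes both AndroidManifest.xml files have already been decoded to text; the package name and sample manifests are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"  # shown in the Market as "full Internet access"

# Permissions guarding the data the study saw leaving the phone.
DATA_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "phone number, IMEI, SIM serial (ICC-ID)",
}

def permissions(manifest_xml):
    """Return the set of permission names requested by a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}

def review_update(old_manifest, new_manifest):
    """List permissions added by an update as (name, risk) pairs, sorted by name."""
    old, new = permissions(old_manifest), permissions(new_manifest)
    findings = []
    for perm in sorted(new - old):
        if perm in DATA_PERMS:
            # Sensitive data plus network access means it can be sent off the device.
            risk = "high" if INTERNET in new else "medium"
        elif perm == INTERNET:
            risk = "high" if new & DATA_PERMS.keys() else "medium"
        else:
            risk = "low"
        findings.append((perm, risk))
    return findings

# Constructed sample manifests for a hypothetical wallpaper app.
OLD_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
NEW_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.wallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, risk in review_update(OLD_MANIFEST, NEW_MANIFEST):
        print(f"{risk:6} {perm}  {DATA_PERMS.get(perm, '')}")
```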
Keep an Eye on TaintDroid
Right now TaintDroid is a monitoring tool that requires you to modify your firmware to work. It is not yet an installable application, so TaintDroid is not ready for everyday users. However, the creators of TaintDroid plan to turn the program into an open source project. In a few months, maybe some enterprising developer will be able to create a usable TaintDroid application.
Keep an Eye on Amazon
Rumor has it that Amazon is working on its own curated Android app market similar to Apple’s App Store. Details are unclear about which devices will be able to use the market. But it’s worth keeping an eye on as Amazon may be able to effectively neutralize many, but not all, bad actors before they reach the online retailer’s rumored Android market.
Still A Small Risk
Remember that while these tips will help maintain your privacy and security, you take an inherent leap of faith with every app you download. The hope is that developers won’t abuse your trust, and that safeguards such as community policing (Android) and quality control monitoring (iPhone) will keep out rogue developers.
But there’s always a small chance you could end up using an app that violates your privacy or has some rogue functionality built in.
The good news is that tools such as TaintDroid and Lookout Mobile Security’s App Genome project are working to expose applications that are behaving badly.