What's that Android app doing with my data?

Researchers from Intel Labs, Duke University, and Pennsylvania State University have created a tool that analyzes how Android apps handle the data they access on smartphones. Results from experiments on 30 apps might surprise some people.

The researchers pruned a list of popular Android apps in the main categories down to those that had access to potentially sensitive information, such as location and device identification, and then randomly selected 30 apps to experiment on.

They then created a proof-of-concept tool call TaintDroid that analyzes in real-time what potentially sensitive information is collected, including GPS data, phone number, contacts, IMEI (International Mobile Equipment Identity) number that identifies the device, and the SIM card serial number.

When a user wants to download an Android app, a permissions screen is displayed that explains exactly what data and resources the app has access to, and users must click "OK" before the download can proceed. The report suggests that users can be at risk because they are not told how the apps use their data.

"Android's course-grained access control provides insufficient protection against third-party applications seeking to collect sensitive data," the report, entitled "Realtime Privacy Monitoring on Smartphones," (PDF) said. The paper will be presented at the USENIX Symposium on Operating Systems Design and Implementation in Vancouver next week.

Specifically, the researchers found that two-thirds of the 30 apps in the sample used sensitive data suspiciously, half share location data with advertising or analytics servers without requiring "implicit or explicit user consent," and one-third expose the device ID, sometimes with the phone number and the SIM card serial number. In all, the researchers said they found 68 instances of potential misuse of users' private information across 20 applications.

"The permissions screen says, 'here is what the app can access'...but that screen doesn't say how the app is going to use that information once it retrieves it," William Enck, a PhD student at Pennsylvania State University and one of the co-leaders on the project, told CNET today. "Right now users have to be more diligent with the apps they install, look closely at the permission screen, and assume that that information may be misused. Just like when you are on a Web site. Better to be safe than sorry."

Apps can and should provide, in end user license agreements (EULAs), information about what they do with the data, the report suggests. Some of the apps displayed EULAs on the device, but very few, and they didn't explain about the data usage, according to the report.

Granted, the sample is very small given that there are more than 70,000 apps available for download from the Android Market.

"It's not meant to quantify how the market apps behave but to be a qualitative analysis, to see what is actually happening with a few apps and test a tool for determining that in real time," Enck said.

Asked for comment, a Google representative noted that users must explicitly approve this access in order to continue with the installation and they may uninstall at any time.

"On all computing devices, desktop or mobile, users necessarily entrust at least some of their information to the developer of the application," the representative said. "Android has taken steps to inform users of this trust relationship and to limit the amount of trust a user must grant to any given application developer. We also provide developers with best practices about how to handle user data...We consistently advise users to only install apps they trust."

A table in the report identifies the apps and app types that were part of the sample--which included MySpace, The Weather Channel, Solitaire, Coupons, BBC News Live Stream, Ringtones, and Spongebob Slide game--but Enck said he did not want to single out any apps by behavior because the researchers don't know the purpose of the data collection.

Meanwhile, don't expect to be able to download the TaintDroid app anytime soon. It requires modifications to the firmware on the device to work, so users would have to jailbreak their phones and thus void the warranty to use it. But the researchers will offer it as an open-source tool for other researchers and developers to play with, Enck said. A video demo of TaintDroid can be found here.

There is another project that analyzes mobile apps. The App Genome Project, launched in July by mobile security provider Lookout, covers both Android and iPhone apps. However, the App Genome Project looks at what the application files are capable of doing based on a static analysis of the code, while the TaintDroid project does a dynamic analysis of the data flows out of the phone, said Kevin Mahaffey, chief technology officer at Lookout.

"TaintDroid runs on a phone and reports on the apps installed on the phone, while The App Genome Project crawls the Android and iPhone markets and reports on all apps available," he said.