Menu
Android apps exploit permissions granted, French researchers find

Android apps exploit permissions granted, French researchers find

One app in three accesses location, and two in three track users' identities, a study by CNIL and INRIA found

Android apps really do use those permissions they ask for to access users' personal information: one online store records a phone's location up to 10 times a minute, French researchers have found. The tools to manage such access are limited, and inadequate given how much information phones can gather.

In a recent study, ten volunteers used Android phones that tracked app behavior using a monitoring app, Mobilitics, developed by the French National Institute for Informatics Research (INRIA) in conjunction with the National Commission on Computing and Liberty (CNIL). Mobilitics recorded every time another app accessed an item of personal data -- the phone's location, an identifier, photos, messages and so on -- and whether it was subsequently transmitted to an external server. The log of the apps' personal information use was stored on the phone and downloaded at the end of the three months for analysis.

The volunteers were encouraged to use the phones as if they were their own, and together used 121 apps over the period from July to September. A similar study last year used a special iOS app to examine the way iPhone apps access users' personal data.

Many apps access phones' identifying characteristics to track their users, the researchers said. One of the few options users have to avoid this tracking is a switch in the "Google Settings" app to reset their phone's advertising ID. That's not much help, though, as apps have other ways to identify users. Almost two-thirds of apps studied in the three-month real-world test accessed at least one mobile phone identifier, a quarter of them at least two identifiers, and a sixth three or more. That allows the apps to build up profiles of their users for advertising purposes.

Location was one of the most frequently-accessed items of data. It accounted for 30 percent of all accesses to personal information during the test, and 30 percent of the apps studied accessed it at some point. The Facebook app recorded one volunteer's location 150,000 times during the three-month period -- more than once per minute, on average, while the Google Play Store tracked another user ten times per minute at times. Often, the only use apps make of such information is to serve personalized advertising, as was the case with one game that recorded a user's location 3,000 times during the study. The volume of data gathered is staggering: one app, installed by default on one of the phones, accessed the user's location 1 million times over the month.

Apps don't need many permissions to build up a comprehensive user profile, said INRIA researcher Vincent Roca. He described how, simply by requesting access to the permissions "Internet" and "Access_Wifi_State," an application could identify the phone through the MAC address of its Wi-Fi adapter and track its movements around the world. The app could even allow its developer to map the user's social network by sending information about the time at which it encountered particular Wi-Fi networks to a central server, where it could be compared with similar information from other phones to see who else was in the same place at the same time.

CNIL wants developers -- both of mobile apps and mobile operating systems -- to take more responsibility for what can be done with their products, and to make continued efforts to provide users with more tools to manage their privacy. CNIL president Isabelle Falque-Pierrotin said "privacy by design" should be developers' design philosophy, and called on them to minimize the collection of data not needed for apps to fulfill their purpose.

Peter Sayer covers general technology breaking news for IDG News Service, with a special interest in open source software and related European intellectual property legislation. Send comments and news tips to Peter at peter_sayer@idg.com.


Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags securitysmartphonesAndroidFrench National Commission on Computing and Liberty (CNIL)mobileprivacyFrench National Institute for Informatics Research (INRIA)mobile applicationsAndroid OSconsumer electronicsGoogle

Featured

Slideshows

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

Tight lines as Hooked on Lenovo catches up at Great Barrier Island

​Ingram Micro’s Hooked on Lenovo incentive programme recently rewarded 28 of New Zealand's top performing resellers with a full-on fishing trip at Great Barrier Island for the third year​ in a row.

Tight lines as Hooked on Lenovo catches up at Great Barrier Island
Inside the AWS Summit in Sydney

Inside the AWS Summit in Sydney

As the dust settles on the 2017 AWS Summit in Sydney, ARN looks back an action packed two-day event, covering global keynote presentations, 80 breakout sessions on the latest technology solutions, and channel focused tracks involving local cloud stories and insights.

Inside the AWS Summit in Sydney
Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day

Ingram Micro hosted its third annual Cure Kids Charity Golf Tournament at the North Shore Golf Club in Auckland. In total, 131 resellers, vendors and Ingram Micro suppliers enjoyed a round of golf consisting of challenges on each of the 18 sponsored holes, with Team Philips taking out the top honours.

Channel tees off on the North Shore as Ingram Micro hosts annual Cure Kids Charity golf day
Show Comments