A research team has discovered that a number of popular Android applications send private information to advertisers without informing the user.
A team of researchers from Penn State University, Duke University and Intel Labs developed a software tool called TaintDroid which they used to investigate the network activity of 30 popular Android applications, Arstechnica reported.
The findings are due to be presented at the security conference Usenix OSDI next week but shocking details have already emerged regarding the cavalier attitude to privacy issues among several Android developers. It was reported that in some instances the applications were sending GPS coordinates every 30 seconds despite no advertisements being visible.
As owners of Android handsets know, when installing applications from the Marketplace the user is presented with a list of features which the application must request at install time. Errant applications must therefore request access to private information such as contacts, the GPS location of the phone and Internet access.
However most applications ask for many kinds of access most often for legitimate purposes, scanning the list of requests and assessing if they are appropriate for the type of application is clearly not going to be something Android users do as a matter of course.
Many users of applications know that in choosing a free advert supported version they will need to grant Internet access and furthermore it’s often explained that the advert serving middleware also asks for location access. Use of advertising middleware raises the question about whether the developer of the application even knows what their application is doing with their users’ data.
The researchers beyind the TaintDroid project will be releasing an application to the public which will in turn allow many to see exactly what’s being sent to whome and how often. One of the issues is that many developers of smartphone applications are in themselves amateurs and may not understand what is and isn’t appropriate.
Google has the ability to remove malicious applications from the Market and has already done so but the company doesn’t pre approve applications leaving the responsibility firmly on the user.