Could one third of free Android apps be stealing sensitive data?

by: Gary Sims, April 5, 2013


New research from security specialists Bitdefender suggests that as many as one third of free Android apps access and upload your private data (including your phone number) to third parties. Issues around privacy and security are constantly with us in the digital age. As more and more information about us is digitized, what happens to that data is becoming increasingly relevant.

The problem is with advertising. Other than the freemium business model, where in-app purchases are used to monetize an app, the majority of free apps use advertising to generate income. There are dozens of different mobile advertising platforms and each one offers its own software development kit and libraries to give the developer an easy way to integrate the adverts into his or her app. But the question is: what data are these mobile advertising platforms uploading to allow relevant and targeted adverts to be delivered?

The Bitdefender data shows that just under 33 percent of apps upload information such as your phone number, location, and your email address to third-party advertising companies. It is unclear from this research if any one app actually uploads your number, location and email all at the same time, but the study shows that 12% upload at least your phone number and some 17 percent of apps ask for permission to read your contacts, access your browsing history, and access your photo library.

Although an app developer might be offered terms and conditions for the use of a particular mobile advertising platform, very seldom are the end users offered the chance to read and accept terms and conditions about how the in-built advertising interacts with an Android device. Although the Google Play Store does have an optional link to a publisher’s privacy policy, these are often in legalese.

I picked a random app from the front page of the Play Store and followed the link to the developer’s privacy policy and this is what it said, “some third party advertisers automatically receive some of your personally identifiable information if and when you interact with an advertisement.” This text was buried in the penultimate paragraph of the privacy policy. And at the top of the text it says very clearly that by using the app “you represent and warrant that you have read and understood, and agree to the terms of, this privacy policy.”

However the issue is a little less clear once you consider that most advertising platforms want to know your location so that you can be sent targeted ads. It is pointless sending a European adverts about a discount sale in New York. Likewise it is pointless sending a man adverts targeted at women and so on. I find adverts annoying, but I find unrelated, irrelevant adverts more annoying.

So assuming that there is legitimate data that an app needs to fulfill its monetization needs, the question remains: are there apps uploading sensitive data that neither they nor the mobile advertiser have a right to see? Bitdefender would say that there are such apps and would use words like “aggressive adware”. But it is interesting to note that the report also mentions that “you could always go ahead and install a mobile security solution that can spot malware and aggressive adware at a distance.” I would guess that Bitdefender would prefer that the “mobile security solution” that you install would be theirs!

So what do you think? Are Bitdefender trying to hype up this issue or is it in fact a real problem?

  • Woah. That’s fishy! I think it’s a huge problem.

  • MasterMuffin

    Buy the paid versions. Done! Or root and Ad block/deny internet access.

    But still this should be fixed!

  • bungadudu

    Be it free or paid, there are a lot of apps and games with too many sneaky permissions.
    Don’t know why Google allows this! (Why does a wallpaper need to read contacts, connect to internet, etc.?)
    The devs who are caught doing this should be banned from the Play Store! (But I don’t think that Google will do this since they have to brag about having more apps than iTunes)

    • bartdog

      Not terribly surprising. If you charge nothing for the software you have to make money through the advertising. Imagine if the operating system were free and ad supported. Wait…

  • mggOptimusG

    Are we surprised that advertising increases?
    Google would try to limit them only to their own instead.
    There is no more liberty when people want free stuff.

  • raindog469

    It’s not stealing if you’ve given someone permission to come into your house and look at your address book or connect to your wifi and they subsequently do so. Not even if they subsequently tell other people what they learn by doing so; you gave them permission. The issue I see is that many apps don’t disclose they have ads until you launch them and see ads, so essentially by giving the app developer permission you’re also giving the ad network permission.

    Unfortunately, there’s no way for Google to include a “This app uses third-party ad networks which will have the same access to your data as the app itself does” notice on the permissions screen unless it creates a whitelist of acceptable ad networks, which would probably be an antitrust violation at this point. We’re basically stuck with the honor system and checking through comments till we find a reference to ads, which only usually happens when they’re especially intrusive or it’s a paid app.

  • bartdog

    Only a third?

  • freedomspopular

    “…if and when you interact with an advertisement.”

  • dave

    “legitimate data that an app needs to fulfill its monetization needs”. No such thing here. Ad blocking for ever.