Could one third of free Android apps be stealing sensitive data?

April 5, 2013

New research from security specialists Bitdefender suggests that as many as one third of free Android apps access and upload your private data (including your phone number) to third parties. Issues around privacy and security are constantly with us in the digital age. As more and more information about us is digitized, what happens to that data is becoming increasingly relevant.

The problem is with advertising. Other than the freemium business model, where in-app purchases are used to monetize an app, the majority of free apps use advertising to generate income. There are dozens of different mobile advertising platforms and each one offers its own software development kit and libraries to give the developer an easy way to integrate the adverts into his or her app. But the question is: what data are these mobile advertising platforms uploading to allow relevant and targeted adverts to be delivered?

The Bitdefender data shows that just under 33 percent of apps upload information such as your phone number, location, and your email address to third-party advertising companies. It is unclear from this research if any one app actually uploads your number, location and email all at the same time, but the study shows that 12% upload at least your phone number and some 17 percent of apps ask for permission to read your contacts, access your browsing history, and access your photo library.

Although an app developer might be offered terms and conditions for the use of a particular mobile advertising platform, very seldom are the end users offered the chance to read and accept terms and conditions about how the in-built advertising interacts with an Android device. Although the Google Play Store does have an optional link to a publisher’s privacy policy, these are often in legalese.

I picked a random app from the front page of the Play Store and followed the link to the developer’s privacy policy and this is what it said, “some third party advertisers automatically receive some of your personally identifiable information if and when you interact with an advertisement.” This text was buried in the penultimate paragraph of the privacy policy. And at the top of the text it says very clearly that by using the app “you represent and warrant that you have read and understood, and agree to the terms of, this privacy policy.”

However the issue is a little less clear once you consider that most advertising platforms want to know your location so that you can be sent targeted ads. It is pointless sending a European adverts about a discount sale in New York. Likewise it is pointless sending a man adverts targeted at women and so on. I find adverts annoying, but I find unrelated, irrelevant adverts more annoying.

So assuming that there is legitimate data that an app needs to fulfill its monetization needs, the question remains: are there apps which are uploading sensitive data which neither the app nor the mobile advertiser has a right to see? Bitdefender would say that there are such apps and would use words like “aggressive adware”. But it is interesting to note that the report also mentions that “you could always go ahead and install a mobile security solution that can spot malware and aggressive adware at a distance.” I would guess that Bitdefender would prefer that the “mobile security solution” that you install would be theirs!

So what do you think? Are Bitdefender trying to hype up this issue or is it in fact a real problem?
