Amid the growing privacy concerns regarding smartphones, a research study from MIT, Harvard, and Carnegie-Mellon revealed that mobile apps are leaking user’s information to third parties in massive proportions. These third parties are advertisers who exercise a user’s personal information, such as behavioral data, search terms, and location data, to understand and predict buying behavior.
Over 100 Free Apps Tested
Researchers tested 110 popular, free apps––half Android and half iOS–– to determine which apps shared personal, behavioral, and locational data with third-party websites. They looked at the top five most popular apps from the Google Play Store in the categories of Business, Games, Health & Fitness, and Travel & Local; the same was done with the top five most popular apps from Apple’s App Store, from Business, Games, Health & Fitness, and Navigation.
The list included mobile app staples we’ve come to know and love, such as Candy Crush, Facebook, Facebook Messenger, Facebook Pages, Skype, Fitbit, Amazon, eBay, Groupon, Instagram, Pinterest, Snapchat, MapQuest, Google Maps, YouTube, and Yelp. Within the study, researchers recorded traffic that occurred using the apps to track personally identifiable information (PII), and behavioral data, such as search terms and location data.
iOS a close second to Android’s damaging reputation
The results that came out were nothing less than shocking. A staggering 73% of the tested Android apps were found to be leaking user’s email address to third parties, while 47% of the Apple store apps were found to be leaking geo-coordinates and other location data to third parties. Research also revealed that 51 out of 55 Android apps connect to a mysterious domain, safemovedm.com. The purpose could not be verified, but is likely due to a background process of the Android phone.
- The average Android app sends potentially sensitive data to an approximate 3.1 third-party domains, with the average iOS app connecting to 2.6 third-party domains.
- Android apps are more likely than iOS apps to share PII with a third party, such as name (73% of Android apps vs. 16% of iOS apps) and email address (73% vs. 16%).
- More iOS apps (47%) than Android apps (33%) share location data.
Christopher Weatherhead, a technologist at Privacy International shares that “…the analysis in the paper suggests that a large proportion of apps tested share sensitive information like location, names and email addresses with third parties with minimal consent.”
Suggesting that these information-leaking apps are posing a great risk to user’s sensitive data, the research described following as the most concerning:
- An app may share a unique [ID] related to a device such as a System ID, SIM card ID, IMEI, MEID, MAC address, UDID, etc. The ID can be used to track an individual.
- An app can request user permission to access device functions and potentially personal or sensitive data, with the most popular requests being access to network communications, storage, phone calls, location, hardware controls, system tools, contact lists, and photos & videos.
- Some apps practice over-privileging, where the app requests permissions to access more data and device functions than it needs for advertising and data collection.
- Any data collected by the app may be sent to a third party, such as an advertiser.
- A user may have a hard time understanding permission screens and other privacy tools in a device’s operating system
Mobile Apps pose the greatest risk to privacy
- 97% Allows access to private data
- 86% Are technically vulnerable
- 75% Leave data unencrypted
If you are up for contract renewal, need a new phone, or will soon be starting to look at a new phone, perhaps consider a switch from Android. Take a look at the Blackphone 2, which is constructed from a modified AndroidOS known as SilentOS. Blackphone provides encrypted, secure end-to-end, communication with the ability to close back doors, as well as the option to use unencrypted communication if the user wishes. Sound fishy? Don’t worry. Just as there’s a difference between protecting company trade secrets and calling the neighborhood pizza delivery person, there’s a difference between when you do and do not need encrypted communication, and Blackphone takes that into account. Explore more on the Blackphone by Silent Circle here.
About Jitesh Chauhan
A student of life with a passion for people, communication, and privacy.