Monday, October 4, 2010

Some Android apps caught covertly sending GPS data to advertisers

From Ars Technica,

The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.


Read More here.

6 comments:

Reilly said...

As an Android user, it's scary to think how much personal data is being constantly transmitted to app developers for advertising purposes. It doesn't even bother me that much if an advertising network knows my location and other anonymous data to serve relevant ads, but it makes me think how easy it would be for that data to get in the wrong hands. I know that Android alerts you if an app can know your location before you install it, but I never read those notices anyway, and according to the article they can get it anyway. It makes me think how easy it would be for criminals to get your location and use it to, for example, know when you're not home to rob you or something. It also seems to me like not many people are concerned about privacy on mobile phones - yet. I wonder if going forward a competitive factor in mobile operating systems will be the level of privacy. Maybe operating systems like Android that are open source will be more vulnerable than the iPhone and other non-open source systems.

Caitlin said...

About a week or so ago, I received the following email from my mother, which she had been forwarded by a friend of hers. The email was entitled "Call to get your number off the list." In light of my newfound knowledge of and appreciation for issues of privacy and security, I decided to take the email seriously [something a former me would have likely ignored].


"REMEMBER: Cell Phone Numbers Go Public this month. All cell phone numbers are being released to telemarketing companies and you will start to receive sales calls.

YOU WILL BE CHARGED FOR THESE CALLS

To prevent this, call the following number from your cell phone: 888-382-1222.

It is the National DO NOT CALL list. It will only take a minute of your time. It blocks your number for five (5) years. You must call from the cell phone number you want to have blocked. You cannot call from a different phone number.

HELP OTHERS BY PASSING THIS ON. It takes about 20 seconds.

https://www.donotcall.gov/default.aspx "


My initial reaction is outrage. Then I've got all sorts of questions. Who is it that is 'releasing' [more like, selling] my phone number? The government? Who exactly is gaining access to my phone number? Is it essentially becoming readily available to whoever wants it? HOW IS THIS LEGAL/MORAL?

I have a huge problem with the selling of personal data such as cell phone numbers without any consent from the individual(s) whose data is being released. Is there no established set of ethics for personal information dealing? Moreover, is there no law in the U.S. that if not forbids, at least limits organizations' use of people's personal information such as their cell phone numbers?

Then I think...Is this email even legitimate? Or is it a scam - some false alarm devised to get people to call in and/or register their cell phone numbers and furthermore, attach those numbers to their name. Is someone sitting somewhere watching as concerned individuals call in and register online by the thousands creating a huge database of numbers and names, while completely ignorant of where that information is going/being used for. Hm. Thank you, Professor Moran for the paranoia.

I look at the website. It's very low-tech, so I'm immediately suspicious. Well, it's a ".gov" but does that mean anything really? Then I google "National Do Not Call Registry" to see what comes up. Hundreds of websites, so it seems somehow legitimate. I google "National Do Not Call Registry Scam" and I get this website: http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt055.shtm

It's a warning from the Federal Trade Commission about "Do Not Call" scams. Great. So, how am I supposed to know what is legitimate and what is not? Ultimately, I decide that the email my mom has sent me is legitimate, but the moral of this story is...if I, an individual at least somewhat-educated about issues of privacy and security am having such a hard time discriminating between the scam and the legitimate attempt to help me protect my privacy, then how is the average Joe ever to know?! I suppose the answer is that they won't know and all the better for the companies looking to take advantage of them.
