Last week, a study was published that showed how 15 popular applications in the Android Market shared location data with advertisement servers, while 10 shared unique identifiers with them, as well. Glad you’re using an iPhone? Not so fast – another study, published over the weekend, shows that the iOS ain’t much better in this regard.
The Android study was done by people from Penn State University, Duke University, and Intel Labs, using a tool they created called TaintDroid. They studied 30 popular applications from the Android Market, chosen at random, and came to the conclusion that a selection of them transmitted location data and/or unique identifiers to advertisement servers.
Google already responded to this study last week, stating that applications always ask for permission to access any personal information upon installation – this is a requirement for the Android Market. As such, Google noted that “none of the applications studied in this research operated outside of the Android Permissions model, so in each case, a user would have already granted the application access to the resources listed (e.g. location, device ID, etc)”.
While this is true, it ignores the fact that while applications on Android may ask for permission to use personal information, it’s never really clear how or why they’re using this information. Sure, it makes sense for a, I don’t know, route tracking application to have access to your GPS data – but at the same time, you have no idea if the application isn’t also sending this information to third party advertisement servers.
While a far more controlled environment, Apple’s iOS isn’t free from these kinds of issues either, as noted by a study performed at Bucknell University. This study requires some historical background: back in 1999, Intel’s newly announced Pentium III processors contained a unique serial number per processor, which didn’t sit well with the industry and governments the world over. They worried that it could be used to track users’ online behaviour, and some governments even went as far as asking for a ban on Pentium III processors. Intel removed this serial number shortly afterwards.
The iPhone, iPod Touch, and iPad, however, contain something similar: the Unique Device Identifier (UDID). Apple promotes the use of UDIDs as a way for application developers to link information to specific devices, e.g. storing high scores in a game on a central server. While Apple states that the UDID may not be linked to personally identifiable information, there is no mechanism in place to prevent this from happening, nor is there a mechanism to prevent the UDID from being shared with third parties (such as advertisement firms).
The study in question was performed to “determine if the privacy fears surrounding the Pentium 3 have manifested themselves on the iPhone platform”. In order to do so, they studied 57 random popular applications from the App Store, and came to interesting conclusions.
“We found that 68% of these applications were transmitting UDIDs to servers under the application vendor’s control each time the application is launched. Furthermore, 18% of the applications tested encrypted their communications such that it was not clear what type of data was being shared,” the study notes, “A scant 14% of the tested applications appear to be clean. We also confirmed that some applications are able to link the UDID to a real-world identity.”
“For example,” the study continues, “Amazon’s application communicates the logged-in user’s real name in plain text, along with the UDID, permitting both Amazon.com and network eavesdroppers to easily match a phone’s UDID with the name of the phone’s owner. The CBS News application transmits both the UDID and the iPhone device’s user-assigned name, which frequently contains the owner’s real name.”
As a conclusion, the study states that all this poses a real threat to iOS users. “Privacy and security advocates, personal iPhone owners, and corporate iPhone administrators should be concerned that it would be feasible – and technically, quite simple – for their browsing patterns, app usage, and physical location collected and sold to unintended customers such as advertisers, spouses, divorce lawyers, debt collectors, or industrial spies,” the study argues, “Since Apple has not provided a tool for end-users to delete application cookies or to block the visibility of the UDID to applications, iPhone owners are helpless to prevent their phones from leaking this information.”
It’s difficult to ascertain how much of an issue this – both the Android and iOS one – really is. Sure, it’s a matter of principal that devices should not emit information like this for everyone to see without users’ consent, but at the same time, allowing very fine-grained control over these matters will only serve to confuse most users. This confusion could have two outcomes; users see a complicated privacy dialog and automatically cancel out of fear. However, considering just how many applications use personal data, it could also lead to users becoming numb to such dialogs.
In the end, it may already be too late, as a Google spokesperson notes. “Note that this trust relationship between the user and the software maker exists regardless of the platform – even in desktop software and more controlled application environments,” he said, “It is not specific to Android. As an industry, we’ve never been able to 100% guarantee what a software maker (on any platform) will do with data to which they are entrusted.”
Still, it is good to see people paying attention to this and questioning the uses and motives of these application developers.