Communications of the ACM

BLOG@CACM

Most Smartphone Apps Are Spyware

By Jason Hong
February 17, 2012
Comments (2)

Imagine if I told you that the web sites you go to were gathering your phone number, tracking your location, and might also be collecting your contacts list. Not only would you be up in arms over this, you would see widespread demand for Congressional investigations, boycotts over these web sites, and a large number of defensive maneuvers from web site developers and ad networks in protecting themselves.

The dirty secret is that a lot of smartphone apps already get this kind of data and more. It's been well-known in the computer security research community that many of these apps are essentially spyware. But outside of the research community, there's been little noise about it so far (the most notable exception being the Wall Street Journal's analysis of the most popular Android and iPhone apps).

For example, the popular Pandora music app was the subject of a Federal Grand Jury investigation, because the app (both Android and iPhone) was sending information about users' birth date, gender, unique ID, and GPS location to advertising companies.

There are other popular apps that are just as invasive. There is the yearbook app that wants to know your phone number, an app showing the schedules of public transport that wants your entire contact list, games that want your phone's unique ID, as well as Bible apps that want to know your location (apparently, even supreme deities need help in figuring out where you are).

Recently in the news, there was a furor over the Path mobile social network app, which apparently uploaded people's entire contact lists to their servers. (It's worth pointing out that Path was not the only app doing this, just the most prominent one that was caught)

Why are apps taking in all of this personal information ?

Some apps are actually malware, meant to infect your smartphone and steal your personal data. Sometimes criminals will take existing apps, decompile them, add some malicious code, and put them back on the app market (for free) to trick people into installing them. (So beware of free apps of well-known for-pay apps)

However, the majority of these intrusive apps want personal information like your phone's unique ID and location data simply for advertising purposes. An analysis by some researchers found that many of the most popular apps often used third-party analytics packages as well as ad networks, many of which rely on location data and the phone's unique ID to work. In this case, app developers don't have many choices if they want to find a way of monetizing their app.

Web sites today track identity using cookies, which are temporary pseudonymous identifiers that end-users can block or erase if desired. However, there is no real equivalent to cookies for smartphones.  My guess is that ad networks are happy to have your phone's specific identifier, but would be just as happy to have some kind of reusable identifier that they can use to track the user to understand what ads they have been shown and what kinds of ads they have clicked on. The phone's unique ID is simply the most convenient such identifier.

With respect to location, many web-based ad networks already use geolocation technologies to find your location as you browse the web. These technologies tend to be coarse-grained, using your IP address to infer what city you are in. However, for smartphones, apps can get your exact location, meaning that they can also infer the places you work, live, and play. 

Unfortunately, smartphone users have very few ways of protecting themselves. Apple has done the right thing in requiring explicit approval from end-users for getting location data (and now contacts list as well, after the Path contacts list debacle). Android also shows people the list of permissions an app will use before installing the app. However, these mechanisms put too much of the burden on end-users, who will likely not understand the implications of their decisions. I'd rate them somewhat better than web browsers asking about whether you want to accept a web certificate.

Instead, there needs to be more protection and enforcement from the smartphone operating system itself, and from policies that app markets set about what apps can and cannot do.

For example, one simple thing that the OS could do is restrict access to the smartphone's unique IDs, instead offering the equivalent of web browser cookies, which end-users could periodically delete if they wanted to. This approach strikes a balance between the needs of app developers who want to monetize their apps, ad networks who want to track the effectiveness and display of their ads, and end-users who want to manage their privacy. This solution also matches how the web works today, reducing the number of concepts that end-users have to learn.

Another simple thing the OS could do is allow only coarse grained location data to well-known ad networks, at the ZIP code level or city level. Again, this strikes a balance between revenue models (which are needed if we want free apps) and privacy.

In the long term, there are many open issues for improving the privacy and security of apps. These include offering better privacy summaries of what an app will do in practice, forcing ad networks and apps to comply with certain kinds of rules about data usage and data retention, and offering toolkits that make it easy for app developers to do the right thing and easy for app markets to check that that is indeed the case.

The smartphone market is moving out of childhood and into adolescence, and we're starting to see the growing pains involved when there is a wild and open app market where almost anything goes. Smartphones have incredible potential in being able connect us with other people in new ways and even instrument the physical world, but all of this potential could be at risk if the privacy issues aren't adequately and legitimately addressed. 

---

Comments

---

Displaying all 2 comments