The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user's location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.
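As an added illustration, not code from TaintDroid itself, the following toy Python model shows the source/propagate/sink idea that dynamic taint analysis relies on: values returned by the platform's private-data APIs are tagged, the tag survives string concatenation into a request URL, and the network sink reports what is about to leave the device. The hosts, coordinates and IMEI string are constructed placeholders.

```python
from dataclasses import dataclass
from enum import Flag, auto

class Taint(Flag):
    """Taint tags for the categories of private data the study flagged."""
    NONE = 0
    LOCATION = auto()
    IMEI = auto()
    PHONE = auto()

@dataclass(frozen=True)
class Tainted:
    """A string that carries the union of the tags of everything it was built from."""
    value: str
    taint: Taint = Taint.NONE

    def __add__(self, other):
        other = other if isinstance(other, Tainted) else Tainted(str(other))
        return Tainted(self.value + other.value, self.taint | other.taint)

    def __radd__(self, other):
        return Tainted(str(other)) + self

# Taint sources: stand-ins for the platform APIs that return private data.
def get_location():
    return Tainted("37.4220,-122.0841", Taint.LOCATION)  # constructed sample value

def get_imei():
    return Tainted("IMEI-PLACEHOLDER", Taint.IMEI)  # constructed placeholder

# Taint sink: the one place data leaves the device. A tainted payload is reported.
def network_send(host, payload, reports):
    taint = payload.taint if isinstance(payload, Tainted) else Taint.NONE
    if taint:
        reports.append((host, taint))
    return taint

def ad_library_request(reports):
    # Simulated ad SDK: the tags survive concatenation into the query string.
    url = "http://ads.example.invalid/q?loc=" + get_location() + "&dev=" + get_imei()
    return network_send("ads.example.invalid", url, reports)

def game_request(reports):
    # Ordinary app traffic built from non-sensitive values stays untainted.
    url = "http://api.example.invalid/scores?level=" + str(3)
    return network_send("api.example.invalid", url, reports)

def run_demo():
    reports = []
    game_request(reports)
    ad_library_request(reports)
    return reports
```

A real implementation has to propagate tags through every operation the runtime performs on the data, not just concatenation, which is why TaintDroid instruments the platform rather than the application.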

The Android operating system has an access control mechanism that limits the availability of key platform features and private user information. Third-party applications that rely on sensitive features have to request permission during the installation process. The user has the option of canceling the installation if they do not wish to give the application access to the specific features that it requests. If a user starts to install a simple arcade-style game and finds out that it wants access to the user's GPS coordinates, for example, the seemingly suspicious permission request might compel the user to refrain from completing the installation process.

It's a practical security measure, but one critical limitation is that there is no way for the user to discern how and when the application will use a requested feature or where it will send the information. To build on our previous example, the user might decide to grant an Android game access to their GPS coordinates so that the software can facilitate multiplayer matches with nearby users. The user has no way of knowing, however, whether the application is also transmitting that information to advertisers or using it for malicious purposes. Making the permission system more granular might potentially address those kinds of problems, but would also have the undesired effect of making it too complex for some users to understand. Indeed, there are already a lot of careless users who simply don't take the time to look at the permission listing or don't understand the implications.

Concerns about unauthorized access to private information by Android applications were raised earlier this year when a popular wallpaper application was found surreptitiously transmitting the user's phone number to a remote server in China. Google's investigation of the matter revealed that the developer of the application was simply using the phone number as a unique identifier for user accounts and was not threatening the user's security or doing anything nefarious. Google responded by publishing an overview of best practices for handling sensitive user information. Google temporarily disabled the application in the Android Market while performing a security review, but later reenabled it after finding no evidence of a serious threat.

Google's ability to remove unambiguously malicious applications from the Android Market protects users from the most egregious kinds of attacks, but obviously doesn't really address the multitude of gray areas where the implications of data collection and disclosure are more nuanced and don't constitute blatant abuse. It's really important to recognize that even highly invasive data collection by mobile applications doesn't necessarily pose a threat to users. There are millions of users who are happy to voluntarily concede privacy in exchange for free access to useful services. The key is that it has to be voluntary, which means that users have to know in advance that the information is going to be collected.

When a mobile advertising widget embedded in Android applications collects IMEI numbers so that it can correlate a user's activity across multiple applications for the purpose of extrapolating a behavioral profile that will support more effective targeted advertising, it's really not all that different from what prominent Internet advertising networks are already doing with cookies in the Web browser.

For a more invasive example, consider a mobile application that perhaps reads your SMS messages looking for information about what kind of products your friends mention so that it can advertise to you more effectively. In practice, it's not profoundly different from what Google does with contextual advertising in Gmail. It wouldn't surprise me at all if the possibility of doing exactly these kinds of things was a major factor in inspiring Google to create Android in the first place. As smartphones become ubiquitous, it's likely that users will be expected to give up more of their privacy in order to get access to the next generation of hot mobile applications and services.

Invasive mobile data collection by advertisers isn't necessarily bad if users are getting something of value in return. The real issue is whether the practice is coupled with an appropriate level of transparency and disclosure to the end user. What separates a legitimate business practice from an unacceptable abuse in data collection is whether the user was made aware in advance of how data is collected, used, and shared so that they can choose to opt out or refrain from using the product if it shares their sensitive information in ways that make them uncomfortable. Such problems are obviously not specific to Android or mobile operating systems in general, but the fact that smartphone platforms provide standardized APIs for accessing certain kinds of sensitive information makes them higher-risk targets for subtle privacy invasions.

As Google says in its list of best practices that developers should adopt for data collection, providing users with easy access to a clear and unambiguous privacy policy is really important. Google should enhance the Android Market so that application developers can make their privacy policies directly accessible to users prior to installing, a move that would be really advantageous for end users. When applications share information improperly, don't conform with the stipulations of their privacy policies, or aren't suitably transparent about their data collection practices, tools like TaintDroid will be a powerful asset for enabling savvy users and privacy watchdogs to expose such abuses. The researchers behind the TaintDroid project will soon be publishing their results and plan to make the TaintDroid application available to the public in order to encourage further investigations. Their efforts to raise awareness of data collection by mobile applications are an important contribution to the advancement of safe mobile computing.

These results are being presented next week at the Usenix OSDI conference.