Advertising networks used by apps in Android devices can get access to user information, according to an investigation by a UK information security company.

MWR Infosecurity found that a significant number of the top 50 "free" apps which generate money for the developer and advertisers by connecting to an American advertising network pass on details about the phone's user to the network – a move that may breach European data protection laws. With roughly a quarter of the UK's phone users using Android phones, and with millions of apps downloaded every month – often for free, supported by advertising, rather than paid-for – the gap in security is a source of concern.

The study was commissioned by Channel 4 News. MWR Infosecurity told the programme: "We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications, and that the permission that you grant to these applications is also granted to the advertiser. If users knew about this I think they would be concerned about it, but at the moment I don't think they are aware of the situation and how widely their information can be used."

The EC commissioner for justice, Viviane Reding, condemned the practice: "This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this," she told Channel 4 News. "Maybe you want somebody to get this data and agree and it's fine. You're an adult and you can do whatever you want. But normally you have no idea what others are doing with your data. They are spotting you, they are following you, they are getting information about your friends, about your whereabouts about your preferences. That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That's exactly what we have to change."

Reding spoke out last week against proposed changes in Google's privacy policy, warning the search giant that she was "not playing games" as the French data protection commissioner, the CNIL, announced that it would lead a Europe-wide investigation into whether the changes were legal. Google implemented the changes, which it said would pull together information from across all of its services, at the start of March after announcing them in January.

The code that MWR Infosecurity found gave advertising networks access to contacts, calendar and location. It came from a large US ad network called MobClix. Channel 4 said that it had not responded to repeated requests for comment.

Google told Channel 4 News that it has best practises for app makers to follow when it comes to user data, but it doesn't screen applications before they are offered for download.

MobClix is owned by Velti, a US-based company which claims to be the largest mobile marketing company, based on revenue, customers, consumer reach and technology holdings.

Apple has recently come under fire too after it was discovered that some apps can upload all or part of the user's address book, and more recently when it was found that for both Apple and Android phones that some apps could access photos on the devices. Apple has said that it will address the weakness in a forthcoming software update.

Correction: the headline on an earlier version of this article said that user data was passed to advertisers. As the story makes clear, this should have said 'ad networks'.