Slashdot Mirror
Privacy Concerns With Android and iPhone Apps
carre4 writes "The Wall Street Journal has come out with an article where they examine 101 popular smartphone apps and show that 56 of them transmit various types of information including unique phone IDs, age, gender, postal codes, and location to ad companies. The article also includes responses from infringing app makers and talks about the pressure that some developers feel to share even more information, like Max Binshtok, creator of the DailyHoroscope for Android, who has been encouraged by ad-network executives to transmit users' locations."
Se we can download source and built it ourselves?
Aren't there laws against these practices?
-- Cheers!
Closed source = no expectation of security + no expectation of privacy + expectation of malice + higher development cost. The sooner Joe Q. Public gets this consumer advocacy message, the better off he'll be. There are only two valid reasons to conceal the code: embarrassment and ill will towards the user. And the only valid reason to make an open-sourced program non-free is greed. None of these are helping the user, the consumer, or whatever you want to call 99% of people who use computers.
I was really suprised when I learned how blunt the security options in Android were.
I'm used to COMODO IS asking me every time an application attempts to use TCP/UDP, start another process, look at a DLL or stuff like that.
All you get on Android is 'DO YOU WANT APPLICATION TO INTERNET? Y/N' which is totally insufficient.
Now, apart from the phone ID, do people REALLY use their real age, gender, and postal code on their phone? It's your phone, not the advertisers. It also sounds like we need a web browsers "No script" type of app for Android to trawl the other apps for data leaks and deliberately ruin the data for advertisers. They are not paying your phone bill, so why give them useful information, give them garbage.
Take Nobody's Word For It.
It was uncovered today that your toilet analyzes your stools and sends the results to your proctologist. If you cannot afford a proctologist, one will be provided to you...
For justice, we must go to Don Corleone
Does sourceforge have a policy of discrimination against mobile stuff? Also, downloading and compiling is only useful when someone has done the coding and sharing.
Sorry to burst your bubble, but most developers like to eat, which means that commercialization of software comes in at some point, whether that's advertising, support, or something else. Limiting the selection of software to only non-free (as in beer) software would result in a lot less software being available (or made in the future), which isn't exactly helpful for end users either. FOSS has gone a long way to make the world a better place, but it's not a be-all, end-all solution.
There are many applications that want to run more services that they need to.
For example, when I start up an application for an IT magazine, it always asks me if I want to turn on my GPS. There is no need for it to use GPS to show me content so the only reason would be to make a not of my location for someone else.
That is an easy one to fix, I have GPS off unless I anctually want to use it. The same goes for WiFi - smartphone batteries do not last as long as stupidphone ones.
But what about other leaks?
Limit yourself to open source apps - ideally write them yourself. Never use anything free and closed source. You never know what is there!
I just consider my phone an insecure device and do not trust it. I do not do anything on it that involves confidentiality. I also do not respond well to unsolicited adverts...
I'll see your Constitution and raise you a Queen.
I know on my Blackberry whenever I install apps it gives me a list of permissions the app is asking for and I have to either approve or deny the permissions. There has been more than one occasion where I've gone back and fourth with a app developer after their app refused to run without having access to my contacts, gps coords and other things. I believe the last one I encountered this with was a freaking flashlight application. Doesn't Android/iPhone have this type of thing when apps are installed?
Hey! You just walked by the best pizza restaurant in town! Come on in, show this message at the check-out, you'll receive a 10% discount. We're just 102.1 meters away at 3030 Main St.
Anyone who has used android knows this is true. There are loads of apps that ask for permissions they clearly shouldn't need. Most often it is for internet access, your location, your phone ID (IMSI), and sometimes access to your contacts.
Obviously the crappy little 'content' apps like DailyHoroscope, backgrounds and ringtones are the main culprits.
For the Android OS there is: The Android Open Source Project
However, as far as I understand it, there are some hurdles with regards to building a ROM depending on the phone you have. Some have locked bootloaders / proprietary drivers.
For apps, there is a lot of stuff on GitHub, but as someone else already posted that requires the dev to have shared the code.
If you root your device a good firewall is DroidWall
meep
Just search for AdFree
"Never let your sense of morals prevent you from doing what is right" - Salvor Hardin
...when you could have a Nokia N900?
So if an app just happened to transmit a unique id then it would get on this list?
I don't see how that is much of an issue at all, remember your browser can identify you uniquely unless you have something as common as a fresh install of XP with no updates, etc.
I would like to see the figures that have better criteria than just sending unique ids. (Such as location)
I dream of a nation where a man is not judged by his skin color but by an number assigned by a credit rating agency.
>are the ones that need to tell others what is cool and what is not
What about those who tell others who the real losers are, what are those?
Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
I do not have a smartphone myself, but one of the first apps I would install would be some sort of fake data sandbox for apps.
I have seen the install screen for android apps briefly: they show what sort of permissions an app needs: access to GPS, address book, outgoing sms, etc; but the only options seemed to be "grant that access" or "do not install"
So simply add a checkbox that allows me to supply fake GPS data, fake "no connection" signal, fake empty address book for apps that I do not want to access these parts, but want them to run regardeless.
Is that impossible ar particularily hard to program?
After rooting your Android phone, you can block the advertisers with AdFree (which a simple black list for all ad sites), or go with a more complex solution like DroidWall and only allow apps you trust to access the net. And you can easily change Android ID with aptly named Android ID changer or simple db hack.
Not sure if something similar exists for iPhone (would never touch it anyway).
Don't forget that Android applications are placed in a sandbox. Each time you install an app, you will have to agree that the app wants to have access to specific parts of your phone. I've discarded apps that were too invasive, e.g. wanting access to my phone book, or games that want access to the internet. With Apple, the only protection you have is...Apple. At least with Android there is another level of security.
Le Wiki Koumbit: https://wiki.koumbit.net/AndroidFreeSoftware
The Replicant for Android list: http://trac.osuosl.org/trac/replicant/wiki/ListOfKnownFreeSoftwareApps
The Wikiperdia list: http://en.wikipedia.org/wiki/List_of_Open_Source_Android_Applications
The article stated:
"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again I cannot think of a way that is even possible on an iPhone without being asked; no-where on my iPhone is my birthday or age stored.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The article stated:
"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again I cannot think of a way that is even possible on an iPhone without being asked; no-where on my iPhone is my birthday or age even stored.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
You buy an android and you pretty much HAVE to have a google account so all your data can be 'in the cloud'. If it has moto blur then moto has a copy too.
You install facebook on your iphone, blackberry, android or whatever and then all your contacts are on your phone and 'in the cloud'. Most of the apps that are free have ads and it is pretty standard practice for advertisers to want as much info about someone as possible. This is not anything new and it has been known for a while on these devices.
You can write your own apps, but good luck with that, start an open android market, but then you can have all sorts of rogue apps taking who knows what kind of data about your computer or you can live with this.
The same thing happens online when you visit a web site, only they use cookies and try to gather as much info as possible. I suppose at some point google or the android community or apple will add in an anonymous feature on the phones, but until then you either live with it or don't get a smart phone.
Only 'flamers' flame!
Does slashdot hate my posts?
So, since I can't recall ever supplying my gender to my phone, how is it determining that? Turning on the camera, hoping there's a hole in my pocket, and assuming that my sex and gender are concordant? Snooping on my location and contacts is one thing, but if I volunteer certain information then I've always assumed the app phoned home with that information. Surely that's common sense...
Right, what the heck is the purpose of obtaining the source? So you can spoof your location? That will work well when you actually want to use a GPS app for real. No spy code in OS, the spy code is in 3rd party libraries that developers put into their code for Ads and Analytics.
http://www.usatoday.com/tech/news/2010-12-13-army-smartphones_N.htm?csp=34tech
The [US] Army wants to issue every soldier an iPhone or Android cellphone — it could be a soldier's choice.
Vane said he wants to use the phones to collect biometrics on enemy combatants.
To track the bad guys, track the troops and what the troops might be writing about.
Domestic spying is now "Benign Information Gathering"
An investigation by the Wall Street Journal of 101 popular smartphone "apps"--games and other software applications for iPhone and Android phones--shows that 56 transmitt the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitt the phone's location in some way. Five send age, gender and other personal details to outsiders. "In the world of mobile, there is no anonymity," says Michael Becker of the Mobile Marketing Association. A cellphone is "always with us. It's always on." Smartphone users are all but powerless to limit the tracking. With few exceptions, app users can't "opt out" of phone tracking, as is possible, in limited form, on regular computers. Both Apple and Google say they protect users by requiring apps to obtain permission before revealing certain kinds of information, such as location but the investigation found that these rules can be skirted. For example, one iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission. Apple declines to comment on whether the app violates its rules.
Define all the 3rd parties library functions as dummies and rebuild without linking to those libraries ...
All of my Android apps are either free, or one-time paid. Sure, I could probably make some more money bundling in an ad network, but who wants to be responsible for exposing my customers like that? Besides, some of my apps are designed to *enhance* privacy - I could hardly turn around and sell out my users. The developer who includes ads in their app has little, if any, control over how the collected data will be used or disseminated. So for me, it's just too much of a risk.
I, for one, would like to invite our new advertising overlords to take a flying f..k. But that's just me.
Anybody else remember twelve years ago, when Intel started putting serial numbers in CPUs? There was widespread outrage, and they dropped the idea.
Today, Google and Apple have (effectively) put serial numbers in (handheld) computers, and software is rabidly exploiting that.
We didn't tolerate it then, we shouldn't tolerate it now.
"Given the pace of technology, I propose we leave math to the machines and go play outside." -- Calvin
I've written a few small games for Android. They're all free and ad supported, and the advertising networks want as much data as they can get. Even with all that, they don't pay all that well. One of my apps gets as little as $.16 per 1,000 ad impressions. I'd love to skip the ads, but my apps really aren't good enough to charge for, at least this way I get something out of it. It's not like the developers are getting rich on your personal data, perhaps the networks are or developers who are lucky enough to get a lot of exposure, but it's a rough world for the little guys looking to compete. I'm glad it's just a hobby for me.
It doesn't matter what the app does with the location data after, the fact is that you agreed to provide it. The poster you are responding to is exactly correct that it's kind of a social engineering issue, although depending on what you are sending Apple might actually catch it in review (remember that now they are checking for things like device specific data being sent out thanks to leaked device testing details).
At least on the iPhone you are asked when the app tries to get the users location, not up front as on Android.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Can it get access to Facebook app's info? For age, sex and more info?
No, app sandbox.
Can it get the cell tower ID or some other non-obvious metric identify location?
Not in the API and therefore would be rejected. You also cannot get the SSID of the WiFi you are on nor any WiFi around you.
As I said, I'm an app developer. I know the sneaky ways you could try and do something, and what is possible. Gender is not even stored anywhere. Location is just not possible with the restrictions the app store has in place (and they are scanning now for any use of private symbols).
Not to mention they are ALSO monitoring outbound connections from apps now as part of review.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Then clearly I must be an Android person, because you sir, are not making sense to me at all...
IP based location over HTTP is trivial
Quick, what is the location of 10.1.10.45? That's my current IP address.
But perhaps you'd proclaim NAT to be unfair even though 90% of people on WiFi will be behind one.
Well what about the cell network? My phone is 166.205.14.227.
And I don't live anywhere near Austin, or even in Texas...
I wouldn't say "less accurate", I'd say "almost unusable".
"There is more worth loving than we have strength to love." - Brian Jay Stanley
No, the 3rd party libraries are what you (the developer) added to your code for ads and analytics. Its not in the source.
how is not in the source??? you have to call the functions at some point? and in order for the program to work as a whole you have to link against those libraries. If you look in the source and find those calls, disable them (plenty of ways to do that) and rebuild the program, the final build shouldn't have ant ads in it.
that would be a little unethical, by doing so you deprive the dev of income. But if he shares infos he's not supposed to share, he deserves that in a way. But the best thing to do is to stay away from those applications
Transparency is the key, if they ask for information they should tell exactly what they intend to do with it be fore you agree to give it or not. As I said in an other post, if you go to a bar and they ask for an id, you have to give the ID in order to get in (or not but you wont get in), but that doesn't give them carte blanche to do anything they want with that info (drivers lic number name address aged...etc) if they tell you we want that info to validate you have the required age to enter, and we may be giving that info to our sponsors you can say no and go some where else or say hey what the hell I don't mind be my guest. Knowing helps you make a choice (free information is key to free market)