Half of more than two-dozen popular Android apps studied by researchers and available for download to smartphones secretly transmit the geographic location of users, i.e. the approximate physical location of a consumer with their device, to remote servers controlled by advertisers, according to new findings released Sept. 29.

But makers of the applications typically don’t provide privacy policies clearly stating how this sensitive information is being used or where it’s going. Seven more of the applications out of 30 send information uniquely identifying the phone and occasionally include actual phone numbers as well as serial numbers assigned to SIM cards where consumers store their contacts, text messages, call history and more.

Scientists and students at Penn State University, Duke University and Intel Labs conducted the study by creating a tool called TaintDroid that analyzes how downloaded apps are capturing private information from cell phones and releasing it to third parties. The results highlight a growing debate about the way in which advertisers quietly keep tabs on the Internet habits of consumers to more narrowly target them with product pitches.

That can make advertising space on the web far more valuable, and indeed the industry behind it has grown rapidly in recent years. But it also means people will be giving up increasingly intimate details about themselves without always being aware of it or knowing how to put a stop to the snooping. The report also found more generally that among 20 leading apps used within the Android mobile-phone platform, there were nearly 68 instances of private information being “potentially misused.”

“We don’t have the data to say that a majority of third-party apps are untrustworthy,” Duke assistant professor Landon Cox said in a statement the school released. “This study, however, is a proof-of-concept to show the value of enhancing smartphone platforms to include real-time monitoring tools like TaintDroid to give users awareness of how their information is being shared.”


Video produced by Duke University showing TaintDroid in operation.

Days later on Oct. 1, a researcher at Bucknell University in Pennsylvania released similar conclusions, this time after studying top iPhone applications. Information security expert Eric Smith found that almost 70 percent of them were sending unique identifying numbers for the phones to remote servers, and a segment of those involved encrypted communications “such that it was not clear what type of data was being shared.” According to Smith:

An advertiser or other entity who wants to track user behaviors and patterns online could not ask for a better identifier than one that is guaranteed by the hardware manufacturer to be unique to a single device. There is no ability to block the visibility of the iPhone’s [unique device ID] to any installed applications, nor is there a mechanism to prevent the transmission of the UDID to third parties in the current version of Apple’s IOS, the operating system used by the iPhone.

Many of the applications are capable of linking this unique number to login information, such as what you use to access Twitter, Facebook and Amazon, meaning that between the two pieces of data, your actual or “real-world” identity could be established.

Other corporations offering apps that collect device IDs and also require login information include Chase Bank, Target and Sam’s Club. For several more, like eBay and Bank of America, an answer couldn’t be provided due to encryption. But based on the trend uncovered, Smith concludes they likely send off unique IDs, too.

Privacy advocates were already complaining about the use of sophisticated cookies planted in web browsers to surreptitiously watch for places visited on the Internet by consumers. Smith says the same thing is occurring on smartphones where nearly ageless cookies can “live” for several years and follow data generated by individuals over long lengths of time.

His report determined this was the case with apps offered by mainstream media organizations, including ABC News and BBC News. “The existence of these long-lived persistent cookies could allow for third parties to link [unique IDs] from old, discarded phones to individuals’ new phones as they upgrade to the newest iPhone model every few years.”

Smith found that iPhone applications are also sending the latitude and longitude of devices elsewhere, which consumers consent to often without fully knowing it when they click through Apple’s 159-page terms of service in order to access its online App Store. There are no means available to delete app cookies or prevent someone else from seeing your device’s unique ID, which makes iPhone owners “helpless” to the information being leaked, Smith argues.

It’s not just advertisers in a position to use this data, either, he says. The information could feasibly be turned around and sold to curious spouses, divorce attorneys, corporate spies and debt collectors.

Already government authorities are using smartphones to revolutionize law enforcement and the collection of intelligence. Digital searches may require a court-issued warrant and the showing of probable cause, to be sure. Nevertheless, one company called Micro Systemation offers two systems that aid investigators and intelligence analysts in removing the immense volumes of user data that mobile phones can stockpile.

An executive from Micro Systemation, Douglas Oby, told the trade paper Government Security News in an interview earlier this year that everything conceivable short of voice conversations can be exploited, from call histories and text messages to GPS locations and e-mails. According to Oby:

In Europe right now approximately 70 to 80 percent of the cases that are being investigated contain some kind of cell-phone data or evidence. In the United States, a very small fraction of law enforcement at this time are going after cell-phone data and cell-phone evidence. I truly believe this is going to be a very, very huge market. It’s going to be huge, like fingerprints and DNA. I think it’s on that scale.

Flickr image courtesy Kenn Wilson.

Creative Commons License

Republish our articles for free, online or in print, under a Creative Commons license.

G.W. Schulz is a reporter for Reveal, covering security, privacy, technology and criminal justice. Since joining The Center for Investigative Reporting in 2008, he's reported stories for NPR, KQED, Wired.com, The Dallas Morning News, the Chicago Tribune, the San Francisco Chronicle, Mother Jones and more. Prior to that, he wrote for the San Francisco Bay Guardian and was an early contributor to The Chauncey Bailey Project, which won a Tom Renner Award from Investigative Reporters and Editors in 2008. Schulz also has won awards from the California Newspaper Publishers Association and the Society of Professional Journalists’ Northern California Chapter. He graduated from the University of Kansas and is based in Austin, Texas.