Privacy Concerns With Android and iPhone Apps 116
carre4 writes "The Wall Street Journal has come out with an article where they examine 101 popular smartphone apps and show that 56 of them transmit various types of information including unique phone IDs, age, gender, postal codes, and location to ad companies. The article also includes responses from infringing app makers and talks about the pressure that some developers feel to share even more information, like Max Binshtok, creator of the DailyHoroscope for Android, who has been encouraged by ad-network executives to transmit users' locations."
Re: (Score:2)
I, for one, would like to invite our new advertising overlords to take a flying f..k. But that's just me.
Isn't there anything like sourceforge for android? (Score:5, Interesting)
Se we can download source and built it ourselves?
Re: (Score:1)
Does sourceforge have a policy of discrimination against mobile stuff? Also, downloading and compiling is only useful when someone has done the coding and sharing.
Re: (Score:2)
>are the ones that need to tell others what is cool and what is not
What about those who tell others who the real losers are, what are those?
Re: (Score:1)
Re: (Score:1)
Re: (Score:1)
No, the 3rd party libraries are what you (the developer) added to your code for ads and analytics. Its not in the source.
Re: (Score:1)
that would be a little unethical, by doing so you deprive the dev of income. But if he shares infos he's not supposed to share, he deserves that in a way. But the best thing to do is to s
Re: (Score:3)
For the Android OS there is: The Android Open Source Project [android.com]
However, as far as I understand it, there are some hurdles with regards to building a ROM depending on the phone you have. Some have locked bootloaders / proprietary drivers.
For apps, there is a lot of stuff on GitHub, but as someone else already posted that requires the dev to have shared the code.
If you root your device a good firewall is DroidWall
Re: (Score:2, Informative)
Le Wiki Koumbit: https://wiki.koumbit.net/AndroidFreeSoftware [koumbit.net]
The Replicant for Android list: http://trac.osuosl.org/trac/replicant/wiki/ListOfKnownFreeSoftwareApps [osuosl.org]
The Wikiperdia list: http://en.wikipedia.org/wiki/List_of_Open_Source_Android_Applications [wikipedia.org]
What's the world coming to (Score:3)
Aren't there laws against these practices?
Re: (Score:2)
>Aren't there laws against these practices?
You know, I might ask you the very same question, Mr tsa. (j/k, your probably not *that* tsa, right?)
Re: (Score:2)
No, my tsa are some letters from my family name, don't worry :). I don't even live in America.
Laws of reality (Score:5, Informative)
The article stated:
"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again I cannot think of a way that is even possible on an iPhone without being asked; no-where on my iPhone is my birthday or age stored.
Re:Laws of reality (Score:5, Insightful)
The problem is, there is no way to know what the information is being used for.
I've never used Pumpkin Maker and the description doesn't mention anything about it's capabilities. However, suppose I include a "feature" which will display a background depending on the time of day and your location. So if it's after sunset, it will be dark outside. Of course, for me to know if it's sunset, I need to know your location since sunset varies depending on where in the world you are.
Thus, Pumpkin Maker needs my location. So it comes up and says, "Would you like to allow Pumpkin Maker to access your location?" Makes sense--it needs to know my location so that it can display the appropriate background. Of course, it doesn't mention that while it's showing your appropriate background, it's sharing your location with it's advertisers.
Gender would be easy to come by--just ask. After all, it's a fun game for kids and we want to identify the kid with the appropriate pronoun. Or we ask for a name and send that off--after all, we want to identify your pumpkin as "Bob's Pumpkin" or "Sally's Pumpkin" initially, right? Then something on the backend figures out that "Bob" tends to be a boy's name and "Sally" tends to be a girl's name. "Pat" will confuse it, of course...
Age? Again, you could just ask. You have a collection of add-ons for your pumpkin and you want to filter for age-appropriateness. After all, we don't want small children adding pumpkin boobies or penises. That would be sick and wrong and we're a good company that Thinks of the Children.®
So the game collects all of this information for a good reason but it never says, "Hey, you mind if I ship it off to advertisers?"
Again, I've never used this App. I don't know much about it. But these are some ways you could get the information.
Re: (Score:3, Interesting)
Oh, I agree, there isn't one.
Part of the problem, though, comes from the iPhone zealots--and, to a lesser degree, Apple--who claim that Apple's App Store makes your private information nice and secure. After all, they'll claim, look at all those nasty apps on Android that transmit your personal information. iPhone users don't have to worry about that because Apple checks all of these things and makes sure that you're safe.
So if Apple can't stop an App like Pumpkin Maker from transmitting personal informat
Re: (Score:1)
he's replying with a hypothetical (and also plausible) way of obtaining information which the GP was say is impossible without the user's consent.
in his scenario he's saying that it is possible that the application asked for that information in order to function as advertised but no where it says hey while we're here I'll be shipping the information that you just gave to [insert add company]. Which is very plausible. If the application would a
Still consented to by user (Score:2)
It doesn't matter what the app does with the location data after, the fact is that you agreed to provide it. The poster you are responding to is exactly correct that it's kind of a social engineering issue, although depending on what you are sending Apple might actually catch it in review (remember that now they are checking for things like device specific data being sent out thanks to leaked device testing details).
At least on the iPhone you are asked when the app tries to get the users location, not up f
Re: (Score:1)
But that's beside the point. The poster who answered your post didn't in any way intended to propose a solution for the social eng problem he was merely pointing o
Re: (Score:1)
The article stated:
"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again I cannot think of a way that is even possible on an iPhone without being asked; no-where on my iPhone is my birthday or age stored.
On my Android for example you can cross link contacts from different sources. Facebook for example. On Facebook you could store your birthday and gender. I am not a developer, but I see some possibilities here perhaps... Any comments?
Re: (Score:2)
You'd still have to be asked for the users Facebook login credentials. The user would then know the app had access to Facebook data - and I believe that Facebook further tells you what kinds of data the application has requested access to see.
From there it is possible for the app to mine something and send it off. But, again, the user would know the app had access to Facebook, they had authorized it. And Apple does some kind of network monitoring from apps to see what they are transmitting, so if it did
Re: (Score:2)
Can it get the cell tower ID or some other non-obvious metric identify location?
No. (Score:3)
Can it get access to Facebook app's info? For age, sex and more info?
No, app sandbox.
Can it get the cell tower ID or some other non-obvious metric identify location?
Not in the API and therefore would be rejected. You also cannot get the SSID of the WiFi you are on nor any WiFi around you.
As I said, I'm an app developer. I know the sneaky ways you could try and do something, and what is possible. Gender is not even stored anywhere. Location is just not possible with the restrictions the app store has in
Re: (Score:2)
Can apps access the web without permission? IP based location over HTTP is trivial and if web access doesn't require special permission then that's one way to do so.
It is of course much less accurate than GPS based location.
Trivial? (Score:2)
IP based location over HTTP is trivial
Quick, what is the location of 10.1.10.45? That's my current IP address.
But perhaps you'd proclaim NAT to be unfair even though 90% of people on WiFi will be behind one.
Well what about the cell network? My phone is 166.205.14.227.
And I don't live anywhere near Austin, or even in Texas...
I wouldn't say "less accurate", I'd say "almost unusable".
Re: (Score:2)
Of course in some cases it can be states out, but even if it gives the users country, which, in 99.99% of cases it will, then that's good enough for many advertisers as they'll often have a focus across at least a whole nation with their product/advertising program. Some sites such as the BBC and Hulu trust it enough country-wise that they use it as their core method of ensuring content is only served to users in specific countries- it's trivial to get around with VPN but again, how many people do that real
Re: (Score:1)
"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again I cannot think of a way that is even possible on an iPhone without being asked; no-where on my iPhone is my birthday or age stored.
Impossible? Anything's possible. http://blogs.wsj.com/digits/2010/12/19/how-one-apps-sees-location-without-asking/ [wsj.com]
duh (Score:2, Flamebait)
Closed source = no expectation of security + no expectation of privacy + expectation of malice + higher development cost. The sooner Joe Q. Public gets this consumer advocacy message, the better off he'll be. There are only two valid reasons to conceal the code: embarrassment and ill will towards the user. And the only valid reason to make an open-sourced program non-free is greed. None of these are helping the user, the consumer, or whatever you want to call 99% of people who use computers.
Ugh (Score:5, Insightful)
Re: (Score:3)
>FOSS has gone a long way to make the world a better place, but it's not a be-all, end-all solution.
Sure it is. We're just not there yet.
Re: (Score:1)
Sorry to burst your bubble, but most developers like to eat, which means that commercialization of software comes in at some point
That's great, but may be, as Eben Moglen noticed, they should eat just a tad bit less. While you are sitting here defending them, they are collecting monopoly profits. And I don't mean the kind of monopoly that Microsoft and Google are being accused of, but the intellectual monopoly on ideas that ALL proprietary software vendors enjoy. Are you really that spineless or deluded? Or do you have money to burn? If YOU, the user, are going to pay for software development, why not make it a condition that the resu
Re: (Score:1, Insightful)
Because maybe he agrees that the developers should be fairly paid for their work? Not everyone is a retarded hippie, okay? Knock it off. You're the spineless one if you can't accept that people think differently than you about how software should be available. I personally am perfectly fine with applications that are closed and applications that are open, as long as there aren't inherent problems with the closed software (shady company, obvious lack of maintenance and support, etc.)
Re: (Score:1)
I think it's unfair to say that a desire to make money off of your product is greed, if greed is bad.
There are two options here:
1. Your statement is false, and someone who puts _their_ time and effort into a product has a right to be compensated for their time and effort. Thus by charging for a product, they are not greedy by definition. They need to make a living too.
Or
2. Your statement is true, and greed is not bad.
I think it's the former. While I certainly use my fair share of free software (and enjoy
Re: (Score:2)
Re: (Score:2)
...+ higher development cost...
Higher development costs don't matter until the profit is counted. If you give it away and don't charge, then your development costs are actually higher with Open Source.
Basically you shot your own argument in the foot.
Powers (Score:2)
I was really suprised when I learned how blunt the security options in Android were.
I'm used to COMODO IS asking me every time an application attempts to use TCP/UDP, start another process, look at a DLL or stuff like that.
All you get on Android is 'DO YOU WANT APPLICATION TO INTERNET? Y/N' which is totally insufficient.
Re: (Score:2, Insightful)
Yeah, you have fun with that crap. I prefer to use the device instead of auditing every packet and process it produces.
Re: (Score:2)
I think "Yes, No, or Prompt me each time" would work.
Then when you get prompted, it should offer the opportunity to never ask again.
I, too, was shocked that when you install an app on the Android, you get one opportunity to see the permissions that you are granting that app. Seemed like it was "take it or leave it", too - you can give it all the required permissions, or not use the app.
Re: (Score:2)
Agreed - you should be able to tweak the permissions. So, if the app asks for location tracking, and you don't want to grant it, you can tell the OS to install the app but not let it know the location, rather than not install it at all. Of course, if you're installing a navigation app you'll have to accept that the app won't work. However, if you're installing an IM client maybe you don't want it to know where you are.
The API could make these kinds of situations work out so that applications don't have p
Re: (Score:2)
All I want is for the android platform to distinguish internet access for it's purpose. ie, have a permission that says this app shows adverts or another for collects usage stats. These would then have limited access to some websites already preconfigured or even restricted to Google or the phone provider/carrier. Then if this is part of the API the phone can control what information is allowed through, even restrict the granularity of information (ie, age groups, or country rather than city). I'm happy if
Information security? (Score:2)
Now, apart from the phone ID, do people REALLY use their real age, gender, and postal code on their phone? It's your phone, not the advertisers. It also sounds like we need a web browsers "No script" type of app for Android to trawl the other apps for data leaks and deliberately ruin the data for advertisers. They are not paying your phone bill, so why give them useful information, give them garbage.
Re: (Score:3, Insightful)
This is actually a good Idea.
The problem is that giving that level of snooping capability to one app pretty much makes it available for other apps, and you can see how that would get out of hand pretty quickly with one app data mining another and sending back encrypted data later.
Perhaps a better method would be for Android/IOS to find a way to lock down access to specific items of data in the phone. If you want to deny an app from reading your phone number or IMEI you can just uncheck a box and it can't e
Re: (Score:1)
While not a complete block of all this garbage, adFree on rooted Android phones blocks most ads at the /etc/hosts level, and I'm sure lots of these companies aren't writing code to submit directly to IP address.
I can't imagine them writing a way to get my info, but not show me their ads, and since installing, all of my "ad-supported" apps are not.
I have no issue paying for apps, and will continue to do so if I find it useful. But garbage like this is going to prevent me from doing any form of proxy support
Re: (Score:2)
In other news (Score:1)
It was uncovered today that your toilet analyzes your stools and sends the results to your proctologist. If you cannot afford a proctologist, one will be provided to you...
Re: (Score:3, Funny)
It was uncovered today that your toilet analyzes your stools and sends the results to your proctologist. If you cannot afford a proctologist, one will be provided to you...
unless you live in the US. in which case, your shit's out of luck
I think many people suspected this (Score:2)
There are many applications that want to run more services that they need to.
For example, when I start up an application for an IT magazine, it always asks me if I want to turn on my GPS. There is no need for it to use GPS to show me content so the only reason would be to make a not of my location for someone else.
That is an easy one to fix, I have GPS off unless I anctually want to use it. The same goes for WiFi - smartphone batteries do not last as long as stupidphone ones.
But what about other leaks?
L
Re: (Score:2)
Yup. All of your problems would go away if the app asked for a list of permissions, and then you'd edit them to what you want to give. Obviously you can't revoke GPS since you'll get no value from the app, but you could just kill the network access.
Re:I think many people suspected this (Score:4, Informative)
Re: (Score:2)
Re: (Score:1)
An application on Android can get location information using A-GPS without using network permissions, the "assisted" segment is handled by the GPS daemon\driver.
BlackBerry Permissions (Score:1)
Re: (Score:2)
Re: (Score:1)
Android is not the same, check out the screen shots posted in this forum link: http://forums.crackberry.com/f86/application-permissions-234021/ [crackberry.com] The BB actually gives the user the choice on a PER-APP basis what permissions to allow each app. As much as I've grown to hate my BB Storm for its overwhelming lack of memory and frequently required battery pulls, at least I have some control over how applications use my phone. I'd love to switch to an Android-based phone but I am hoping that the developers will a
Re: (Score:2)
yes but i cannot selectively disable parts of the permissions it is requesting.
Re: (Score:2)
But on a BlackBerry you can permit/deny individual items, whereas on the Android, you can either permit all or deny all (by not installing the app). Which is a useless security model, the user will think "Oh it will steal all my data. But I really want to play this game!".
On the BB you can say "Sure you can keep the screen powered on, but no internet, no location, no reading the calendar and address book."...
New SMS Message! (Score:1)
Hey! You just walked by the best pizza restaurant in town! Come on in, show this message at the check-out, you'll receive a 10% discount. We're just 102.1 meters away at 3030 Main St.
Re: (Score:1)
Yeah, my god, you think humans are capable of walking the length of a football field? It takes incredibly trained football teams many tries with rest periods to make it that far!
Re: (Score:2)
Well duh... (Score:2)
Anyone who has used android knows this is true. There are loads of apps that ask for permissions they clearly shouldn't need. Most often it is for internet access, your location, your phone ID (IMSI), and sometimes access to your contacts.
Obviously the crappy little 'content' apps like DailyHoroscope, backgrounds and ringtones are the main culprits.
So why buy an android or jobsian phone? (Score:2)
...when you could have a Nokia N900?
Re: (Score:2)
...when you could have a Nokia N900?
I bought an iPhone 4 recently (previously used a 1st gen iPhone). The choice was between it an an n900. N900 was winning on all counts except ease of upgrade (which was not a major factor at all). N900 lost when I went to a local store and saw the thickness of the n900. My pocket space is valuable.
Unique Id (Score:1)
So if an app just happened to transmit a unique id then it would get on this list?
I don't see how that is much of an issue at all, remember your browser can identify you uniquely unless you have something as common as a fresh install of XP with no updates, etc.
I would like to see the figures that have better criteria than just sending unique ids. (Such as location)
Data from Article (Score:5, Informative)
Re: (Score:1)
Re: (Score:2)
fake data (Score:2)
I do not have a smartphone myself, but one of the first apps I would install would be some sort of fake data sandbox for apps.
I have seen the install screen for android apps briefly: they show what sort of permissions an app needs: access to GPS, address book, outgoing sms, etc; but the only options seemed to be "grant that access" or "do not install"
So simply add a checkbox that allows me to supply fake GPS data, fake "no connection" signal, fake empty address book for apps that I do not want to access the
Re: (Score:1)
A simple solution: root the phone (Score:2)
After rooting your Android phone, you can block the advertisers with AdFree (which a simple black list for all ad sites), or go with a more complex solution like DroidWall and only allow apps you trust to access the net. And you can easily change Android ID with aptly named Android ID changer or simple db hack.
Not sure if something similar exists for iPhone (would never touch it anyway).
Re: (Score:2)
I don't mind to see the occasional ad, but I never agreed to sending my personal information to the advertisers. It is not essential to them, the targeted ads don't seem to work anyway despite all their efforts (I don't remember any mobile ad that seemed even little relevant).
Since it's the app developers who send the information, they deserve to be left without revenue. Maybe it'll teach them to value their users' privacy.
Re: (Score:2)
What's your app, and what kind of ads do you use? And why are you AC?
I use DroidWall and have a few simple rules for allowing or disallowing net access. First, all apps are denied 3G access unless they really need it (my data plan is limited). Second, if an app requires some suspicious permissions - it is denied Wi-Fi access as well. For instance, if an offline game requires location information (and a lot do!) - it is denied any kind of net access.
Re: (Score:2)
Yep, also for jailbroken ("rooted") iPhones. It's called Firewall IP and alerts you to all outgoing connections being made
Re: (Score:2)
In Android all apps get different UIDs (unless they demand sharing the id), and GID determines the allowed permissions. So it's very easy to filter not just by usual IP rules (src:port-dest:port), but also by application, effectively doing application level firewall. That's what DroidWall is.
There is a huge difference between rooting and jailbreaking. Android is open, in a sense that it allows installing apps from any source out of the box, you don't need jailbreaking. Rooting just allows superuser permis
Android sandboxing (Score:2)
Don't forget that Android applications are placed in a sandbox. Each time you install an app, you will have to agree that the app wants to have access to specific parts of your phone. I've discarded apps that were too invasive, e.g. wanting access to my phone book, or games that want access to the internet. With Apple, the only protection you have is...Apple. At least with Android there is another level of security.
Some of what the article stated is not possible (Score:2, Interesting)
The article stated:
"One iPhone app, Pumpkin Maker (a pumpkin-carving game), transmits location to an ad network without asking permission."
That is flat out impossible. I am an iPhone developer; there is no way for an application to obtain user location without the user being prompted if that is OK.
It makes the rest of the conclusions very suspect to me. Just how would an app get age and gender? Again I cannot think of a way that is even possible on an iPhone without being asked; no-where on my iPhone is my
yeah and? (Score:2)
You buy an android and you pretty much HAVE to have a google account so all your data can be 'in the cloud'. If it has moto blur then moto has a copy too.
You install facebook on your iphone, blackberry, android or whatever and then all your contacts are on your phone and 'in the cloud'. Most of the apps that are free have ads and it is pretty standard practice for advertisers to want as much info about someone as possible. This is not anythin
Gender? (Score:1)
A wonderful new tool (Score:2)
The [US] Army wants to issue every soldier an iPhone or Android cellphone — it could be a soldier's choice.
Vane said he wants to use the phones to collect biometrics on enemy combatants.
To track the bad guys, track the troops and what the troops might be writing about.
Your Apps Are Watching You (Score:2)
This is why I don't include ads in my apps... (Score:2)
All of my Android apps are either free, or one-time paid. Sure, I could probably make some more money bundling in an ad network, but who wants to be responsible for exposing my customers like that? Besides, some of my apps are designed to *enhance* privacy - I could hardly turn around and sell out my users. The developer who includes ads in their app has little, if any, control over how the collected data will be used or disseminated. So for me, it's just too much of a risk.
We've been here before (Score:1)
It's rough out there (Score:1)
I've written a few small games for Android. They're all free and ad supported, and the advertising networks want as much data as they can get. Even with all that, they don't pay all that well. One of my apps gets as little as $.16 per 1,000 ad impressions. I'd love to skip the ads, but my apps really aren't good enough to charge for, at least this way I get something out of it. It's not like the developers are getting rich on your personal data, perhaps the networks are or developers who are lucky enoug
Re: (Score:2)
Then clearly I must be an Android person, because you sir, are not making sense to me at all...