Smartphone apps can do more than provide you with entertainment, information or useful services -- they can also invade your privacy.
Apps can trace your Web habits, look into your contact list, make phone calls without your knowledge, track your location, examine your files and more. They can also automatically send information such as location data to mobile ad networks.
In addition, apps can gather the phone number and the unique ID number of each type of phone: the Unique Device Identifier (UDID) on the iPhone, the International Mobile Equipment Identity (IMEI) number on the BlackBerry, and (depending on the make) the IMEI or the Mobile Equipment Identifier (MEID) on an Android phone. Personal information that apps gather about you can be matched to these IDs. That means that ad networks can easily combine various pieces of information collected by multiple apps, build a sophisticated profile about you -- and then legally sell that data to other marketing companies.
It's not as if you weren't warned. Before you download an app, you often get to see the kinds of information that the app will collect about you. On Android, for example, when you tap Install to download and install an app, a screen displays the "permissions" you grant it when you install it. In order to download and install the app, you must tap OK underneath the "Accept permissions" button. BlackBerry phones also cite permissions and Apple monitors all App Store apps for safety.
But do you actually pay attention to what's gathered? Have you ever not downloaded an app based on what information it indicates it's going to harvest about you? What do those notices really mean?
In this article, we'll detail the kind of privacy threats you face when using mobile apps, offer advice on ways you can protect yourself, and take a look at possible legislation that may -- or may not -- help.
What information do apps gather?
Researchers warn that a surprisingly high percentage of smartphone apps may threaten your privacy. In October 2010, joint research by Intel Labs, Penn State and Duke University found that 15 out of 30 Android apps analyzed sent geographic information to remote ad servers without users' knowledge. Seven of them also sent the unique phone identifier; in some cases, the actual phone number and serial number were sent to app vendors. This can enable app vendors and/or advertisers to create comprehensive profiles about your likes and dislikes, the places you visit when you carry your phone, your Web surfing habits and more. They can then use those profiles however they want or sell them to others.
Meanwhile, in June 2010, security vendor SMobile Systems found that 20% of Android apps allowed third parties (that is, companies other than the app vendors themselves) to get access to private or sensitive information. In addition, the report warned, 5% of the apps could make phone calls by themselves without user intervention and 2% could send an SMS text message to a premium, for-pay number -- again without the user making the call.
Apple's iOS is not immune to such threats. In January, a class-action suit filed in San Jose charged Apple, the music-streaming service Pandora and others with "transmitting [users'] personal, identifying information to advertising networks without obtaining their consent." The suit also charged that "some apps are also selling additional information to ad networks, including users' location, age, gender, income, ethnicity, sexual orientation and political views." The case is still winding its way through the courts.
This issue is enough of a worry that federal prosecutors are currently investigating whether iOS and Android apps obtain or transmit information about users without properly disclosing what they are doing, according to the Wall Street Journal. Pandora has already received a subpoena in the probe, according to the Journal.
The most comprehensive investigation into the kind of information that smartphone apps gather and how they use it may be one conducted by the Wall Street Journal itself. The Journal examined 101 popular iOS and Android apps and found that "56 transmitted the phone's unique device ID to other companies without users' awareness or consent. Forty-seven apps transmitted the phone's location in some way. Five sent age, gender and other personal details to outsiders."
For example, the Journal found that Pandora "sent age, gender, location and phone identifiers to various ad networks." The iOS and Android versions of a game called Paper Toss "sent the phone's ID number to at least five ad companies." The list goes on.
The Journal also found that, as a general rule, iOS apps sent more personal data than did Android apps, but the newspaper also noted that "because of the test's size, it's not known if the pattern holds among the hundreds of thousands of apps available."
The legal issues
There may be very little that you can do about one of the biggest privacy issues related to apps: What is done with your personal information after it is gathered by a mobile app.
You can try to check the apps themselves to see whether they have privacy policies in place. Typically, these policies can be found in a Settings screen, on an About This App tab or screen, or possibly through a link at the bottom of a screen. But few apps have or display these types of policies. TRUSTe and Harris Interactive recently studied the top 340 free iOS and Android apps and found that only 19% of them included links to privacy policies.
Troy H. Vennon of the Juniper Global Threat Center warns, "Many developers are collecting device information and storing that information on third-party servers as a means to build ad profiles or device profiles for delivering application content.... It's worth noting here that nearly all free applications use some sort of adware kit in order for the developers to generate revenue on their free applications. How many of these free applications are collecting and transmitting this 'private' device data to build those ad profiles?"
No one knows the answers to those kinds of questions, because there are no legal requirements to provide them.
Congress is concerned enough about the issue that it has held hearings on the matter. After a recent hearing of the Senate Judiciary Committee's privacy and technology subcommittee, Sen. Al Franken (D-Minn.), chairman of the subcommittee, called for Apple and Google to require that location-aware apps include privacy policies.
"Apple and Google have each said time and again that they are committed to protecting users' privacy," Franken wrote in a letter to the companies. "This is an easy opportunity for your companies to put that commitment into action."
However, that would be a relatively small step, because it would cover only location-aware apps, and would not limit how the apps share personal information, only that they reveal how they will use it.
Other senators would like to see the federal government take stronger measures. Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act in April, which would require any Web-based businesses, including mobile ones, to give a clear notice to consumers about what data is being collected about them. And Sen. Jay Rockefeller (D-W.Va.) introduced a bill that would in essence create a national do-not-track mechanism to allow users to opt out of being tracked. It would apply to mobile network operators, websites and ad networks.
It's not clear that either bill will pass, especially because they face opposition from groups such as the technology trade group Association for Competitive Technology (ACT).
How to protect yourself
Given all that, what can you do to protect your privacy when using apps?
First, keep this in mind: The very nature of using a mobile app exposes you to potential privacy intrusions. So you need to balance the benefit you expect to get from an app against the potential privacy risk.
Even the most rigorous privacy protectors don't say you should avoid downloading apps altogether. Rather, they say, the key is making sure that the app you're downloading truly requires the permissions it's asking for. If, for example, a single-player game asks for permissions to send SMS messages, that should be a clear warning sign, because there's no need for a game like that to send text messages.
Keep reading for a look at how some of the major mobile operating systems handle permissions -- and to learn what you can do to protect yourself.
-- Preston Gralla
Android: Permission granted?
Troy H. Vennon was a researcher with SMobile Systems when it conducted the research that found that 20% of Android apps allow third parties to get access to private or sensitive information. (SMobile Systems has since been acquired by Juniper, and Vennon is now a research engineer with the Juniper Global Threat Center.) He emphasizes that, while every permission available to an Android developer has a legitimate purpose, it is important for consumers to decide whether the permissions demanded by a particular app are necessary.
"For example," he says, "in many cases the SEND_SMS permission is completely benign and has a legitimate purpose. But if that same permission is requested in an application that has no discernable SMS functionality, you may be looking at an SMS Trojan app that might be capable of sending SMS messages to premium rate numbers without the user's consent."
William Enck, who as a doctoral student at Pennsylvania State University was one of the researchers who found Android apps send geographic information about users to remote ad servers without the users' knowledge, says, "When you install a new application, look closely at the permissions listed.... Users can also contact developers if they do not understand why an application has certain permissions. I have done this several times, and in at least one case, the developer removed the permission."
According to Jay Nancarrow, a Google spokesperson, the permissions that an app displays before installation limit what the app can actually do -- essentially the app is "sandboxed" and can't get data outside the sandbox. So, for example, if you install an app that doesn't ask for permission to "read Browser's history and bookmarks," there's no way that app can subsequently get that information, he says.
Before you download an Android app, you're shown a list of permissions the app requires. Android has broad categories of permissions, such as "Network Communications," and "Your Personal Information." Underneath each of those broad categories are finer levels of permissions, such as "Read browser's history and bookmarks," "Read contact data" and "Write contact data." These finer-grained levels of permissions are what you should look at before downloading an app.
So which of the permissions should you check? Some, such as "Prevent phone from sleeping" have few, if any, privacy implications. But others you need to look at more closely.
Services that cost you money
Two subcategories of permissions could present problems: "Make phone calls" and "Send SMS or MMS." If an app can make phone calls, it could call a 900 number that charges you money, without your knowledge. The same holds true for sending SMS and MMS messages to services that charge you money. If you encounter a problem related to those capabilities, you could end up spending several hours working things out with your carrier.
Your personal information
The "Read contact data" permission presents obvious privacy issues, because it means the apps can view all of your contact information. Keep in mind, though, that plenty of apps legitimately need this permission in order to work -- examples include social networking apps, communications apps such as Skype and many others. The "Read calendar data, write calendar data" permission presents similar privacy issues.
The "Modify/delete SD card contents" permission creates obvious potential privacy risks, because it allows the app not just to write information to your SD card, but to read information from it as well, including your photos, music and more. Plenty of apps legitimately need this permission in order to work, such as camera apps, music apps, file management apps and others.
The "Full Internet access" permission grants exactly what it says: Full access to sending and receiving data and making connections to external sources over the Internet -- without your knowledge. This is the holy grail for malware and privacy invaders, especially when combined with other permissions, such as "Read contact data," because a malicious app could send all your personal information to a server somewhere, and you wouldn't know it.
Keep in mind, though, that as a general rule, many apps ask for this permission, even though you can't see an obvious reason for it. The game Angry Birds, for example, requires this permission. So merely asking for it is no obvious red flag. However, if you're downloading an app that has rarely been downloaded, has gotten few reviews, and has no obvious reason to ask for that permission, you would do well to think twice before downloading it.
The "Read phone state and identity" permission is a commonly used one because many apps need to know when there's an incoming call. However, this permission also lets an app see your unique phone ID, which can then be used to track you. So if there's no apparent reason for an app to ask for this, and it asks for it, stay away.
The two location-related types of permissions that apps might request could both invade your privacy. "Fine (GPS-based) location" uses your phone's GPS technology to determine your location precisely. "Coarse (network-based) location" uses Wi-Fi and cell towers to determine your location; it's less precise than the GPS setting. Any location-aware app requires these types of permissions in order to work. If there's no clear reason for an app to ask for this, you might want to stay away.
Look out for the "Read system log files" or "Read sensitive log data" permissions. Some apps will need these permissions in order to work -- for example, on a Dropbox forum, a staff member wrote: "'Read system log files' is used for crash analysis, so that, if the app has a Force Close, we can determine what the problem was and fix it." But keep in mind that Google says that entries in log files "can contain the user's private information."
Check existing and updated apps
Unfortunately, there's no way for you to know whether apps are indeed sending your info to third parties. You may or may not see more targeted ads on your phone, you may or may not see more spam, etc. There's simply no way to know when the information is being gathered or what's being done with it.
Checking permissions before you download an app can help you vet apps you haven't tried yet. But what can you do about the apps that are already on your Android device? There's a simple way to check their permissions. Tap the Menu key, then select Settings --> Applications --> Manage Applications and tap any app. Scroll to the bottom of the screen and you'll see the Permissions area, which tells you which permissions each app uses. Uninstall any app that concerns you.
In addition, if you're worried about apps tracking your location, you can turn off your phone's location services. Tap the Menu key, then select Settings --> Location & Security. In the My Location section, uncheck the boxes next to "Use wireless networks," "Use GPS satellites" and "Enable assisted GPS." That will turn off all location tracking, but you also won't be able to use any location services. You might consider turning off location tracking, but then turning it back on when you want to use location services.
You can make this process easier by installing a home screen widget that lets you turn services on and off. Many, if not all, Android phones come with a Power Control widget; there are also apps that provide additional functionality, including Dazzler Configurable Switcher, Mini Info and SwitchPro Widget.
Also, keep in mind that when you update an application, the permissions for the updated app aren't necessarily the same as the previous version. Developers can change the permissions. So examine the permissions for the updated app as if you were downloading it for the first time.
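The permission checks described above, and the comparison of an update against the version it replaces, can be automated. The following is an added example, not code from the article or from Google: the two manifests are constructed samples for a hypothetical single-player game (com.example.solitaire), the function names are hypothetical, and the mapping from the on-screen labels to Android permission names is this example's own. It assumes a manifest already decoded to text XML (the copy inside an APK is binary-encoded).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"  # "Full Internet access"

# Permissions the article singles out, keyed by Android permission name.
SENSITIVE = {
    "android.permission.SEND_SMS": "Send SMS or MMS: can cost you money",
    "android.permission.CALL_PHONE": "Make phone calls: can cost you money",
    "android.permission.READ_CONTACTS": "Read contact data",
    "android.permission.READ_CALENDAR": "Read calendar data",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify/delete SD card contents",
    "android.permission.READ_PHONE_STATE": "Read phone state and identity: unique phone ID",
    "android.permission.ACCESS_FINE_LOCATION": "Fine (GPS-based) location",
    "android.permission.ACCESS_COARSE_LOCATION": "Coarse (network-based) location",
    "android.permission.READ_LOGS": "Read system log files",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "Read browser's history and bookmarks",
}
# These two spend money rather than expose data.
COST_ONLY = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}

# Constructed sample manifests: version 1 and an update that asks for more.
GAME_V1 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solitaire">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
</manifest>
"""
GAME_V2 = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solitaire">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared with <uses-permission>."""
    root = ET.fromstring(manifest_xml.strip())
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return names - {None}


def audit(perms, justified=frozenset()):
    """List (permission, reason) pairs for sensitive permissions that the
    app's stated purpose (the `justified` set) does not explain. Internet
    access is reported only when it accompanies readable private data."""
    findings = [(p, SENSITIVE[p]) for p in sorted(perms)
                if p in SENSITIVE and p not in justified]
    readable = [p.rsplit(".", 1)[-1] for p, _ in findings if p not in COST_ONLY]
    if INTERNET in perms and readable:
        findings.append(
            (INTERNET, "can transmit data gathered via " + ", ".join(readable)))
    return findings


def added_on_update(old_xml, new_xml):
    """Permissions the new version requests that the old one did not."""
    return requested_permissions(new_xml) - requested_permissions(old_xml)


if __name__ == "__main__":
    print("New in update:", sorted(added_on_update(GAME_V1, GAME_V2)))
    for perm, reason in audit(requested_permissions(GAME_V2)):
        print(f"  review {perm}: {reason}")
```

Pass the permissions an app plainly needs (for example, location for a navigation app) as `justified` so that only unexplained requests are reported.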
One final thing you should do if you're concerned about privacy invasions: Read the reviews on the Android Market before downloading and see whether others have complained about privacy issues. Be wary of apps that have gotten few downloads and few reviews. It's not that they're necessarily less safe, but with no significant reputation to go on, they're harder to check out.
-- Preston Gralla
BlackBerry 'Trusted App status'
(This section was adapted from an article previously published on CIO.com entitled "How to Manage BlackBerry Application Permissions.")
Research In Motion (RIM) designed its BlackBerry smartphone operating system with security in mind from the start, and it shows: The operating system offers a number of ways for smartphone owners and IT administrators to control how mobile applications interact with a BlackBerry and all of the data stored on it. (Note: The information provided here specifically refers to the BlackBerry 6 mobile operating system, but most of the advice is also applicable to other recent versions of RIM's OS.)
Trusted Application status
Whenever you install a new BlackBerry application, even before you open it for the first time, you're asked if you want to grant the software "Trusted Application status." By granting this status to an application, you're allowing it to access potentially sensitive information on your device without prompting you for permission again.
Once you grant an app Trusted status, you can always go into your individual application permissions and modify them or remove the Trusted status. But it's a good idea not to grant this special status for the majority of apps you install.
You should be very selective about the apps that get Trusted status. Examples of applications that might deserve Trusted App status are those from reliable developers and/or brands you have an established relationship with, very popular apps without any sort of negative security- or privacy-related reviews in BlackBerry App World (RIM's mobile software shop) or elsewhere, and, perhaps, applications you use or have used frequently enough to trust but that require constant permissions acknowledgments.
But keep in mind that when you give a BlackBerry app Trusted status, you're basically giving it free rein over your device, and that could lead to trouble.
Managing BlackBerry app permissions
BlackBerry application permissions are broken down into three categories: Connections, which control application access to device features including Bluetooth, Wi-Fi, USB, etc.; Interactions, which dictate how applications can interact with device settings, media and recording options, etc.; and User Data, which lets you decide which personal data to make available to applications.
When you first install or open a new BlackBerry app, it may prompt you for access to specific device features and functionality. You'll then have options to either grant the required permission or deny it. In addition, you'll often see a "Do not ask again" option that lets you grant the app ongoing access to that specific feature or functionality.
You should pay particular attention to permission requests related to your personal user data, since this type of data is usually the most sensitive information stored on your smartphone. It also pays to be skeptical of apps that request access to core BlackBerry functions, like network connectivity, messages, and GPS and/or cell-tower-based location information.
Some applications legitimately require access to sensitive user information including email, organizer data, files and BlackBerry "security data," such as keystore keys and certificates. And some applications, like the app for the popular location-based social network FourSquare, clearly need access to your location data. So you shouldn't automatically deny requests for access to such information.
But you do want to pay attention to the kinds of permissions that apps are asking for. If something seems odd, deny the permissions request and see if the app still functions the way it should. Denying a permission request could affect some functionality in the app, but sometimes the software will still work fine. And you can always modify the permissions at a later date if you need to.
For example, if a news reader application requests access to your location information, you might want to deny that request, because such an app should be able to function without your location. Many ad-based applications will request access to your location data so they can serve up relevant advertisements based on your whereabouts. However, denying a location request from such an app may stop it from functioning properly because the developer could have built in a feature that blocks content from being served if ads are disabled.
To modify BlackBerry application permissions at any point, simply open up Options, click Device and then Application Management. In BlackBerry 6, you'll next see a screen that lists all of the applications installed on your device. Find and highlight the app for which you wish to change permissions, tap your BlackBerry Menu key and then select the Edit Permissions option.
On the next screen, you'll see options for the three BlackBerry permissions categories. Scroll over one of them, hit your BlackBerry Menu key again and choose Expand to see the full list of permissions within each category. To change a specific permission, find it within the appropriate category and then change the setting to Allow or Deny.
Some specific permissions also offer a Prompt option, which makes the app request approval for access to certain features or functionality every time it needs them or until you grant it full permission. The Prompt function can be valuable because it notifies you whenever an app is accessing a potentially sensitive function or personal data.
The overall message here: You may occasionally want to avoid using apps that look interesting but also seem suspicious. If that cool new app everyone is talking about comes from a developer you've never heard of that's located in some far-off land, you should think twice about granting access to your location information, cellular network connectivity or personal data.
In the end, managing BlackBerry application permissions is not a science, but it takes more than a little common sense -- even a bit of paranoia on occasion. But properly managing your app permissions will pay off with the peace of mind of knowing your smartphone isn't subjecting you, your reputation or your wallet to any undue risk.
(For more details on managing BlackBerry smartphone application permissions, check out CrackBerry.com's post on the subject.)
-- Al Sacco
iOS: Taking control
The iPhone recently came to the attention of privacy activists when three bugs were discovered relating to the location information on iOS devices. Those bugs have been squashed, but they did bring privacy issues into sharp relief for many iPhone and iPad users.
While Android apps specifically alert you to which permissions they need before and during installation, iOS apps tend not to be so upfront about what they're up to. This is largely because Apple doesn't require developers to alert users about such things (though some apps may still include those details in their descriptions). Knowing exactly what an iPhone or iPad app is accessing and what it's doing with the information it collects requires a bit of investigation and understanding of how Apple designed iOS.
Apple's philosophy -- that specific details concerning permission don't have to be presented to users -- seems to reflect the fact that the company reviews each app before it gets listed in its App Store. When Apple reviews an app, it tries to verify several things, including these: Does the app do what it says it does? Does it function reliably? And does it respect the limitations that Apple has put on developers?
This process does weed out some security threats, like apps that carry malware, but it doesn't mean that every app is an equally good citizen when it comes to your personal data. For example, an investigation by the Wall Street Journal in April found that an app called Pumpkin Maker "transmits location to an ad network without asking permission." The Journal also reported that the creator of Pumpkin Maker received a subpoena in a federal privacy probe about mobile apps.
(Note: Jailbreaking an iOS device to install unapproved apps -- most of which are distributed by the unofficial Cydia app store -- removes any protections that Apple does provide.)
Apps that access your personal data
In general, Apple tries to prevent developers from having full-scale access to all of the data and hardware on an iOS device. This improves overall security; however, Apple does grant developers access to a number of system components. This means that apps can pull data from most of the Apple-provided apps and features (like the Camera, Photos, Music/iPod and Contacts apps).
That gives apps access to a lot of your personal details and other data. So how do you know what an app can access?
Generally, the app's description is the place to get this information, even if it isn't explicitly spelled out. Apple's review process requires that an app must do what it says it does and ensures that apps access only the parts of the iOS system that Apple allows. That doesn't mean an app will explicitly list everything it may access, but you can get a pretty good idea from the description.
The Skype app, for example, can import your contacts so they can be used in placing VoIP calls, something that isn't explicitly stated in its description. But you can easily infer that the app will have some level of access to your contacts by both what the app is designed to do and from this sentence in the app's description: "Plus call or text your Contacts (or any other number) at Skype's low rates." Network access, which is implied by the nature of the app, is also explicitly stated as part of the description because Skype can function over both Wi-Fi and 3G connections.
While learning all of that involves a bit of detective work, it isn't particularly onerous to figure out what data or device features an app will use based on the description alone.
It's also worth noting that, with very few exceptions (location data being the biggest), iOS apps don't access external information unless you do something to trigger that access. Examples of actions that could trigger such access include selecting a photo to post on Facebook, picking a song or playlist to listen to during a gaming session, or choosing one or more contacts to use for VoIP calls or messaging.
The one set of data that apps can access automatically is your location. Many apps that are location-based do attempt to determine your location as soon as you launch them (weather apps, turn-by-turn navigation tools and business review guides come immediately to mind).
The Apple Photos app could be the most notorious for unsuspected use of your location information, since it embeds your location in any photo you take (a common smartphone function known as geotagging). Other apps may only request your location when you use a specific feature, like the location check-in option in many social network apps.
You can protect your location privacy by disabling location services in the iOS Settings app, but this can limit much of the functionality of an iPhone or iPad. So Apple gives you the ability to pick and choose the apps that you will allow to access that information.
The first time an app attempts to retrieve your location, it will ask for permission. This is a core tenet of Apple's developer guidelines that all apps must adhere to before getting into the App Store. If you say yes, then the app can access your location whenever it needs to. (If you say no, then it can't, but it may request permission again in the future.)
You can always tell when an app is accessing your location information because an arrow icon will appear in the status bar at the top of the screen next to the battery indicator.
If you later want to revoke an app's access to your location data (or if you decide to grant such access), you can launch the Settings app and select the Location Services item. All apps for which you've allowed or denied access will be listed, and you can adjust the permissions for each one. You'll also see a purple arrow icon next to each app that has accessed your location during the previous 24 hours, giving you a way to monitor apps even if you fail to notice the icon in the status bar.
Passing information to other apps
While iOS apps can do very little in the background, they can launch other apps and pass some data to them. An app could launch the App Store and link directly to another app by the same developer, for example. Or an app could launch the phone app and pass along a number to dial.
Most of the time, apps make it pretty obvious that they're going to do these things and, as with accessing external personal or system features, it usually only happens in response to action that you've taken (like tapping on a link). However, sometimes it may not be clear that an app is going to launch something else, and you may find yourself surprised to suddenly have some other app open.
Unfortunately, there isn't a lot that you can do to prevent these surprises other than making sure you're aware of content onscreen. An app that launches the App Store is likely to reference a developer by name, for example.
One upside is that this won't happen in the background -- you'll be aware that you've switched apps. That gives you the ability to close the newly opened app -- usually before it has done more than load some content. Another upside is that although apps can pass on limited data, they can't trigger any real actions in the second app (you'll be asked if you want to dial a phone number, for example) beyond loading content.
To an extent, Apple can safeguard apps from accessing too much personal data stored on a device itself, but many apps will request access to personal data stored in online services. The Pulse Newsreader app, for example, can store your login credentials for Google Reader (which are generally the same as other Google services), Instapaper, Twitter and Facebook. The popular Words With Friends game can similarly store your Facebook details to enable you to connect and play games with your Facebook friends.
For the most part, apps that request access to various online services and accounts have a good reason for doing so and require your active consent. However, before entering any account details, review the app's description to be sure that you understand just what it will be accessing, why it is doing so and what it will do with that information. Also, it doesn't hurt to read some of the reviews listed for an app to see if anyone is reporting anything untoward or unexpected.
-- Ryan Faas
Preston Gralla is a contributing editor for Computerworld.com and the author of more than 35 books, including How the Internet Works (Que, 2006).
Al Sacco covers mobile and wireless technologies for CIO.com, with a focus on BlackBerry handhelds and other smartphones. Follow Al on Twitter at @ASacco.
Ryan Faas is a freelance writer and technology consultant specializing in Mac and multiplatform network issues. He has been a Computerworld columnist since 2003 and is a frequent contributor to Peachpit.com. Faas is also the author of iPhone for Work (Apress, 2009). You can find out more about him at RyanFaas.com and follow him on Twitter (@ryanfaas).