People are often surprised to learn that popular mobile applications on their smartphones are sharing their location, contact lists and other sensitive information, Carnegie Mellon University researchers say. Though some of that sharing is legitimate, the researchers maintain that user perception nevertheless is a starting point in evaluating the privacy and security risks of mobile apps.
“No one expects Angry Birds to use location data, but it does,” said Jason Hong, associate professor in the Human-Computer Interaction Institute.
The popular game app is hardly alone. Researchers, led by Hong and Computer Science Professor Norman Sadeh, who analyzed the top 100 Android mobile apps of the past year, found most users were surprised to find the Pandora radio app accessing their contact lists, Brightest Flashlight sharing their device ID and Horoscope using their location information.
The CMU team, which included Jialiu Lin, a Ph.D. student in computer science, and Shahriyar Amini, a Ph.D. student in electrical and computer engineering, gathered information on user perceptions and expectations as the team developed scalable methods for evaluating and communicating app privacy and security concerns to users.
“All of this information can be used for good or for bad,” Hong said of the user data accessed by apps. Though users are surprised to learn that Dictionary.com uses location information, the app uses it for a benign purpose — identifying words searched by other users nearby, he noted. But some apps — particularly free versions — appear to share device ID, location or contact lists with online marketers or other groups that profile users.
Of the top 100 Android apps, 56 use device ID, contact lists and/or location, the team found. The researchers crowdsourced the reaction of 20 users to each app permission, or a total of about 5,000 users for those 56 apps. Though the process did not produce a rank list of those apps, the 10 apps that raised the most surprise among users (and the sensitive information each app accesses) were:
- Brightest Flashlight (device ID, location)
- Toss It game (device ID, location)
- Angry Birds game (device ID, location)
- Talking Tom virtual pet (device ID)
- Backgrounds HD Wallpapers (device ID, contacts)
- Dictionary.com (device ID, location)
- Mouse Trap game (device ID)
- Horoscope (device ID, location)
- Shazam music (device ID, location)
- Pandora Internet Radio (device ID, contacts)
“As part of our work, we have been automatically scanning the code of mobile apps to determine what they do with the data they collect. While today mobile app markets do not show this information to users, our research indicates that it can have a significant impact on people’s comfort level and would enable them to make better informed decisions when selecting apps to install on their phones,” Sadeh said.
Many popular apps caused little consternation. No one was surprised, of course, that Google Maps accessed location information. Likewise, it made sense to users that Handcent SMS, a messaging tool, would access contact lists.
Angry Birds, on the other hand, shared sensitive information with eight entities — four companies that target mobile ads, two mobile ad networks, an app analytics site and an ad optimization and rewards company. Shazam used location information for its own tagging of songs, but also shared user information with companies that serve up mobile ads.
In one sense, no user of these apps should be surprised by any of this because Google Play, the site where Android apps can be purchased and/or downloaded, requires developers to specify what resources each app uses. But users tend not to pay much attention to these warnings, or lack the context to understand what resources are reasonable for an app to use, Hong and Sadeh agreed. Apple’s App Store vets all apps before making them available, though some malicious apps nevertheless have become available. The App Store process is not transparent, however, and not easy for outside research groups to study.
The difficulty is magnified by the sheer size of the app markets — the App Store offers more than half a million apps and Google Play offers nearly as many. And smartphone apps are just the beginning.
“TVs will run apps. Cars will have apps. We’re going to see all of these problems again,” Hong explained.
Even crowdsourcing each app, as the CMU team did, is unworkable at such scales. Hong noted it took his team two weeks to crowdsource perceptions of the 56 apps in this study. One alternative being developed by the CMU team is to create models for different categories of apps, identifying what sensitive information is reasonable and accepted for each class. It may then be possible to selectively alert users when an app they are considering behaves in ways that are atypical for that class.
The team also is developing tools that will help professionals better understand what private information each app is accessing and how it is using that information.
This work is sponsored by the National Science Foundation, Google and the Army Research Office.
[Image courtesy: Carnegie Mellon University]