This study results from a collaboration between Intel Labs, Penn State, and Duke University. Our efforts are supported by Intel Labs and grants from the U.S. National Science Foundation.
Smartphones contain many types of information that users characterize as privacy-sensitive. Examples include geographic location, phone identifiers, microphone input, and camera images. Our research goal is to build tools to monitor how applications access and use privacy-sensitive data, and then to study and report the behavior exhibited by existing real-world applications.
When an application is installed, Android shows the user the services and data the application requests access to. For example, an application may request access to location information (such as that captured by the GPS sensor) and access to the Internet. The decision is all or nothing: if the user chooses not to grant the requested access, the application is not installed.
The install-time permission checks do not, however, indicate to the user how these services and data will be used. There is no way to determine from the set of permissions alone how data will be used, and in some cases misused. An application that holds both the location and Internet permissions may be using them for a legitimate feature, or forwarding location to a third party.
Users can also be notified of an application's behavior by a license agreement displayed on first use. With one exception, the license agreements of the studied applications, where present at all, provided no additional information on how data is used.
A privacy violation can occur when services and data are used in ways the user does not expect. In the applications we studied, we were surprised to find location information being shared with advertisement networks without further explanation or notification to the user.
We randomly selected 30 out of the 358 most popular free applications from the Android Market that have access to both the Internet and privacy sensitive information such as geographic location, camera, audio, and phone information. We then used the applications while watching them with our TaintDroid monitoring tool. We found that 15 of the 30 applications shared location information with advertisement servers. We also found that 7 of the applications shared phone identifiers with a remote Internet server.
Our 30 applications are just over 8% of the 358 applications that met these criteria (Internet access plus access to privacy-sensitive information) among the top 50 popular free applications in each Android Market category. The sample is intended to give a sense of the behavior of such applications, not a complete census. Our OSDI paper describes in more detail how this sample set was chosen.
We observed a range of behavior in the studied applications. Some applications shared location with advertisement servers only when displaying ads to the user. Other applications shared location even when the user was not running the application. In some cases, we observed location information being shared as frequently as every 30 seconds.
We studied only Android and therefore cannot comment on other platforms. Further studies of other platforms are warranted, however.
We chose to study Android and its applications because it has many features in common with other popular smartphone platforms, and because it is open source, which was necessary for us to build our TaintDroid monitoring tool inside the platform itself.
TaintDroid uses a technique called "dynamic taint analysis". Information of interest is marked with an identifier called a "taint" at the point where it enters the system (for example, a GPS reading or the phone's IMEI). The taint stays with the information as it is copied, combined with other data, and transformed by the application, and the tracking system monitors where tainted information moves. When tainted information reaches a point of interest such as a network connection, TaintDroid can report which origin (e.g., GPS) the transmitted data was derived from.
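The following is an added illustration of the idea, not TaintDroid's own code: TaintDroid implements taint propagation inside the Dalvik virtual machine so that applications need no changes, whereas this Python model wraps each value in an object that carries its taint explicitly. It keeps the same shape as the paper's design (a 32-bit taint bitvector, one bit per source, unioned whenever values are combined) and checks the taint at the network sink. The hostnames, the two applications, and the sample GPS and IMEI readings are constructed for the example.

```python
# Toy variable-level dynamic taint tracking in the style TaintDroid describes.
# Added example; not TaintDroid code. Taint is a bitvector with one bit per
# privacy-sensitive source; combining values unions their bits, and the
# network sink reports whenever tainted data leaves the phone.
from dataclasses import dataclass
from typing import Callable, List, Tuple

TAINT_CLEAR = 0
TAINT_LOCATION = 1 << 0
TAINT_IMEI = 1 << 1
TAINT_MICROPHONE = 1 << 2
TAINT_CAMERA = 1 << 3

TAINT_LABELS = {
    TAINT_LOCATION: "location",
    TAINT_IMEI: "imei",
    TAINT_MICROPHONE: "microphone",
    TAINT_CAMERA: "camera",
}


def taint_labels(tag: int) -> List[str]:
    """Human-readable source names for a taint bitvector."""
    return [label for bit, label in TAINT_LABELS.items() if tag & bit]


@dataclass(frozen=True)
class Tainted:
    """A value plus the taint bits of every source that influenced it."""
    value: object
    taint: int = TAINT_CLEAR


def combine(op: Callable, *args: Tainted) -> Tainted:
    """Apply op to the raw values; the result carries the union of all taints.
    This is the propagation rule: arithmetic, string formatting and rounding
    never clear a taint, so obfuscated or coarsened data is still flagged."""
    tag = TAINT_CLEAR
    for a in args:
        tag |= a.taint
    return Tainted(op(*(a.value for a in args)), tag)


# --- Sources: constructed sample readings, not a real device ----------------
def get_location() -> Tainted:
    return Tainted((40.7934, -77.8600), TAINT_LOCATION)


def get_imei() -> Tainted:
    return Tainted("490154203237518", TAINT_IMEI)  # constructed example IMEI


# --- Sink: the network. Records a report when tainted data is transmitted ---
class NetworkSink:
    def __init__(self) -> None:
        self.reports: List[Tuple[str, List[str]]] = []

    def send(self, host: str, payload: Tainted) -> object:
        if payload.taint != TAINT_CLEAR:
            self.reports.append((host, taint_labels(payload.taint)))
        return payload.value  # "transmitted"; returned so callers can inspect it


# --- Two hypothetical applications holding the same permissions -------------
def ad_supported_app(net: NetworkSink) -> None:
    """Holds INTERNET and location permissions. The permission list alone does
    not reveal that it forwards coarse location and the IMEI to an ad server."""
    loc = get_location()
    # Rounding to two decimals is still derived from the GPS reading.
    coarse = combine(lambda p: (round(p[0], 2), round(p[1], 2)), loc)
    url = combine(
        lambda p, i: f"http://ads.example.net/ad?lat={p[0]}&lon={p[1]}&id={i}",
        coarse, get_imei())
    net.send("ads.example.net", url)


def weather_app(net: NetworkSink) -> None:
    """Same permissions, but only a user-typed city name leaves the phone."""
    city = Tainted("State College")  # user input: no taint bits
    url = combine(lambda c: f"http://weather.example.net/q?city={c}", city)
    net.send("weather.example.net", url)


def run_monitor() -> List[Tuple[str, List[str]]]:
    """Run both applications under the monitor and return the taint reports."""
    net = NetworkSink()
    ad_supported_app(net)
    weather_app(net)
    return net.reports


if __name__ == "__main__":
    for host, sources in run_monitor():
        print(f"{', '.join(sources)} sent to {host}")
```

Running the monitor reports only the first application, and names both sources (location and IMEI) that fed the request, even though the coordinates were rounded before being sent. The second application transmits nothing tainted and produces no report, which is the point of tracking data flow rather than inspecting the permission list: both applications hold identical permissions.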
We will be making TaintDroid open source. Information to obtain the TaintDroid source code will be posted to this page.