Security Researchers Warn That Android Apps Abuse Permissions

How carefully do you read the permissions list for each app that you install? And more importantly, what do you do when an application asks to access information it doesn't actually require? According to a French team of security researchers, you should pay more attention to these kinds of details (if you don't already). Why? Because it appears that most apps abuse the permissions they are given and collect data that could easily be turned into a very accurate user profile.

Initiated by INRIA (French National Institute for Informatics Research) and CNIL (National Commission on Computing and Liberty), the study spanned three months and involved ten volunteers who used a total of 121 Android apps over the course of the experiment. Each test subject's phone was fitted with special software called Mobilitics that could monitor the behavior of the installed apps. Every time an application accessed private data such as location, call logs or text messages and tried to send it to its servers, Mobilitics logged the event. For accurate results, the volunteers were encouraged to use the phones as if they were their own.

According to the data gathered by the researchers, one app belonging to Facebook accessed and recorded its user's location more than 150,000 times over three months. This means that every minute of every day, the application knew where you were and saved it to its server. But don't think this is just Facebook; on occasion, the Google Play Store app tracked its clients as many as ten times per minute. Furthermore, two thirds of the installed apps (even ones that ship directly with Android) used special markers to identify the device, thus negating most of the privacy countermeasures that users could take.

Android's Nasty Fauna

In conclusion, the researchers warned app developers, as well as mobile operating system creators, to be more careful about what can be done with the data gathered by their products.