Are you unknowingly sharing personal data from your smartphone with online services? You might be, according to a study published in Technology Science. A team of security researchers found that a number of popular free Android and iOS apps, including Pinterest, Skype, Expedia, Text Free and Map My Walk, are sharing your personal data with third-party services — often without your knowledge.
In its analysis of 55 free and popular Android apps and 55 iOS apps, the report found that a “significant proportion” of the apps shared users’ emails, names and GPS locations with Google, Apple and third-party services. There's nothing unusual about that, of course, since users often agree to share such information in order to use certain apps. However, many apps are sharing sensitive data with third parties without notifying users at all — and this rings alarm bells among users who are careful about their privacy.
The report notes that iOS and Android apps both currently lack a comprehensive mechanism for making users aware of the degree to which their data is being shared with third-party services. “Apps on Android and iOS today do not need to have permission request notifications for user inputs like PII and behavioral data,” the researchers wrote.
Android apps in the study provided potentially sensitive personal information to an average of 3.1 third-party domains, while the iOS apps sent data to an average of 2.6 third-party domains.
The creepy part is that some apps are also quietly sharing search terms (such as medical search terms) with at least five other domains without any notice to the user at all. The Drugs.com app, for example, forwards the search terms “interferon” and “herpes” to five external domains (doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com and scorecardresearch.com), although the domains do not directly receive personally identifiable information from the app.
The team found that the following percentages of Android apps shared certain kinds of personal data:
- 73 percent shared email addresses
- 49 percent shared names
- 33 percent shared GPS coordinates
- 25 percent shared addresses
- 24 percent shared IMEIs (a unique identifier for your mobile device) or other details
The Android apps also sent data to third parties in alarming combinations that can be considered potentially sensitive, such as your name plus your GPS location. For instance, seven of the 55 Android apps tested (American Well, Timehop, Tango, Groupon, RunKeeper, Text Free and Pinterest) sent user names and GPS locations to Facebook.
Another curious finding was that 51 of the 55 Android apps sent data to safemovedm.com, but the researchers still have no idea why Android connects to that mysterious domain. “When we used the phone without running any app, connections to this domain continued. It may be a background connection being made by the Android operating system,” the researchers wrote.
In the case of the iOS apps, 47 percent transmitted user GPS locations, 18 percent shared names and 16 percent sent email addresses. The Pinterest app for iOS was found to share user names with four external domains.
Until app makers redesign their apps to let you opt out of such data-gathering schemes or until app stores raise the level of transparency about third-party recipients of your personal data, the researchers suggest that you lie to the apps using false personal data. That’s a rather drastic approach, but it works.