Everything has a price–at least for Android users. According to a joint study conducted by Duke University, Penn State University and Intel Labs, a number of purportedly free application designed for the OS are in reality forcing users to unknowingly pay through the nose. The Android users weren’t sending the developers any money, but rather, an alarming amount of personal information such as precise GPS locations and phone numbers.
The researchers came by their information after developing a piece of software called TaintDroid (awesome name, no?) When deployed on an Android handset, TaintDroid sniffs out seemingly harmless applications that in actuality pack a whole lot of nefarious intent; locating those that are leeching personal information such as SIM numbers, user contact lists, SMS messages and other private bits and pieces to remote servers.
Given the open-source nature of Android, Google was careful to implement a number of security safeguards against exactly this sort of behavior. The company also encourages software developers to make their privacy policies readily available to users so that they know what they’re in for. With this being the case, how is it that the applications are able to send out your deepest, darkest phone secrets to parts unknown?
Well, You most likely gave the applications permission to do so.
For example, a lot of applications will politely ask whether or not they can use your GPS location for the sake of a better user experience. By clicking yes, you’re not only giving the application permission to do so, but also, theoretically, you’ve granted a go ahead to allow that app to fire off morsels about where you are anytime it pleases, even if that information isn’t being used to enhance the application’s feature set. Now that’s underhanded.
If you’re interested in learning more about the TaintDroid research team’s findings, they’ll be revealing all of what they were able to dig up at next week’s USENIX OSDI Conference in Vancouver, Canada.
Follow this article’s author, Seamus Bellamy on Twitter.