Researchers at the Data Privacy Lab at Harvard University have published a survey of behind-the-scenes sharing of personal data with third parties by mobile apps on both Android and iOS. The survey, which tested 55 free and popular apps from each of the two app stores, looked for apps that shared personal, behavioral and location data.
73% of Android apps shared personal information such as email addresses with third parties, while 93% of the Android apps tested connected to the safemovedm.com domain, which is possibly due to a background process on Android phones. Meanwhile, 47% of iOS apps shared geo-coordinates and other location data with third parties. On average, Android apps sent potentially private data to 3.1 third-party domains, while iOS apps connected to 2.6 domains.
Overall, Android apps were more likely than iOS apps to share personally identifying information, as only 16% of iOS apps shared email addresses or usernames. On the other hand, only 33% of Android apps shared location data, including geo-coordinates, with third parties, a smaller share than on iOS. Interestingly, 3 out of 30 apps in the medical and health and fitness categories shared medically related user inputs with a third party. Note that, other than Google and Apple, no other third-party domain in the study received data from more than 14% of the apps tested.
Receiving private data:
Finally, the third-party domains that receive sensitive data from the most apps are Google.com (36% of apps), Googleapis.com (18%), Apple.com (17%), and Facebook.com (14%). This data is most likely used for services like Google Now, which displays data from various apps. Similarly, using Facebook to log in to various services likely results in the social media platform being on the list.
Android and iOS both offer closed marketplaces to users as an alternative to the more conventional method of simply downloading or buying software from other sources. This is ostensibly in the name of security, as the companies claim that apps on the app store, once verified, are much safer.
However, the permission systems on both platforms are inadequate to keep users well informed about what user data is being sent by which app and to whom. As we saw last month, malicious code can get into these stores, compromising user data. Even if apps are not allowed to send data to third-party websites, they could just send it to their own database and distribute it later. User privacy is something a proper Government framework has to address, although this might be too much to ask given our Government doesn’t even believe in the fundamental right to privacy.
Apple removes apps:
Last month, Apple removed over 250 apps from its App Store that used software from a Chinese advertising firm which secretly accessed and stored users’ personal information. The apps somehow got through Apple’s app review process and apparently went unnoticed on the market for nearly two years.
Image Credit: Flickr user Scott Sterbenz