The spy in your pocket: Researchers name data-slurping mobe apps

Android app developers are more promiscuous with your personal data than iOS devs, according to research that examined more than 100 popular apps to sniff the way they handed data to third parties. However, both iOS and Android developers are quite happy to scrape personal data and fire it off to third parties without asking …

  1. SuccessCase

    Even your friends do it. The number of my friends that upload their entire contact list to services like "Linked-In" is huge. I've never been asked if it is ok they provide Linked-In with my personal contact details. Yet it was only about 7 years ago it was considered completely unacceptable to pass someone's telephone number or email address on without asking their permission first.

    1. Zog_but_not_the_first

      "Yet it was only about 7 years ago it was considered completely unacceptable to pass someone's telephone number or email address on without asking their permission first."

      It still is.

      1. Neil Barnes Silver badge

        "It still is."

        To those of us who care.

        But so many billions don't...

        To be honest, I never understood the purpose of the telephone book: if someone knows me, they can ask for the number; if they don't, do I want to talk to them? (I except commercial listings).

        1. Michael Wojcik Silver badge

          Re: "It still is."

          if someone knows me, they can ask for the number

          What if someone knows you, did not think to ask for the number the last time they saw you in person, and needs to contact you now?

          Back in the days when I routinely used a phone book to contact individuals (as opposed to organizations), that was the general use case: I want to communicate with someone I don't know, but whose phone number I don't have handy. For that matter, I seldom asked people for their number, and they seldom asked for mine, because - wouldn't you know it! - those were available in the phone book.

          It's almost like, oh, an index for finding someone's number when all you have is their name (and, perhaps, address).

      2. Ed_UK

        "Yet it was only about 7 years ago it was considered completely unacceptable to pass someone's telephone number or email address on without asking their permission first."

        I lose patience with the well-intentioned numpties who insist on forwarding jokes and email hoaxes without:

        1. Being arsed to edit out the previous sender's details (and probably their distribution list)

        2. Thinking to use 'bcc' instead of sending my address to dozens of strangers

        3. Bothering to check that the virus warning from a friend's friend's cousin who works at Microsoft is a hoax. Or that Nokia might not actually be rewarding people for doing something useless, like sending emails.

        Funny how otherwise-polite people lose all sense of etiquette when sitting at a computer.

    2. Anonymous Coward
      Anonymous Coward

      The number of my friends that upload their entire contact list to services like "Linked-In" is huge

      As is the number of absolute nitwits that allow LinkedIn access to their email to forage for contacts (at least, that is what they SAY they do - I wouldn't touch that idea with a barge pole).

      1. Kubla Cant

        absolute nitwits that allow LinkedIn access to their email to forage for contacts

        I fear I was that nitwit. I've accessed LinkedIn via the browser for years, and never allowed it to access any address book. Then I unwisely allowed myself to be persuaded to install the phone app. Suddenly my phone contacts list is gobbled into LinkedIn and it's asking me if I want to connect with people from it. I guess they sneaked in permission to access the contacts list when the app installed.

    3. BillG
      Megaphone

      The number of my friends that upload their entire contact list to services like "Linked-In" is huge. I've never been asked if it is ok they provide Linked-In with my personal contact details.

      One of the reasons why LinkedIn members are so angry at the service - that, and the impending discontinuation of LinkedIn Groups.

      Thanks to this article I have uninstalled the Drugs.com app from my Android!

  2. Anonymous Coward
    Anonymous Coward

    Things are not remotely as bad on "the boring-old World Wide Web".

    Unlike Android, the web has a sand-box worth a damn, severely restricting what data it can access.

    A far more limited API (assuming Flash isn't installed), and sensitive APIs like geolocation and webcam are locked behind per-use permissions.

    There's a mature set of tools for hardening the browsers; adblock, noscript, webbug blockers, browser fingerprint reducing addons, and so on.

    Finally as an open environment the built in development tools let you see what pages are up to, in a way that's obscured in native apps.

    1. sabroni Silver badge

      The apps discussed aren't necessarily accessing data without the user's consent; it's the way they're sharing that data with third parties that's the issue. Nevertheless, you are correct in saying that it's easier to investigate what a web site is doing from the client. That doesn't let you see what they do with your data server side though.

  3. SuccessCase

    There seems to be a "flaw" or rather weakness in the survey. They categorise data as sent to Primary and to third party domains. But the OS provider is treated in the survey as a third party domain. The primary domain is the domain of the app maker. What would have been more useful would have been to categorise the data into App Maker Primary, OS Maker Primary and Third Party.

    The problem is that, for example, company X creating an app and sending data to X.com and Google.com isn't necessarily failing to ask permission. On iOS also, sending data to X.com and an Apple domain isn't failing to ask permission if the transaction is for e.g. an iCloud sync. iCloud is built in and expected by the users. The user has control to turn it on or off for all apps and it has built-in privacy protections. As an app maker you don't need to ask the user's permission for a service they have already given the OS permission to use. The higher location sharing iOS has with "third party" domains is almost 50% with Apple's own servers.

    So to get a view of the level of data permissions abuse, it would be far more useful to split out that further categorisation.

    Still, all the data is there, so perhaps someone could volunteer to make this refinement?
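As an added example (not code from the article, the research, or any commenter), here is one way to carry out the three-way split this comment asks for, App-maker primary / OS-maker primary / Third party, over a per-app list of observed destinations such as one gets from capturing a phone's Wi-Fi traffic. The app names, hosts and log lines are constructed; the OS-vendor domain sets are an assumption and not exhaustive.

```python
from collections import Counter

# Assumption: which registrable domains count as "OS-maker primary" per platform.
OS_MAKER_DOMAINS = {"ios": {"apple.com", "icloud.com"},
                    "android": {"google.com", "googleapis.com"}}
# Minimal multi-label public suffixes so "cdn.adnet.co.uk" -> "adnet.co.uk" (no full PSL).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

def registrable_domain(host):
    """Reduce a hostname to its registrable domain (simplified suffix handling)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def classify(platform, app_domain, host):
    """Bucket one destination: app_primary, os_primary or third_party."""
    dom = registrable_domain(host)
    if dom == registrable_domain(app_domain):
        return "app_primary"
    if dom in OS_MAKER_DOMAINS[platform]:
        return "os_primary"
    return "third_party"

# Constructed capture summary: platform, app, app's own domain, destination host, fields sent.
SAMPLE_LOG = """\
ios walkapp walkapp.example api.walkapp.example location,email
ios walkapp walkapp.example p12-ckdatabase.icloud.com location
ios walkapp walkapp.example ads.adnet.example location,device_id
android walkapp walkapp.example api.walkapp.example location
android walkapp walkapp.example www.googleapis.com location
android walkapp walkapp.example ads.adnet.example location
android walkapp walkapp.example cdn.adnet.co.uk email
"""

def summarise(log_text, field="location"):
    """Per (platform, app): how many requests carrying `field` land in each bucket."""
    out = {}
    for line in log_text.splitlines():
        platform, app, app_domain, host, fields = line.split()
        if field not in fields.split(","):
            continue
        out.setdefault((platform, app), Counter())[classify(platform, app_domain, host)] += 1
    return out

def non_primary_os_share(counts):
    """Of requests a primary-vs-rest survey would call 'third party', the OS-maker fraction."""
    off_app = counts["os_primary"] + counts["third_party"]
    return counts["os_primary"] / off_app if off_app else 0.0

if __name__ == "__main__":
    for key, c in summarise(SAMPLE_LOG).items():
        print(key, dict(c), f"OS-maker share of 'third party': {non_primary_os_share(c):.0%}")
```

In the constructed sample, half of each app's off-domain location traffic goes to the OS vendor, which a two-bucket survey would report as 100% third party.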

    1. Doctor Syntax Silver badge

      Why should the OS maker be considered primary unless they're the app-maker? If I run, say a mail client under Debian Linux there's no good reason why it should require any interaction with either the Debian project or the Linux kernel team. The OS maker is as much a 3rd party as any other.

      1. SuccessCase

        Because, to use iCloud as an example: iOS provides iCloud services. A user understands that is how app context and state are synchronised between a user's devices. iCloud services have their own built-in security model such that the logical boundaries of an app and its "sandbox" surround its state distributed across a user's iOS devices. For an app to use iCloud services that are secured within a sandbox, fully encrypted, and using a framework managed by Apple without asking the user is a completely different category of "liberty" than posting data to a third party server that is neither the App maker's own domain nor an Apple domain without asking permission. The former is expected and a normal part of the services supported by the OS itself, and the latter is surreptitious and suspicious.

        Additionally it rather looks as though the report authors have missed that per app control over iCloud access and location services is provided in settings by the OS.

        So I think it would be much more useful if these two categories were separated out rather than all bundled together in a single column under the title "third party access."

        So to be clear, I'm not saying the data should be ignored, but that as it is structured, the summary results are not as useful or revealing of bad practice as they might be. I think there is still an argument that an app should ask permission to use iCloud (though if it states it synchronises via iCloud in the AppStore description and that is obviously a part of its purpose, then doing so really is unnecessary cruft, and it just becomes an extra step where for many apps saying "no" means the app simply doesn't work properly and saying yes only means it works with standard OS services in the logical sandbox). The argument for still asking permission to use the OS standard iCloud service I think is more relevant to ensuring a user gets full control over data usage than to problems with a third party having access to the data (remember control is there in settings anyway) and is only going to be a problem for the most uncompromising free software advocates. But then such people will be aware of the role iCloud plays in many if not most major apps these days anyway (and will probably be opting for an Ubuntu based handset or some such like).

        1. SuccessCase

          BTW, it just occurs to me that, because I do development for iOS, general users might not understand that, the way iCloud is implemented, it will appear as though the app process is generating iCloud requests, in the same way as it will appear that the app is making the request if the app uses the NSURL API to make a connection to any Web server. The implementation could easily be different. iCloud transactions could have been initiated as an OS system process after a request to the OS. Given the security protections are independent of the App layer, really, whether requests are issued by the Core OS in an independent process or in the App process is an implementation detail. I suspect Apple implemented it as they have so that the App author has to account for power management and leasing of multi-tasking time relating to the app's use of iCloud (though this could also be managed if it were an OS process, there would perhaps be an extra unnecessary level of indirection in the code to do so).

          This also makes the research - without a thorough exposition of how OS services are accessed from OS to OS, potentially a bit arbitrary because there might be different policies from OS to OS. I don't know Android as well as I know iOS so, in this regard, can't comment on it.

          Just a note.

  4. Anonymous Coward
    Anonymous Coward

    And the top

    Data slurping apps on windows phone (8.1) are......??????

    1. Fraggle850
      Joke

      Re: And the top

      Windows? On phones? And they have apps? Never seen such a thing!

      Good luck running your marketing analytics on a platform that has <100 users

    2. nkuk

      Re: And the top

      The apps that come with the phone, as no-one else bothers making apps for Windows Phone.

  5. Fraggle850

    For *deity's* sake don't tell the EU!

    They'll have a field day. Safe Harbour has caused enough trouble, how the heck will they deal with this?

  6. Anonymous Coward
    Anonymous Coward

    iOS Location Services

    This is disabled on my company iPhone 5s. So no problem there then

    I looked at all the apps and every one of them can have it enabled/disabled, but naturally these were all set to 'Never' because of the phone's privacy setting.

    I do enable it from time to time to access maps but that is it.

    I also keep the number of apps installed to a minimum.

    Who needs 20 fart or cat piccy apps anyway?

    If you (and this applies to any type of smartphone) install lots of crap from unverified sources AND don't set the apps settings properly then you get what you deserve.

  7. Adam 1

    It's a bit limited to consider what addresses the phone shares information with because it doesn't (and can't) consider anything shared through backend communications. It would be trivial to create an app that sent all information to the primary domain and then distributed it from there. That app would look good on this sort of survey.

  8. Anonymous Coward
    Anonymous Coward

    Thanks - MapMyWalk and MapMyRun now uninstalled

    FUCK you app makers

    1. P. Lee

      Re: Thanks - MapMyWalk and MapMyRun now uninstalled

      "The only winning move is not to play."

      Ancient words, ever true.

      I find it hard to like all these apps. I've got so many better things to do than fiddle with a phone.

      Email is fine for emergencies. Video is mostly too small, maps are handy for the GPS, the 4g Modem is handy too.

      SMS and telephone calls, also seem to be a good idea. The web browser, ebook reader and music players (local content only) are also fine for the commute by rail.

      Apart from that, I rather dislike using the teeny-tiny inaccurate interface.

  9. semijacki
    Thumb Up

    Spy Apps - TheOneSpy Mobilespy software

    Bundles of apps with the same features can be found on app stores for free. According to researchers these stalking apps could lead to data slurping smartphone apps. These apps with full features can be downloaded from the main website. This informative material would let you understand better both iOS and Android developers, who are quite happy to scrape personal data and fire it off to third parties without asking. Do not worry about them, it's their duty to make it happen; the concerned community just has to acknowledge spy apps producing channels. Please read their privacy policy in order to stay legal. An authentic and optimistic platform for parents and employers to keep track and keep an eye on their kids, teens and employees respectively.

    Reference: http://www.theonespy.com/android-spy-software/

  10. Anonymous Coward
    Anonymous Coward

    Sending info to 3rd party domains? Like Doubleclick, Datapoint and Google, eh, El Reg?

  11. Anonymous Coward
    Anonymous Coward

    The Endurance International Group, Inc & SafeMoveDm.com?

    Looks like SAFEMOVEDM.COM is a domain possibly owned by The Endurance International Group, Inc. They are a small business advocacy group that provides social media and SEO strategies and marketing to their customers. I can only speculate that these apps in particular are selling user information to The Endurance International Group, Inc. We'd have to ask them to be sure.

    http://whois.domaintools.com/safemovedm.com (Follow the registrants address)

    Who knew our browsing habits and location could be worth so much? Sounds like free labor disguised as mobile entertainment.

  12. Anonymous Coward
    Anonymous Coward

    F-Droid

    There are the usual traceability pitfalls (ensure the binary comes from the accompanying source) and the like, but my phone uses exclusively FOSS applications and there is no Google account configured (I do not have a Google account anyway).

    Having made an unscientific but more or less comprehensive test by wiresharking my phone's wifi connection, their promises appear to have been upheld. I did not find anything untoward coming from the OS either, but I did take the precaution to uninstall or otherwise disable or cripple a significant number of OS components.

    Yes, I am paranoid. But they're also after me, so every little bit helps. :-)
