Thursday, September 30, 2010

Android Based Cell Phones Sending User Data Including Location, Telephone Number To Ad Servers

"Even the most cautious of privacy-conscious Android users may be unwittingly sharing more sensitive data with more third parties than they realized -- or even intended to authorize.

In a recent joint study by Duke University, Penn State, and Intel Labs, researchers found that 15 of 30 popular Android applications sent users' geographic location to remote advertisement servers -- even though users may have only granted the app permission to access that data for the sake of unlocking location-based features.

Meanwhile, seven of the 30 applications -- without explicit warning -- sent the unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers. All in all, researchers found that two-thirds of the applications in the study exhibited "suspicious handling of sensitive data."

InfoWorld - Android apps share more sensitive data than users realize

----
"Specifically, the researchers found that two-thirds of the 30 apps in the sample used sensitive data suspiciously, half share location data with advertising or analytics servers without requiring "implicit or explicit user consent," and one-third expose the device ID, sometimes with the phone number and the SIM card serial number. In all, the researchers said they found 68 instances of potential misuse of users' private information across 20 applications.

"The permissions screen says, 'here is what the app can access'...but that screen doesn't say how the app is going to use that information once it retrieves it," William Enck, a PhD student at Pennsylvania State University and one of the co-leaders on the project, told CNET today. "Right now users have to be more diligent with the apps they install, look closely at the permission screen, and assume that that information may be misused. Just like when you are on a Web site. Better to be safe than sorry."

CNET - What's that Android app doing with my data?

----
"The study may be the best evidence yet that Android users have little way of knowing what happens to the wealth of information stored on their phones when they install any one of the 70,000 or so apps available in the Google-sanctioned Market. The search giant is quick to say that before Android apps can be installed, users see a screen informing them what personal information can be accessed by the software. But as the researchers point out, knowing what an app is capable of is different than knowing what it actually does."

"And to be fair, there's no way of knowing what liberties apps on competing platforms take with users' personal information. The researchers were able to monitor Android apps only because the operating system is open source. That allowed them to develop TaintDroid, software that labels, or taints, data from privacy-sensitive sources so it can be monitored in real time. There are no guarantees apps for Apple's iPhone or Research in Motion's Blackberry would fare any better if subjected to the same scrutiny."

The Register - 2 out of 3 Android apps use private data 'suspiciously'
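As an added illustration of the labelling approach the Register excerpt describes (this is not code from the study or from TaintDroid itself): values read from privacy-sensitive sources carry taint labels, the labels propagate through string concatenation, and the network sink is checked against what the user consented to for each destination. All host names, sample values and the consent table are constructed for the example.

```python
from dataclasses import dataclass

# Taint labels for the sensitive sources named in the study.
LOCATION, DEVICE_ID, PHONE_NUMBER, SIM_SERIAL = "location", "device_id", "phone_number", "sim_serial"


@dataclass(frozen=True)
class Tainted:
    """A string value plus the set of sensitive sources it was derived from."""
    value: str
    labels: frozenset = frozenset()

    def __add__(self, other):
        # Taint propagates through concatenation: the result carries the union of labels.
        other = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.value + other.value, self.labels | other.labels)

    def __radd__(self, other):  # handles "literal" + Tainted
        return Tainted(other) + self


# Constructed stand-ins for the device source APIs (hypothetical values, not real identifiers).
def get_location():    return Tainted("42.36,-71.09", frozenset({LOCATION}))
def get_device_id():   return Tainted("IMEI-PLACEHOLDER", frozenset({DEVICE_ID}))
def get_line_number(): return Tainted("+1-555-0100", frozenset({PHONE_NUMBER}))


def audit_send(host, payload, consent):
    """Taint sink: return the labels reaching `host` that the user never consented to for that host."""
    allowed = consent.get(host, frozenset())
    return sorted(payload.labels - allowed)


def sample_app(consent):
    """Constructed app behaviour modelled on the study's findings; returns findings per destination."""
    findings = {}
    loc = get_location()
    # Intended feature: location goes to the app's own server to unlock location-based content.
    findings["api.weatherapp.example"] = audit_send("api.weatherapp.example", "q?loc=" + loc, consent)
    # Undisclosed: the same location plus the device id embedded in an ad request.
    ad_req = "req?loc=" + loc + "&uid=" + get_device_id()
    findings["ads.example"] = audit_send("ads.example", ad_req, consent)
    # Undisclosed: developer analytics beacon carrying the phone number.
    findings["stats.devserver.example"] = audit_send("stats.devserver.example", "n=" + get_line_number(), consent)
    return findings


# The only flow the user actually agreed to: location to the app's own server.
CONSENT = {"api.weatherapp.example": frozenset({LOCATION})}

if __name__ == "__main__":
    for host, leaked in sample_app(CONSENT).items():
        print(host, "ok" if not leaked else "LEAK: " + ", ".join(leaked))
```

The point the excerpt makes is visible in the output: the permission that made the first flow legitimate says nothing about the second and third, which only a sink-side check can catch.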

----
"A controversial study released in June 2010 by smartphone security vendor SMobile (just acquired by Juniper) said that 20% of Android applications were seeking access to sensitive data. The report was trumpeted in a barrage of scare headlines implying the applications therefore were unsafe. (Network World's own headline was more circumspect: "20 percent of Android apps can threaten privacy, says vendor".) Many Android developers noted that users explicitly grant permission to these applications, and access to such data is often necessary.

But the TaintDroid project digs deeper: the question is, once access is granted, what actually does the application do with the data?"

NetworkWorld - Many Android apps leak user privacy data: Researchers find permitted apps transmit phone numbers, location, and SIM card IDs

----

The InfoWorld article puts it best:

"The moral in all this remains "download mobile-phone apps with discretion," a mantra that doesn't apply only to Android users. At the BlackHat conference in August, Lookout Mobile Security revealed that third-party smartphone apps for both Android and iPhone were stealing user information and transmitting it to China."

----

I am not sure how much I need to add to the above. People have learned to be concerned about viruses on computers and to be wary and protect their online banking and such, but cell phones are "fun" gadgets that are not daunting or scary to people the way computers are.

So they just merrily download whatever seems fun at the time.

Now scroll back up the page and look at the picture of the van - and think...

Wednesday, September 29, 2010

"Project 'Gaydar': At MIT, an experiment identifies which students are gay, raising new questions about online privacy"

"It started as a simple term project for an MIT class on ethics and law on the electronic frontier.

Two students partnered up to take on the latest Internet fad: the online social networks that were exploding into the mainstream. With people signing up in droves to reconnect with classmates and old crushes from high school, and even becoming online “friends” with their family members, the two wondered what the online masses were unknowingly telling the world about themselves. The pair weren’t interested in the embarrassing photos or overripe profiles that attract so much consternation from parents and potential employers. Instead, they wondered whether the basic currency of interactions on a social network - the simple act of “friending” someone online - might reveal something a person might rather keep hidden.

Using data from the social network Facebook, they made a striking discovery: just by looking at a person’s online friends, they could predict whether the person was gay. They did this with a software program that looked at the gender and sexuality of a person’s friends and, using statistical analysis, made a prediction."


The title and story are ripped off from the Boston Globe. Please read the full article there so they can get page hits and advertising dollars.

Boston Globe - Project 'Gaydar'

----

This is an example of the power of data mining: a new application of the kinds of algorithms already used for search, data mining, and market research. These two researchers used the same kind of techniques Facebook uses when its automated systems decide which ads you should see when you are logged in.

The information about whether a person is gay or not could have potentially devastating consequences for the individual. Think about what would happen if the government of Iran, another fundamentalist regime (like Saudi Arabia), or a stridently anti-gay regime (think Uganda [Fear grows among Uganda’s gay community over death penalty draft law]) decided to keep track of its students living abroad...

Privacy and information security concerns can come out of nowhere.