4 Mar 2012

Android apps share personal data with advertisers

Many of the applications which users load onto their Android mobile phones are sharing personal data with advertisers without people’s knowledge or permission, Channel 4 News has learned.

Few of us stop to think about how much highly private information is stored on our smartphones – intimate photographs, texts and emails to loved ones, who we call and where we go.

But now millions of us are downloading applications to run on them. These fun and useful little programmes claim to enhance the features of your phone.

But research for Channel 4 News has uncovered how easy it is for apps on Android phones to access and share our data and, shockingly, how advertisers can see our personal information without us even knowing.

Using ads inside apps

Users can download apps onto their Android phone by going to the app market. When you select an app you are given a list of permissions that you are granting the application – for example, to look at the contacts book, access the camera etc. You have to grant permission in order to install it.

But it is not just the apps you are granting permission to.

One researcher with MWR InfoSecurity told Channel 4 News: “We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications, and that the permission that you grant to these applications is also granted to the advertiser.

“If users knew about this, I think they would be concerned about it. But at the moment I don’t think they are aware of the situation and how widely their information can be used.”

The code that MWR InfoSecurity found gave advertising networks access to your contacts, calendar, and location. It came from a large US ad network called MobClix. Despite numerous calls and emails from Channel 4 News, the company has not explained what it is doing there.

Stealing personal data

To demonstrate how easy it is to gain access to personal data, we asked a programmer to design an innocuous-looking Rick Astley photo app – but it is really stealing my personal data.

Robert Miller, of MWR InfoSecurity, explains: “In this case it’s taken whatever text messages you have on your phone, your call log and people’s details from your contacts book.

“But it depends what permissions you’ve given it – potentially you can give it access to your camera, your media and any data on your phone and it can be sending all this to a third party.”

It may well be that there are lots of apps like this that exist only to steal personal data.

‘Against the law’

I took our findings to the vice-president of the European Commission, who is trying to push through continent-wide legislation to reform data protection.

Viviane Reding told me: “This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this.

“Maybe you want somebody to get this data and agree and it’s fine. You’re an adult and you can do whatever you want. But normally you have no idea what others are doing with your data.

“They are spotting you, they are following you, they are getting information about your friends, about your whereabouts, about your preferences.

“That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That’s exactly what we have to change.”

Google runs the Android system. It told us that it has best practices for app makers to follow when it comes to user data but it does not screen applications before they are offered for download.

The problem for users is that it is almost impossible for them to tell how any of the 300,000 Android apps available for download are accessing our data and selling it on to third parties.

We have no idea what is being done with our data

Our investigation into apps reveals a central flaw with the entire apps industry, writes Channel 4 News Technology Correspondent Benjamin Cohen.

As a user, unlike when I visit a website, I have no real idea who is accessing my personal information, what they are doing with it or how I get it back or delete it.

When I visit a website, the website owner can only really collect information that I voluntarily hand over – say, for example, my name and address. Sure, they can gather other bits of information such as my IP address (the unique internet address of my computer, phone or tablet). But on the whole I know what I’m handing over.

With apps, it appears that the application can access literally anything on my phone. On the iPhone there is no warning which applications access what parts of my phone. I don’t know when they access anything other than my location, something that I have to give consent for.

Access warning

On Google Android devices, the applications must warn me with a list of parts of the phone the app will gain access to when you install it. These range from text messages to photos. Although you are warned, you are not given the option to install the application without agreeing to all of the “permissions” the app has requested. Most people don’t bother to read these lists (according to a YouGov study) before installing.

Because iPhone apps do not list these permissions, it’s harder to investigate what they are doing. Apple apps go through a rigorous approval process, so we assume Apple checks whether the permissions are appropriate, but we can’t be sure. Android apps can be published without any approval, although Google, which operates the Android system, does remove some rogue apps retrospectively.

As we could identify which Android apps were asking permission to access personal data on phones, we asked MWR InfoSecurity to look at what they access and why. During the investigation, they discovered that in a lot of cases, advertisers within the apps also gain access to the same data.

The research has revealed that in the apps we looked at (which make up a lot of the top 50 free apps), one advertising network, MobClix, appears to gain access to users’ contacts, location and calendar. At no point are you warned that a third party is going to gain access to this data. Indeed, Android doesn’t appear to have an option for app makers to warn users either.

Against European law

Channel 4 News tried to speak to MobClix, which is part of a large, Nasdaq-listed company, Velti, on multiple occasions over the course of the week, but we’ve not received an answer to what they are doing with this data or if they are storing it.

As the vice-president of the European Commission, Viviane Reding, explained to me in tonight’s report, collecting data without the consent of users is against European law. The company, although listed in the USA, has a base in Dublin so is subject to European data protection legislation, which is among the strictest in the world.

It is perfectly possible that MobClix isn’t actually storing the data, but we have no idea what it is doing with the data they have “permission” to access as the company hasn’t responded to us.

We decided not to name the apps we found the code in for a few reasons, partly because it was hard for us to gain “right of replies” but also because we don’t know if the app makers themselves know what’s inside the advertising code they have put inside their applications.

No clues

In the view of the experts we have spoken to, the code may be in tens or hundreds of thousands of apps. We merely selected a few of the top 50 to examine with a fine-tooth comb. Hopefully after our broadcast, the ad network concerned will confirm what it’s doing.

In my view, this reflects a really serious issue. We have huge amounts of personal data on our phones, arguably more than we now store on our computers. Websites we access on PCs can’t really access our entire hard drives without anti-virus and firewall software alerting us.

This isn’t the case on smartphones. Unlike on websites, we can’t view the “source code” contained within apps. We’re given no clues without having taken them apart, as MWR did for Channel 4 News, as to what is actually lurking behind the apps we use day in, day out.
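
The point made above, that permissions granted to an app are equally available to any advertising code bundled inside it, can be checked from an app's decoded manifest and class list. The following is an added example, not code from Channel 4 News or MWR InfoSecurity: the manifest, the package names (`com.example.photoapp`, `com.example.adsdk`) and the choice of permissions treated as sensitive are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions covering data types the article names (illustrative subset).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.CAMERA": "camera",
}

# Constructed sample: decoded manifest of a hypothetical photo app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.photoapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""

# Constructed sample: names of classes bundled in the same APK.
SAMPLE_CLASSES = [
    "com.example.photoapp.MainActivity",
    "com.example.photoapp.util.ImageCache",
    "com.example.adsdk.AdView",        # hypothetical ad library
    "com.example.adsdk.net.Uploader",
]

def audit(manifest_xml, class_names):
    """Map each third-party package in the APK to the data it can reach."""
    root = ET.fromstring(manifest_xml)
    app_pkg = root.get("package")
    requested = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    data_types = sorted({SENSITIVE[p] for p in requested if p in SENSITIVE})
    # Heuristic: code outside the app's own package is third-party,
    # grouped by the first three parts of its class name.
    third_party = sorted({".".join(c.split(".")[:3]) for c in class_names
                          if not c.startswith(app_pkg + ".")})
    can_upload = "android.permission.INTERNET" in requested
    # Permissions belong to the app as a whole, so every bundled
    # package receives all of them.
    return {pkg: {"data": data_types, "network": can_upload} for pkg in third_party}

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

An app with no third-party code yields an empty report, while any bundled library is listed with every sensitive data type the app itself requested.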