Every time you install an application on Android you’re prompted with a warning about the access that you are granting the application. And from the first app you install on Android you’re conditioned to just hit ‘accept’, because even the most mundane apps warn you about access to your location, GPS, personal info, etc. You notice that even a little free basketball game has a page of ‘access’ warnings, and in no time you just accept it and move on. I had assumed that in exchange for a free application the developer was getting ad revenue, and location-based ads are obviously more effective than random, non-targeted ads. It turns out there’s a lot more data than I imagined being delivered in exchange for Android apps.
Researchers from Duke, Intel and Penn State created an application called TaintDroid that captures the data that Android applications gain access to and tracks where it goes. The results are shocking. They sampled 30 applications that are popular in Android’s market and let TaintDroid collect the data. What they learned is that GPS location, phone numbers, IMEI numbers, SIM numbers and phone IDs are all being transmitted. And they’ve provided a short video of it in action with a seemingly benign Android app. It’s a simple wallpaper application; just watch the data that’s collected:
So in exchange for a Mickey Mouse wallpaper you’ve provided the developer with your phone number, IMEI, and SIM card number. Now I want to preface this by saying that this app is not alone in data collection and also make it clear that no one is accusing this developer or any developer of any wrongdoing or anything illicit. But it should be noted what a developer with bad intentions could do with that information.
Just yesterday MSNBC ran a story titled “SIM card crime ring arrested, is your phone safe?” It details a ring of people that stole SIM card numbers:
A Subscriber Identity Module or SIM card contains a unique serial number, an internationally unique number of the mobile user, security authentication and ciphering information, and a list of the services the user has access to.
Stolen SIM cards can lead to identity theft
A stolen SIM card ― whether that’s the physical card or simply the code ― gives the holder all of the privileges of the phone’s owner and access to passwords that could unlock more than just the phone. The digital theft is often difficult to detect.
"It’s as if the thief owns the phone, but none of the responsibility that goes with it," Sileo said. "He can make calls as if he is you, load surveillance software onto the phone, charge calls, and commit crimes with your phone number. The consequences fall securely in your innocent lap."
This is some scary stuff. I’m sure a lot of you think that you are smarter than the average user and you wouldn’t install an app that was risky, but the researchers found that two thirds of the apps they tested sent sensitive data, half shared location data, and a third sent the device ID (which may contain phone and SIM numbers). In the 20 applications that sent data they found 68 potential misuses of private information. This isn’t an isolated incident, and avoiding applications that may be misusing your data is not a simple task, since the Android security warning is very generic.
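To make concrete what TaintDroid is doing in the video, here is a small Python model of dynamic taint tracking, written for this post and not taken from TaintDroid itself: sensitive sources (IMEI, SIM serial, phone number, location) get a label, the label follows the data through string operations, and anything still labelled when it reaches the network is reported. The source functions, host names and sample identifier values are constructed assumptions.

```python
# Added example (not TaintDroid's code): a toy model of the dynamic taint
# tracking TaintDroid performs. Source functions, hosts and sample values are
# constructed assumptions mirroring the data types named in the post.
from dataclasses import dataclass

# One bit per sensitive source; a value derived from several sources carries
# the union of their labels, which is how TaintDroid tags data as it flows.
TAINT_IMEI, TAINT_SIM, TAINT_PHONE, TAINT_GPS = 1, 2, 4, 8
LABEL_NAMES = {TAINT_IMEI: "IMEI", TAINT_SIM: "SIM serial",
               TAINT_PHONE: "phone number", TAINT_GPS: "location"}

@dataclass(frozen=True)
class Tainted:
    """A string plus the bitmask of sensitive sources it was derived from."""
    value: str
    taint: int = 0

def taint_of(x):
    return x.taint if isinstance(x, Tainted) else 0

def concat(*parts):
    """Propagation rule: the result carries every label of every input."""
    value = "".join(p.value if isinstance(p, Tainted) else p for p in parts)
    taint = 0
    for p in parts:
        taint |= taint_of(p)
    return Tainted(value, taint)

def labels(taint):
    return [name for bit, name in LABEL_NAMES.items() if taint & bit]

# Constructed taint sources standing in for the Android APIs an app would call.
def get_imei():         return Tainted("356938035643809", TAINT_IMEI)
def get_sim_serial():   return Tainted("8901260000000000000", TAINT_SIM)
def get_phone_number(): return Tainted("+15555550100", TAINT_PHONE)

def network_send(host, payload, report):
    """Taint sink: any labelled data reaching the network is reported (the
    event TaintDroid shows in the video). Returns the labels found."""
    found = labels(taint_of(payload))
    if found:
        report.append({"host": host, "leaks": found})
    return found

def wallpaper_app_phone_home(report):
    """Model of the wallpaper app's request: identifiers are mixed into one
    request string, so the string inherits all three labels."""
    req = concat("id=", get_imei(), "&sim=", get_sim_serial(), "&tel=", get_phone_number())
    return network_send("ads.example.invalid", req, report)
```

A request built only from untainted strings (for example `concat("theme=", "mickey")`) carries no label and produces no report, which is the distinction that lets the tool flag the wallpaper app without flagging ordinary traffic.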
No, this obviously isn’t a call to throw out your phone. It should, however, make you think about the apps that you’re installing and the developer behind them.
As for testing TaintDroid, we’ll notify you when it’s publicly available. It will require a custom ROM and you’ll need root access to your phone. For more information on the researchers’ work you can read it in full at http://www.appanalysis.org/.
And I want to personally thank Peter Gilbert from Duke for uploading the video from their website to YouTube so we could embed it for all of you. You guys have done some incredible work that I’m sure will lead Google to make changes to their security policies.