A joint study by Intel Labs, Penn State, and Duke University has identified that publicly available cell-phone applications from application markets are releasing consumers’ private information to online advertisers. Researchers at the participating institutions have developed a realtime monitoring service called TaintDroid that precisely analyses how private information is obtained and released by applications “downloaded” to consumer phones. In a study of 30 popular applications, TaintDroid revealed that 15 send users’ geographic location to remote advertisement servers. The study also found that seven of the 30 applications send a unique phone (hardware) identifier, and, in some cases, the phone number and SIM card serial number to developers.
Smartphones offer a convenient way to download and install third-party applications. Over 200,000 applications are currently available in Apple’s App Store and over 70,000 in Android’s Market. Many of these applications access users’ personal data such as location, phone information, and usage history to enhance their experience. But users must trust that applications will only use their privacy-sensitive information in a desirable way. Unfortunately, applications rarely provide privacy policies that clearly state how users’ sensitive information will be used, and users have no way of knowing where applications send the information given to them.
Tracking how apps use sensitive information required integrating our software into the Android platform at a low level. As a result, it was not possible to implement TaintDroid as a stand-alone app. Instead, to use TaintDroid you must flash a custom-built firmware to your device, similar to a number of popular community-supported Android ROMs.