Study finds Android app-makers careless with some data

Researchers found 'widespread misuse' of data that should be kept private

A lot of the software written for Google's Android mobile phones falls short when it comes to user privacy and security.

Those are the conclusions of researchers from Pennsylvania State University and North Carolina State University, who took a look at the top 1,100 free applications available in the Android Market. They didn't find anything malicious, but a surprising number of the programs used unique identifiers such as the phone's IMEI (International Mobile Equipment Identity) number -- sometimes without obtaining permission to do so from the user.

One concern is that these unique identifiers could be linked to Android users in databases, essentially providing a stealthy way to track what mobile phone users are doing online, similar to the tracking cookies stored by Web browsers. Unlike a tracking cookie, a mobile phone's IMEI cannot be deleted.

The research follows up on work done by some of the same researchers who last year looked at 30 smartphone applications and found widespread sharing of location data and unique identifiers.

Researchers are only now beginning to put together a picture of what's going on beneath the surface with these mobile phone apps, said William Enck, an assistant professor with North Carolina State University and one of the authors of the study. "I think people are starting to become more aware of this, but I don't think there is widespread understanding of what the implications are," he said.

"The paper really expands our understanding of what applications under Android really are doing.... and what they are doing with our data," said Lee Tien, a staff attorney with the Electronic Frontier Foundation.

The EFF is concerned that these unique identifiers could be used to track consumer's online activity, but Tien did find some encouraging findings in the study, too. "I was kind of happy to see that there doesn't seem to be any obvious misuse of the audio video recording capacity for listening in and that sort of thing."

Enck and his fellow scientists built a program that took the Java bytecode that runs on Android phones and then decompiled it, converting it into something that humans could more easily look at and understand. In total, the researchers analyzed 21 million lines of code. Most of this work was done by computer but the Enck's team would often go in and manually inspect software that seemed interesting.

"Our analysis uncovered pervasive use/misuse of personal/phone identifiers and deep penetration of advertising and analysis networks," said the paper, which was presented this week at the Usenix Security Symposium in San Francisco.

The researchers call their work the "initial but not final word on Android application security."

One of the problems with this kind of analysis that the while it can show what programs are capable of doing, it doesn't prove that the Android apps are actually using their built in functionality when they are run on mobile phones.

Still, there findings are interesting. More than 22 percent of the applications the Penn State researchers looked at could send unique identifiers -- typically the IMEI identifier -- across the network.

Although there are times when programmers might want to actually want to use these unique identifiers -- to help police locate a stolen phone, for example -- they can easily be misused, and that can lead to serious security problems said Kevin Mahaffey, chief technology officer with mobile phone security software maker Lookout. "Any time you have a unique identifier... people tend to use it for all sorts of crazy purposes, particularly for authentication."

Verizon is one of those companies using IMEI for authentication, according to M.J. Keith, a security researcher with the Denim Group in San Antonio, Texas. All it takes is an IMEI and phone number in order to access Verizon's portal for mobile phone users, he said in an interview.

"You can actually use that to reset the portal password," he said. "You can take over the entire account, change the billing address. You can actually have a phone shipped to you."

Last month, Lookout reported that one of the application developers cited in the paper -- Callmejack -- had helped create more than 80 Android wallpaper applications that collected this type of data, sending it to servers in China.

Mahaffey believes that many developers reuse code that's been written by other developers, and that often this type of data collection may happen without the software maker even realizing that it's going on. "It puts developers in an interesting place if they're using opaque third-party code," he said. "If they have no idea that tracking is going on, it's very difficult for them to tell users about it."

Robert McMillan covers computer security and general technology breaking news for The IDG News Service. Follow Robert on Twitter at @bobmcmillan. Robert's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags M.J. KeithWilliam EnckPennsylvania State UniversitymobileNorth Carolina State UniversityKevin MahaffeyprivacyElectronic Frontier FoundationVerizon Wirelessmobile applicationsLee TienGooglesecurityLookoutDenim Group

More about EFFElectronic Frontier FoundationGoogleIDGVerizonVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Robert McMillan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place