App privacy has been a topic for a while now. Android and iOS are both taking steps to fix the widespread problem, with things like Android's app privacy settings, where you can choose what an app can and cannot do. Obviously, these will be permissions that are known about the app. What about background app activities?
Well, right now here are some scary facts about what some of your free apps are doing.
73% of Android apps shared personal information such as email address with third parties.
47% of iOS apps shared geo-coordinates and other location data with third parties.
93% of Android apps tested connected to a mysterious domain.
A significant number of apps share data from user inputs, such as personal information or search terms, with third parties without Android or iOS requiring a notification to the user.
This information came from an amazingly detailed report by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney. They used man-in-the-middle proxy techniques that let them see exactly what apps are doing on your connection.
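As an added illustration (not code from the report or from this post), the sketch below shows how decrypted flows captured by such a proxy can be checked for seeded test data going to third-party domains. The flow records, app names, domains and seeded identity are all constructed, and grouping hosts by their last two labels is a simplifying assumption.

```python
from urllib.parse import unquote_plus, urlsplit

# Constructed test identity typed into each app under test (assumption).
SEEDED = {
    "email": ("jane.tester@example.org",),
    "location": ("42.373", "-71.109"),  # lat/lon prefixes, often sent separately
    "search_term": ("migraine treatment",),
}
# Constructed: domains controlled by each app's own publisher.
FIRST_PARTY = {"fitapp": {"fitapp.example"}, "mapapp": {"mapapp.example"},
               "notesapp": {"notesapp.example"}}
# Constructed decrypted flows, shaped like a proxy export.
FLOWS = [
    {"app": "fitapp", "url": "https://api.fitapp.example/login",
     "body": "email=jane.tester%40example.org"},
    {"app": "fitapp", "body": "",
     "url": "https://t.adnet.example/c?e=jane.tester%40example.org&q=migraine+treatment"},
    {"app": "mapapp", "url": "https://sdk.metrics.example/v1/event",
     "body": '{"lat":42.3736,"lng":-71.1097}'},
    {"app": "notesapp", "url": "https://sync.notesapp.example/save", "body": "note=hello"},
]

def registrable(host):
    # Naive last-two-labels grouping; a real audit would use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def leaked_types(flow):
    # Decode URL-encoding so "%40" and "+" do not hide the seeded values.
    text = unquote_plus(flow["url"] + " " + flow["body"]).lower()
    return {kind for kind, needles in SEEDED.items()
            if all(n.lower() in text for n in needles)}

def third_party_leaks(flows, first_party):
    findings = []
    for flow in flows:
        domain = registrable(urlsplit(flow["url"]).hostname or "")
        if domain in first_party[flow["app"]]:
            continue  # data sent to the app's own backend is not third-party sharing
        findings += [(flow["app"], domain, kind) for kind in sorted(leaked_types(flow))]
    return findings

def share_rate(flows, first_party, kind):
    # Fraction of tested apps that sent this data type to any third party.
    apps = {f["app"] for f in flows}
    leaking = {a for a, _, k in third_party_leaks(flows, first_party) if k == kind}
    return len(leaking) / len(apps)

if __name__ == "__main__":
    for finding in third_party_leaks(FLOWS, FIRST_PARTY):
        print(finding)
```

Plain substring matching misses values that an app hashes or base64-encodes before sending, so a result of zero findings from this check is not proof that nothing was shared.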
They tested 110 free apps, 55 each from the Google Play Store and the Apple App Store. They tested and recorded these apps in two waves. Wave 1 was done on June 24-26, 2014 and Wave 2 on July 15-22, 2014. During Wave 1, they chose the five most popular free apps from the Google Play Store in each of the following categories: Business, Games, Health & Fitness, and Travel & Local. In the App Store, they tested similar categories: Business, Games, Health & Fitness, and Navigation.
In July 2014, they expanded their testing with Wave 2 and tested the five most popular free apps in the Play Store categories Communication, Medical, and Shopping and in the App Store categories Lifestyle, Medical, and Photo & Video. In addition, they made deeper dives (testing ten apps rather than five) in the categories Health & Fitness, Social, and Travel & Local for the Play Store and in the Health & Fitness, Navigation, and Social categories for the App Store. They chose the targeted categories in Waves 1 and 2 due to their likely handling of potentially sensitive data, including job information, medical data, and location. Wave 2 did not re-test apps previously tested in Wave 1.
Tables 2 and 3 of the report list the Android and iOS apps that they tested, along with the wave in which each was tested. When there was a problem testing an app, they replaced that app with the next most popular app not already tested. A complete list of all apps, including those they were unable to test, is in the report's Appendix.
Read their report on what they found with just 110 apps.