Researchers name apps sending user info to third parties

Harvard University researchers have conducted a large-scale study of Apple iOS and Google Android apps, revealing many are quietly passing on customer details to third parties. 

The team of researchers conducted the testing with US consumer watchdog the Federal Trade Commission last year, analysing plaintext HTTP and encrypted HTTPS traffic from 110 popular free Android and iOS apps with an intercepting proxy.

A "signficant portion" of the apps tested from the businesss, communications, games, health & fitness, medical, shopping, social and travel & local categories would share user data with third-parties, without notification this was taking place, the researchers found.

The data included user input, personally identifiable information, exact locations, and search terms. Apps can also request device information which in turn can be tied up with other user data.

"We found that the average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.

"Android apps are more likely than iOS apps to share with a third party personally identifying information such as name (73 percent of Android apps versus 16 percent of iOS apps) and email address (73 percent versus 16 percent)," the researchers wrote.

On Android, the researchers found that communications apps Text Free and Glide "sent potentially sensitive data to the most primary and third-party domains" along with health app Map My Walk.

LocalScope, a location browser app, sent the most potentially sensitive data to outside domains on iOS overall. Pinterest, Map My Run, MapQuest, Piano Tiles and Timehop were also found to send personally identifiable information to third-party domains.

Potentially sensitive data such as medical search terms also left users' apps without notification.

"For example, the Drugs.com app shared medical info input by the user in testing - including words such as “herpes” or “interferon” - with five third-party domains: doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com," the researchers discovered.

Google.com, googleapis.com and facebook.com and the mysterious safemovdm.com were the most popular domains that Android apps connected to. For iOS, user data was sent to apple.com, yahooapis.com and exacttargetapis.com, the researchers found.

iOS and Android apps currently do not need to notify users that their personally identifiable information or behaviour data is being accessed and captured;  the researchers suggested that app stores should be redesigned to inform people about third parties who might receive their data.

Users should also be allowed to opt out of data collection, they said. Another remedy suggested is to return false data for the app permission requests. There are already tools such as MockDroid, TISSA and AppFence that send fake information to apps that make certain application programming interface calls.

There are drawbacks to using bogus data though, is it could affect apps and targeted advertising that depend on accurate user information.

Into the future, the researchers intend to improve their methodology by checking for non-Transmission Control Protocol (TCP) traffic emitted by apps as well as other protocols than HTTP/HTTPS, and weakly encrypted data being sent, and expanding the testing to encompass more app store categories.