Using a free app on your Android phone? You might have passively visited 1,000 websites and not even known it.
Researchers from France-based Eurecom shared the startling data with MIT Technology Review, uncovering the undesirable situation. The team downloaded 2,000 free Android apps from the top 25 app categories in the Google Play Store and monitored web traffic from apps. Their finding? The apps in total connected to a whopping 250,000 URLs.
Some reasonable portion of those quarter million web site visits are certainly explainable. Free apps are often supported through ad networks, for example. To get the advertising data, an app would have to reach out across the web. Indeed, 9 out of 10 of the free apps that hit advertising sites were visiting Google's ad sites during the study.
But how many ad site visits is too much? In one particular case, an app that doesn't require any external data to function, may go over the top according to the group at Eurecom: "We find the app Music Volume EQ connects to almost 2,000 distinct URLs."
An app that provides custom volume and music equalization features really shouldn't need network access to begin with, but Music Volume EQ does; I checked the app permissions. I also see that's it's a very popular app, with the Play Store reporting 10 and 50 million downloads. That's a lot of Android devices unknowingly hitting web sites for ads and whatever else.
Perhaps worse are the apps that the Eurecom team found visiting user tracking sites. The majority of test apps don't but around 30 percent do. And the apps aren't just sending information to a few sites; the worst offending apps are visiting more than 800 user tracking sites. Eurosport Player was specifically noted as connecting to 810 sites that track user data.
The unfortunate part here is that people who use these free apps have no way of knowing if the software is reaching out on the web to get or share data.
Sure, you can check the permissions of any app to see what it can or can't do. But once an application has network access -- and many clearly need it -- you can't limit what websites it goes to or what information it might be passing on to them.
Google has placed itself in a tough spot here, mainly because it's difficult to balance the open spirit of Android with privacy and security. Google generally accepts all applications in its Play Store, removing those that are clearly bad for the community. Perhaps it's time for more controls to help adjust that balance and give Android users more control over what apps can and can't do.
Regardless of what Google may or may not do, Eurecom is planning to release an app of its own called NoSuchApp. The software will help users monitor and understand exactly what websites other apps on their Android phone or tablet are visiting.