Android apps expose personal data to advertisers

A number of free Android apps give advertisers access to personal information including contacts, calendars and location, according to UK security company MWR InfoSecurity.

Free Android apps in the top 50 applications on Android Market are exposing user data such as contacts, calendar and location information to advertisers, according to research undertaken on behalf of Channel 4 News.


The user permissions granted to certain apps are also passed on to advertisers via a mobile ad network, Channel 4 News said in a blog post on Sunday. The Channel 4 News research was undertaken by UK security company MWR InfoSecurity.

"We found that a lot of the free applications in the top 50 apps list are using advertising inside the applications, and that the permission that you grant to these applications is also granted to the advertiser," a representative of MWR InfoSecurity told Channel 4 News. "If users knew about this, I think they would be concerned about it. But at the moment I don't think they are aware of the situation and how widely their information can be used."

MWR InfoSecurity researchers told ZDNet UK on Monday that the apps involved were SoundHound Free by SoundHound Inc; Talking Tom 2 free, Talking Tom and Talkingpierre by outfit7; Fruit Ninja by Halfbrick; and Cartoon Camera by Fingersoft, and that the code used to grant advertiser access pointed to mobile advertising network MobClix.

"When an app wants an ad in the app, it needs to refer to a third party," MWR InfoSecurity security consultant Rob Miller told ZDNet UK. "That third party was MobClix."

Reverse engineering

The security company reverse-engineered a number of free Android apps to look at the source code, and found Java functions that gave advertisers access to personal information via MobClix.

"The apps talk to adverts they are hosting via JavaScript — the apps contain Java, which the ads, containing JavaScript, can talk to," said Miller. "The app will open Java functions... interacting with calendar or contact details."
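The following audit sketch is an added example, not code from MWR InfoSecurity or from the article. It assumes the Java-to-JavaScript bridge Miller describes is registered through Android's `WebView.addJavascriptInterface`, which the article does not name, and it runs over a constructed manifest and constructed decompiled sources (`com.example.*`, `AdBridge`) to show which granted data types a bridge would sit alongside.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Permissions covering the data types named in the article.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}
# webView.addJavascriptInterface(obj, "name") makes obj callable from page JavaScript.
BRIDGE_RE = re.compile(r'\.addJavascriptInterface\s*\(\s*[^,]+,\s*"([^"]+)"\s*\)')

def sensitive_data(manifest_xml):
    """Return the sensitive data types the app's manifest asks for."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    return sorted({SENSITIVE[n] for n in names if n in SENSITIVE})

def find_bridges(sources):
    """sources maps path -> decompiled Java text; returns (path, line, js_name)."""
    hits = []
    for path in sorted(sources):
        for no, line in enumerate(sources[path].splitlines(), 1):
            hits += [(path, no, m.group(1)) for m in BRIDGE_RE.finditer(line)]
    return hits

def audit(manifest_xml, sources):
    """Permissions are per app, so bridge code runs with everything the user granted."""
    bridges = find_bridges(sources)
    return {"bridges": bridges,
            "data_reachable": sensitive_data(manifest_xml) if bridges else []}

# Constructed sample input (not taken from any app named in the article).
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SOURCES = {
    "com/example/adsdk/AdView.java":
        'WebView w = new WebView(ctx);\n'
        'w.getSettings().setJavaScriptEnabled(true);\n'
        'w.addJavascriptInterface(new AdBridge(ctx), "AdBridge");\n',
    "com/example/freegame/Main.java": "setContentView(R.layout.main);\n",
}

if __name__ == "__main__":
    print(audit(MANIFEST, SOURCES))
```

A hit is an upper bound and a lead for manual review: what an ad can actually read depends on the methods of the bridge class, which still have to be inspected.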

MobClix, part of the mobile marketing company Velti, had not responded to a request for comment at the time of writing.

European justice commissioner Viviane Reding, who is leading regulatory efforts to update European law, told Channel 4 News that users need to consent to sharing personal data.

"This really concerns me, and this is against the law because nobody has the right to get your personal data without you agreeing to this," said Reding. "They are spotting you, they are following you, they are getting information about your friends, about your whereabouts, about your preferences.

"That is certainly not what you thought you bought into when you downloaded a free-of-charge app. That's exactly what we have to change."

Miller told ZDNet UK that apps on Google's Android Market, which are screened by Android Bouncer for security issues, are not screened by Google for privacy issues.

"It's up to the user to read the permissions when installing the app," said Miller. "If you're not willing to divulge your information, don't install it."
