Smartphone apps: Is your privacy protected?

Are your apps putting your privacy at risk? We look at the dangers and solutions for Android, BlackBerry and iOS mobile platforms.


The legal issues

There may be very little that you can do about one of the biggest privacy issues related to apps: What is done with your personal information after it is gathered by a mobile app.

You can try to check the apps themselves to see whether they have privacy policies in place. Typically, these policies can be found in a Settings screen, on an About This App tab or screen, or possibly through a link at the bottom of a screen. But few apps have or display these types of policies. TRUSTe and Harris Interactive recently studied the top 340 free iOS and Android apps and found that only 19% of them included links to privacy policies.

Troy H. Vennon of the Juniper Global Threat Center warns, "Many developers are collecting device information and storing that information on third-party servers as a means to build ad profiles or device profiles for delivering application content.... It's worth noting here that nearly all free applications use some sort of adware kit in order for the developers to generate revenue on their free applications. How many of these free applications are collecting and transmitting this 'private' device data to build those ad profiles?"

No one knows the answers to those kinds of questions, because there are no legal requirements to provide them.

Congress is concerned enough about the issue that it has held hearings on the matter. After a recent hearing of the Senate Judiciary Committee's privacy and technology subcommittee, Sen. Al Franken (D-Minn.), chairman of the subcommittee, called for Apple and Google to require that location-aware apps include privacy policies.

"Apple and Google have each said time and again that they are committed to protecting users' privacy," Franken wrote in a letter to the companies. "This is an easy opportunity for your companies to put that commitment into action."

However, that would be a relatively small step, because it would cover only location-aware apps, and would not limit how the apps share personal information, only that they reveal how they will use it.

Other senators would like to see the federal government take stronger measures. Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced the Commercial Privacy Bill of Rights Act in April, which would require any Web-based businesses, including mobile ones, to give a clear notice to consumers about what data is being collected about them. And Sen. Jay Rockefeller (D-W.Va.) introduced a bill that would in essence create a national do-not-track mechanism to allow users to opt out of being tracked. It would apply to mobile network operators, websites and ad networks.

It's not clear that either bill will pass, especially because they face opposition from groups such as the technology trade group Association for Competitive Technology (ACT).

How to protect yourself

Given all that, what can you do to protect your privacy when using apps?

First, keep this in mind: The very nature of using a mobile app exposes you to potential privacy intrusions. So you need to balance the benefit you expect to get from an app against the potential privacy risk.

Even the most rigorous privacy protectors don't say you should avoid downloading apps altogether. Rather, they say, the key is making sure that the app you're downloading truly requires the permissions it's asking for. If, for example, a single-player game asks for permissions to send SMS messages, that should be a clear warning sign, because there's no need for a game like that to send text messages.

Keep reading for a look at how some of the major mobile operating systems handle permissions -- and to learn what you can do to protect yourself.

Preston Gralla

Android: Permission granted?

Troy H. Vennon was a researcher with SMobile Systems when it conducted the research that found that 20% of Android apps allow third parties to get access to private or sensitive information. (SMobile Systems has since been acquired by Juniper, and Vennon is now a research engineer with the Juniper Global Threat Center.) He emphasizes that, while every permission available to an Android developer has a legitimate purpose, it is important for consumers to decide whether the permissions demanded by a particular app are necessary.

"For example," he says, "in many cases the SEND_SMS permission is completely benign and has a legitimate purpose. But if that same permission is requested in an application that has no discernable SMS functionality, you may be looking at an SMS Trojan app that might be capable of sending SMS messages to premium rate numbers without the user's consent."

William Enck, who as a doctoral student at Pennsylvania State University was one of the researchers who found Android apps send geographic information about users to remote ad servers without the users' knowledge, says, "When you install a new application, look closely at the permissions listed.... Users can also contact developers if they do not understand why an application has certain permissions. I have done this several times, and in at least one case, the developer removed the permission."

According to Jay Nancarrow, a Google spokesperson, the permissions that an app displays before installation limit what the app can actually do -- essentially the app is "sandboxed" and can't get data outside the sandbox. So, for example, if you install an app that doesn't ask for permission to "read Browser's history and bookmarks," there's no way that app can subsequently get that information, he says.
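The permission check described above can be scripted. The following is an added example, not code from the article or from Google: it reads the permissions declared in an app's decoded AndroidManifest.xml and reports any that fall outside what the app's category plausibly needs. The category baselines, the sample manifest and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baselines: permissions a reviewer would accept per app category.
EXPECTED = {
    "single_player_game": {"android.permission.INTERNET",
                           "android.permission.VIBRATE"},
    "sms_client": {"android.permission.INTERNET",
                   "android.permission.SEND_SMS",
                   "android.permission.RECEIVE_SMS",
                   "android.permission.READ_SMS"},
}

# What the permissions named in the article allow an app to do.
SENSITIVE = {
    "android.permission.SEND_SMS": "can send text messages, including to premium-rate numbers",
    "android.permission.ACCESS_FINE_LOCATION": "can read the device's precise location",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "can read browser history and bookmarks",
}

# Constructed sample: manifest of a hypothetical solitaire game.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.solitaire">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Solitaire"/>
</manifest>
"""

def requested_permissions(manifest_xml):
    """Return the permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.strip())
    names = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    return [n for n in names if n]

def review(manifest_xml, category):
    """List (permission, reason) pairs that the category baseline does not cover."""
    expected = EXPECTED[category]
    return [(p, SENSITIVE.get(p, "not expected for this category"))
            for p in requested_permissions(manifest_xml) if p not in expected]

if __name__ == "__main__":
    for perm, why in review(SAMPLE_MANIFEST, "single_player_game"):
        print(f"REVIEW {perm}: {why}")
```

Reviewed as a single-player game, the sample is flagged for SEND_SMS and fine location; reviewed as an SMS client, SEND_SMS passes, which matches Vennon's point that the same permission can be benign or a warning sign depending on what the app does.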
