An alarming proportion of Android applications can find and open private photos on smartphones, track users’ locations, divulge e-mail addresses over the internet and leak address books and phone logs, according to an analysis of 836,021 Play Store Android applications by antivirus software provider Bitdefender.
The findings further raise privacy concerns in the light of revelations by former US intelligence contractor Edward Snowden that the US NSA and the UK’s Government Communications Headquarters planned to extract data from users’ smartphones via applications including the popular Angry Birds game.
Most smartphone or tablet owners have at least one app – and probably several – that could be used to siphon sensitive information from their phones.
Some 35.37 percent of apps that Bitdefender analyzed today can track a user’s location; and almost 3 percent can access the location even when the app is running in the background without the user’s knowledge. Some 6.66 percent of these apps can also send the device location over the Internet.
Up to 3 percent of the applications can divulge e-mail addresses over the Internet, the data show. Some 1,749 upload the address over an encrypted connection, while 1,661 do it over an unencrypted connection that can be easily intercepted.
Unauthorized permissions may also provide access to the device’s location, address books, buddy lists, telephone logs and geographic data from photos uploaded to the mobile versions of Facebook, Flickr, LinkedIn and Twitter.
Facebook and Twitter clear photos of metadata before publication but a third party could duplicate the info as it travels across the carrier’s mobile network and store it for further processing. This can also happen when third-party ad providers take data from the phone to use for targeted advertisements. In this case, the ad network only serves as a vector.
The Bitdefender analysis also revealed that 5.5 percent of the applications can locate and open photos on a phone and almost 10 percent include permissions to read the contact lists. Many have a legitimate need for this data but others are clearly intrusive.
In a mobile environment, applications integrate with each other and apps can access information specific to other applications. For instance, a game could access and use information stored in the address book or read profile data from social connectors such as Facebook or Google+.
Depending on the permissions granted upon installation, an application might process the accessed information and send it to the developer or a third party. This information is mainly collected by third parties such as ad networks that use it to push targeted advertisements.
Smartphones more closely resemble a computer than they do the phones of old. They store immense amounts of highly personal data about one’s identity, schedule, friends, activities and work.
Smartphone users should pay close attention to the permissions apps request and never allow installation unless convinced the app needs those permissions. Permissions related to social networks and the device’s sensors, such as the camera, microphone and GPS, are highly likely to collect and report inputs. We advise users to not install such applications unless they feel comfortable with this information landing in a third party’s hands.
Handy mobile apps such as Clueful can display permissions required by each app and help with privacy decisions. Ultimately, though, a smartphone is not a good store of highly-sensitive data.