The vast majority of tested Android apps share users' personal information like email addresses with third parties "behind-the-scenes," a report has uncovered. Many apps aren't required by the OS to notify users of the data being shared, the study finds.
Out of 110 tested Android and iOS apps, 93% of the Android apps connected surreptitiously to a strange domain called safemovedm.com, for example.
It's probably part of a background process, surmises the authors of a report published at the end of October on Harvard's open forum Journal of Technology Science (JOTS) website.
The study found that 73% of Android apps shared Personally Identifiable Information (PII), and that "47% of iOS apps shared geo-coordinates and other location data with third parties."
The report's authors, whose work was completed over a year ago, found that "a significant proportion of apps" share user-inputted PII "without Android or iOS requiring a notification to the user."
'The most popular free apps'
The researchers, who included Jinyan Zang of the Federal Trade Commission and Harvard, and Latanya Sweeney, Editor-in-Chief of JOTS, along with three students, chose nine categories of apps for the the study.
They chose apps that could "handle potentially sensitive data about users including job information, medical data, and location," the study says.
Snaring the apps involved setting up a man-in-the-middle proxy to record internet traffic. The hunters then tried to identify PII in the HTTP and HTTPS sent data while the user engaged the app. Search terms and location data were among the "behavior data" they looked for.
The researchers uncovered mass purloining of PII by the apps. They found that the average Android and iOS app sends "potentially sensitive data" to between 2.6 and 3.1 third-party domains, depending on OS, the researchers say in their report.
In other words, regardless of operating system, about three unrelated domains get PII of varying kinds from each app.
How are the app publishers getting away with this, one might ask?
The answer is that some apps "may not need to notify the user in current permissions systems," the report explains.
The Android loot
Email addresses were the most common swag taken by Android apps, they found. But 25% shared user name, while 49% shared the user's actual name.
The study also discovered peculiar app behavior.
Drugs.com, for example, shared medical-term search requests "input by the user" with five third-party domains, such as doubleclick.com. Although none of the five domains received PII, "google.com and googleapis.com did receive names and email addresses while the app ran," the study says.
Presumably with time-stamping and merging of databases this data could someday be joined, although no one is saying that it is now, or that the companies involved intend to do that.
Some findings were pretty spectacular. Facebook.com apparently connected to American Well, Groupon, Pinterest, RunKeeper, Tango, Text Free, and Timehop. It also accessed a combination of users' current GPS location and name and sent that data to a third-party domain.
The iOS spoils
While the Android apps liked collecting emails best, the scientists found that iOS apps like to share a current location GPS position with third parties. Forty-seven percent shared that data.
Consumers are sensitive about sharing data. The report mentions a separate survey of more than 1,100 American users, where "70% of respondents said that they would 'definitely not allow' a cellphone provider to use their location to tailor ads."
This article is published as part of the IDG Contributor Network. Want to Join?