Are your apps spying on you?

DUKE (US) — A newly developed tool called TaintDroid is designed to identify mobile phone apps that transmit private data to online advertisers.

TaintDroid is a prototype extension to the Android mobile-phone platform. It monitors how applications access and use data—such as location and phone numbers—and sends an alert within seconds of using a newly installed app.

In a recent study, the tool identified that 15 of 30 randomly selected, popular, free Android Marketplace applications sent users’ private information to remote advertising servers and two-thirds of the apps handled data in ambiguous ways.

Peter Gilbert, a graduate student in computer science at Duke University, and his adviser, Landon Cox, an assistant computer science professor, helped develop TaintDroid. They collaborated with researchers at Intel Labs and Penn State University.

“We found it surprising that location information was shared with ad networks without further explanation or notification,” says Jaeyeon Jung of Intel Labs, who is lead coauthor, along with William Enck from Penn State, of a new study that describes TaintDroid and the team’s results.

The paper will be posted online Sept. 30 as part of the USENIX Symposium on OSDI, or Operating Systems Design and Implementation. Enck will also present the research findings Oct. 6 at the affiliated OSDI conference in Vancouver, BC.

The team found that some applications shared GPS sensor location information with advertisement servers only when displaying ads to the user. Other applications shared location even when the user was not running the application. In some cases, location information was being shared as frequently as every 30 seconds.

The results support and expand upon a controversial SMobile Systems study published in June 2010 which found that 20 percent of the then-available 48,000 third-party applications for the Android operating system provided sensitive or private information to outside sources.

In the new study, the team only monitored the Android platform, but the findings suggest that investigating other operating systems is warranted.

“We don’t have the data to say that a majority of third-party apps are untrustworthy. This study, however, is a proof-of-concept to show the value of enhancing smartphone platforms to include real-time monitoring tools like TaintDroid to give users an awareness of how their information is being shared,” Cox says.

Currently, mobile-phone operating systems do offer users some controls to regulate whether an application can access private information. When installing an app, Android asks the user which services and data an app may access, Gilbert says.

If the user chooses not to allow this access, the application cannot be installed. But if the user does install the app, the permission checks don’t always explain how these services and data will be used. This forces users to blindly trust that applications will handle private data properly once they are installed, he says.

“The permissions don’t tell the user how their data will be used, and in some cases misused,” Cox adds, noting that in some cases, a privacy violation can occur where services and data are used in ways that are unexpected.

Mobile anti-virus packages such as software sold by SMobile Systems can alert users to the presence of previously identified malicious applications, but they do not provide real-time information about where applications send users’ data.

TaintDroid uses a scientific technique called “dynamic taint analysis” to mark information of interest with an identifier called a “taint.” The taint stays with the information when it is used, and the tracking system then monitors the movement of tainted information, such as the Internet destination of the user’s information.

It then sends the user a notification of the movement of information as soon as the app is closed.

“This automatic feedback gives users greater insight into what their mobile applications are doing and could help users decide whether they should consider uninstalling an app,” Gilbert says.

The team plans to make TaintDroid publicly available to continue to improve smartphone application monitoring.

More news from Duke: