“As the market expands, it has become a question of freedom versus control in the Android app market. Security is playing catch-up, as the breaching of personal privacy increases due to a deluge of malicious software being released into the marketplace,” said the University. “In a recent case, the social network Path found itself at the centre of fierce controversy, after accessing and uploading iPhone users’ contact databases without their permission.”
A large proportion of downloaded apps, according to the University (see below), rely on a business model in which the developers collect information about the user without their full knowledge and pass it on to advertisers – including contact numbers, current location and web history.
“Various researchers have proposed ways of protecting privacy in the past, by either blocking information or giving fake information to the mobile application. However, if we follow this paradigm this would significantly reduce the number of free ad-supported applications that are available today. In our work we have tried to design a new approach that can reach a balance between the need for developer’s revenue and the need for user’s privacy,” said the team: Dr Ilias Leontiadis and Dr Christos Efstratiou of the University’s computer laboratory.
Their replacement model is based on applying a more sensitive approach to privacy control.
“The process focuses on decoupling privacy control between the application and the advertisement support component, where two separate flows of information are allowed: one towards the application/developer and one towards the ad-networks,” said the University.
Decoupling allows the specification of distinct privacy requirements for the two entities.
For the application, this allows the specification of privacy requirements that are directly related to the actual service offered by the application.
For the ad-network component, the distinct flow of private information can allow the implementation of privacy control techniques specifically designed to support an ad-driven market.
“We’ve developed a method that can control how much personal information is released to advertisers depending on the revenue that a developer receives,” said Leontiadis. “This means that if a developer gets enough money for their ad-supported applications, then private information can be selectively blocked to protect users.”
Concern about user data privacy, according to the University, has led the US White House to draft a Consumer Privacy Bill of Rights which aims to give consumers the right to exercise control over what personal data companies can collect and how they use it.
Cambridge app privacy analysis:
To understand the privacy implications of mobile applications, the Cambridge team wrote a program that collected and analysed metadata from 251,342 applications available on the online market.
The Android market consists mainly of free applications (73%).
80% of those are supported by targeted advertisements.
Free apps are far more popular in terms of downloads.
– Only 20% of paid apps get more than 100 downloads and only 0.2% of paid apps have more than 10,000 downloads, compared to 20% of free apps.
Free apps request significantly more permissions to access sensitive information such as the user’s location, messages (e-mail/sms), contacts, calendar, phone number and IMEI (phone ID number).
– Including 35% of free applications in the “comics” category that request access to the user’s location, or games asking for the user’s phone number and contacts (just to name a few).
More than 70% of free apps request one such ‘dangerous’ permission.
40% of paid apps request one such dangerous permission.
Although the Android market raises alerts for applications that require dangerous permissions, analysis revealed that these alerts have no impact on the decision of users to download.
The number of downloads for a given application appears not to be correlated with the number of dangerous permissions it requests.
“Free applications request additional information to support their own revenue as mobile advertisements typically capture personal information in order to profile the mobile phone user and deliver relevant advertisements to the phone. However, as the media stories have revealed, not all of the 52,680 developers can be trusted,” said the University.