User beware: That mobile app is spying on you

A recent study of the 400 most popular iOS and Android apps reveals that nearly all free apps collect users' personal data

Those apps you download on your smartphone may be free or very cheap, but there's a hidden price you should be aware of: loss of privacy.

The vast majority of the most popular iOS and Android mobile apps collect a variety of personal data from users, including location details, address book contacts, and calendar information, according to a just-released survey by Appthority, a company that advises businesses on security.

The report does offer some significant good news. Appthority found that very few of the apps it analyzed carried malware.

Appthority, which says it has a catalog of around 2 million apps, analyzed a total of 400 of the most popular mobile apps available (based on downloads) in Apple's App Store and Google Play. When it comes to free apps, there was essentially no difference between the two platforms.

However, "paid iOS apps surprisingly collect more data and share that information with more third parties than Android paid apps, making iOS slightly more risky than Android. On the whole, free apps remain the most risky category, exhibiting the greatest number of risky behaviors across both platforms," according to Appthority.

Here's a breakdown of the most frequently collected data:

  • 82 percent of the top Android free apps and 49 percent of the top Android paid apps track user location
  • 50 percent of the top iOS free apps and 24 percent of the top iOS paid apps track user location

You might not expect a flashlight app or a calculator to track your location, but many do.

"One of the main reasons app developers initiate app tracking is to generate supplementary revenue by sharing app user data with advertising networks and analytics companies. In some cases, particularly with free apps, developers are paid based on the amount of data they collect and share about users," explains Appthority.

  • 30 percent of the top Android free apps and 14 percent of the top Android paid apps access user address books
  • 26 percent of the top iOS free apps and 8 percent of the top iOS paid apps access user address books

App developers often transmit users' contacts or even full address books. One reason is to increase the viral or network effects of the app. In other words, developers want to use owners' contacts to expand their customer bases. However, only a small percentage of the apps Appthority analyzed grabbed calendar or meeting invites.

  • 88 percent of the top Android free apps and 65 percent of the top Android paid apps access IMEI/UDIDs
  • 57 percent of the top iOS free apps and 28 percent of the top iOS paid apps access IMEI/UDIDs

IMEIs and UDIDs are unique serial numbers embedded in mobile phones. Appthority explained the risk associated with IMEI/UDIDs:

"Access to UDIDs is a concern because with a unique device identifier, developers can correlate user behavior across multiple apps (even if they have different usernames and passwords for each of the apps) and then match them to a unique user. While Apple has prohibited iOS developers from using UDIDs as a means to track and identify users, Appthority discovered that the new rule is only enforced on devices which are running the latest version of iOS."

This story, "User beware: That mobile app is spying on you," was originally published by CIO.
