A significant number of apps are sharing data with third parties without notifying their users, according to a new report which attempts to quantify the scale of the problem.
Researchers from Harvard, MIT and Carnegie-Mellon found that these apps were sharing personal information and search terms, leaving the user in the dark about what information is shared with whom.
Around 110 free apps for both Android and iOS were looked at to see what personal, behavioural, and location data is shared with third parties. The report said that out of the two main mobile operating systems, 73 percent of Android apps shared personal information such as email address with third parties, and 47 percent of iOS apps shared geo-coordinates and other location data with third parties.
The report also found that 93 percent of Android apps tested connected to a mysterious domain, safemovedm.com. However, the researchers said that this was likely due to a background process of the Android phone.
The research was carried out by Harvard research analyst Jinyan Zang, alongside researchers from MIT and Carnegie-Mellon. Details of the research were published at the open-access Technology Science forum.
The researchers said that many mobile apps share “potentially sensitive user data with third parties, and that they do not need visible permission requests to access the data”.
The researchers found that on average, Android apps send potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.
“For location data, including geo-coordinates, more iOS apps (47 percent) than Android apps (33 percent) share that data with a third party. In terms of potentially sensitive behavioural data, we found that three out of the 30 Medical and Health & Fitness category apps in the sample share medically-related search terms and user inputs with a third party,” the report said.
It said the third-party domains that receive sensitive data from the most apps are Google.com (36 percent of apps), Googleapis.com (18 percent), Apple.com (17 percent), and Facebook.com (14 percent).
“Future mobile operating systems and app stores should consider designs that more prominently describe to users potentially sensitive user data sharing by apps,” added the researchers.
Ryan Kalember, SVP, cyber-security strategy at Proofpoint, told SCMagazineUK.com that these apps pose a large threat given all the sensitive data on the mobile devices in the typical organisation – from emails to contact records to keychains to even the users' physical locations.
“Worse, this threat is not well understood by the typical organisation, as it requires both knowing which apps are installed on employee mobile devices and an understanding of the behaviour of those apps,” he said.
He added that users do not frequently check the permissions that their apps have been granted, and that the apps often exfiltrate sensitive personal and corporate data with the full "permission" of the end user and without that user even being aware that it has occurred.
“Worse yet, app stores will not flag these apps as problematic, as they often have generic privacy policies or even disclose that they are accessing and siphoning off that information,” said Kalember.
He added that any of this information could easily end up in the hands of criminals.