7 in 10 smartphone apps share user data with third-party services, says study

When people install a new Android or iOS app, it asks the user’s permission before accessing personal information.

Generally speaking, this is positive. And some of the information these apps are collecting are necessary for them to work properly: A map app wouldn’t be nearly as useful if it couldn’t use GPS data to get a location.

But once an app has permission to collect that information, it can share your data with anyone the app’s developer wants to – letting third-party companies track where you are, how fast you’re moving and what you’re doing.

An app doesn’t just collect data to use on the phone itself. Mapping apps, for example, send your location to a server run by the app’s developer to calculate directions from where you are to a desired destination.

The app can send data elsewhere, too. As with websites, many mobile apps are written by combining various functions, precoded by other developers and companies, in what are called third-party libraries.

These libraries help developers track user engagement, connect with social media and earn money by displaying ads and other features, without having to write them from scratch.

However, in addition to their valuable help, most libraries also collect sensitive data and send it to their online servers – or to another company altogether. Successful library authors may be able to develop detailed digital profiles of users. For example, a person might give one app permission to know their location, and another app access to their contacts. These are initially separate permissions, one to each app. But if both apps used the same third-party library and shared different pieces of information, the library’s developer could link the pieces together.

Users would never know, because apps aren’t required to tell users what software libraries they use. And only very few apps make public their policies on user privacy; if they do, it’s usually in long legal documents a regular person won’t read, much less understand.

"Our research seeks to reveal how much data are potentially being collected without users’ knowledge, and to give users more control over their data. To get a picture of what data are being collected and transmitted from people’s smartphones, we developed a free Android app of our own, called the Lumen Privacy Monitor. It analyzes the traffic apps send out, to report which applications and online services actively harvest personal data," read the website of IMDEA Networks Institute in Spain

"Because Lumen is about transparency, a phone user can see the information installed apps collect in real time and with whom they share these data. We try to show the details of apps’ hidden behavior in an easy-to-understand way. It’s about research, too, so we ask users if they’ll allow us to collect some data about what Lumen observes their apps are doing – but that doesn’t include any personal or privacy-sensitive data. This unique access to data allows us to study how mobile apps collect users’ personal data and with whom they share data at an unprecedented scale," it said.

In particular, Lumen keeps track of which apps are running on users’ devices, whether they are sending privacy-sensitive data out of the phone, what internet sites they send data to, the network protocol they use and what types of personal information each app sends to each site.

Lumen analyzes apps traffic locally on the device, and anonymizes these data before sending them to us for study: If Google Maps registers a user’s GPS location and sends that specific address to maps.google.com, Lumen tells us, “Google Maps got a GPS location and sent it to maps.google.com” – not where that person actually is.