100,000 Android Apps Collect Too Much Data, Security Firm Finds


Some of the most aggressive Android apps are programs purporting to be affiliated with popular franchises, Bit9 found.

That Angry Birds wallpaper app you’ve downloaded is doing more than decorating your smartphone screen — in the background, it’s also accessing your device’s GPS data, which tracks your location.

As unseemly as that sounds, it’s not uncommon. Security firm Bit9 found that more than 100,000 Android applications in Google’s online marketplace were “suspicious” or “questionable” because of what they do in the background, such as location tracking, accessing contact lists and harvesting the contents of e-mail messages. Those functions go far beyond the programs’ stated purpose.

Android phones do warn users when they download applications about what information the programs will access. Whether most people actually read those warnings is another matter. Google did not respond to a request for comment.

Some of the most aggressive apps are programs purporting to be affiliated with popular brands such as Facebook and Zynga, Bit9 Chief Technology Officer Harry Sverdlove wrote in an e-mail. The extra functions don’t necessarily make the programs malicious, but they do raise questions about the developers’ intentions, he added.

“Including a common app or publisher in the title is not a guaranteed sign of suspicious behavior, but it is certainly a technique that malicious authors use to trick users into installing their apps,” Sverdlove wrote.

The findings illustrate a reality of the application economy: having a vast number of third-party applications is both good and bad for consumers. With so many unknown developers writing software for smartphones, users must be vigilant about monitoring what permissions they’re granting when they download new programs. Just 8,200 or so of the more than 400,000 applications that Bit9 studied came from what it described as highly trusted developers.

Mobile app privacy is even becoming an issue for law enforcement.

In California, the only state to require privacy policies for mobile applications as well as websites, Attorney General Kamala Harris has warned companies such as United Continental Holdings Inc., Delta Air Lines Inc. and OpenTable Inc. that they are in violation of state law for failing to conspicuously post privacy policies for their mobile applications, Bloomberg News reported.

The companies have 30 days to make the policies readily accessible or face fines of as much as $2,500 for each download of applications that violate the law, which is known as the California Online Privacy Protection Act.
