A group consisting of researchers from Duke University, Pennsylvania State University and Intel Labs has recently created a tool that allowed them to analyze data flows out of Android smartphones, and the conclusion of their research should not be surprising to anyone.
The name of the tool is TaintDroid, and you won’t be seeing it on online markets for Android applications since it requires you to modify your device’s firmware (i.e. “jailbreak” your device) in order to work.
But for the researchers, TaintDroid was a perfect tool. A random selection of 30 popular Android applications that are known to have access to sensitive information was tested, and TaintDroid detected that two-thirds of them send out some of it without asking permission from the users.
It is true that before installing an application, the Android user is faced with a permission screen that states which specific data and resources the application will have access to, and he has to press the “OK” button in order to install it. And according to Elinor Mills, Google uses that fact, and the fact that any of these applications can be uninstalled at any time, as a good enough excuse not to worry about the issue.
We consistently advise users to only install apps they trust,” says the Google representative, and the researchers say that they would like to see more EULAs being presented before an application is installed. Personally, I don’t know ow that could help – seeing that users usually fail to read EULAs as much as they just click through any permission screen.
As I see it, the problem stands in the fact that it’s easier for users to assume application developers and device manufacturers have their best interests at heart and are doing everything they can to protect them, then to think for themselves and closely evaluate whether they are going to install an application – every time that option arises.
I recently attended a lecture by Bruce Schneier in which he defined the loss of privacy in this Internet age as a “death of a thousand cuts” – each time we permit some of our information to be collected, each time we don’t take the time to think about how what we put online could affect us is a cut that will eventually contribute to the death of our privacy. And, I must say that I agree.