
How mobile apps are spying on us

Your favorite mobile apps could be collecting and transmitting your personal information, including your name, contacts, location and even your phone’s unique ID number, to ad networks and other third parties. And worst of all, there’s little you can do about it.

This mobile privacy bombshell was revealed by an in-depth investigation from the Wall Street Journal, which tested 101 popular mobile apps on the iPhone and Android to determine what sort of data they were transmitting. The paper found that 56 apps transmitted the phone’s device ID without consent, 47 apps transmitted user location and five shared age, gender and other personal information with third parties.

While online tracking is nothing new in the world of mobile and desktop web browsing, the WSJ’s investigation reveals an even scarier prospect in the world of apps, where users are completely unaware that information is being shared (there are often no privacy policies to read) and opting out of the data tracking isn’t an option.

The popular music app Pandora, for example, transmits age, gender, location and phone IDs to ad networks in both its iPhone and Android versions. TextPlus 4, a popular free texting app, sent out phone IDs to eight ad companies, and location and personal data to two.

The WSJ says that iPhone apps tended to transmit more data than Android apps, but it’s unsure if the pattern persists among the thousands of apps on each platform.

The most commonly shared piece of data was the unique ID assigned to every phone. According to Vishal Gurbaxani, co-founder of the mobile advertising exchange Mobclix, the ID is effectively a “supercookie” — or in other words, a super-powered version of the cookies used to track web browsing on computers.

Unlike normal cookies, you can’t clear or change your phone’s ID, which is a boon to ad companies. The ID allows advertising companies to see the types of apps users download, how often they run them and how deep into the app users go. The data is aggregated and not linked to an individual, according to Meghan O’Holleran of Traffic Marketplace.

The WSJ points out that Apple and Google own the largest smartphone platforms as well as the largest mobile advertising services by revenue. Google owns AdMob, and Apple owns Quattro Wireless, which also formed the basis for its iAd mobile ad platform. Despite how the apps may undermine the security of the iPhone and Android platforms, the data they send is also useful to their parent companies.

Apple says that iPhone apps can’t transmit user data without approval, but the WSJ’s findings reveal many apps that don’t follow that rule. Google leaves it up to app makers to make users aware of the data their apps reveal. Android also gives users specific notes about the phone resources (including hardware and data) apps will use before they’re downloaded.

Unfortunately, there’s little users can do to protect themselves from data-sharing apps, aside from avoiding many popular apps entirely. Many mobile ad companies let users opt out of their website tracking, but those opt-out lists don’t apply to apps, according to the WSJ. The ad company Jumptap says iPhone users can opt out of app data sharing by emailing their phone’s user ID to them. Apple says its iAd opt-out also applies to apps (but doesn’t prevent iTunes data from being collected).

While it’s no big surprise to find that apps are sharing some of our data, the extent to which it’s happening should be of concern to both users and regulatory agencies. I suspect we’ll see some response from the FTC on this report soon, and that apps will be forced to be more transparent about their data collection in the future.

The WSJ has released a short video explaining its investigation.

