For roughly a year, we have been collecting applications from the Play Store and iTunes to analyze both statically and dynamically. For the Android version of Clueful, we’re aggregating 314,474 free applications, while the iOS version of Clueful holds references for 207,843 free apps. These applications are broken down into clues which give the user a transparent and comprehensive overview of what the application tries to access, what privileges it requires and how it is going to handle the data it has access to when sending it over the web.
Before digging further, we need to mention that application permissions differ from one operating system to another. For instance, while Android permissions are declared at install time and cannot be altered later, iOS permissions are granted at runtime, when device owners have to allow or deny access to various resources, such as the current location. Regardless, applications for both Android and iOS can perform a range of interactions with the user's device, as well as with third-party internet services.
Our analysis focuses on the most intrusive behaviors that the application developer may have included in their software products. We have also taken into account behaviors that are very similar in both Android and iOS:
1. Tracking location
Location tracking is a major concern on both the Android and iOS platforms. Its implementation and use are similar on both, and location access is often requested by advertisers via framework APIs to track users' habits. The Clueful test reveals that 45.41% of the iOS apps have location-tracking capabilities, even if they do not necessarily exercise them, as opposed to only 34.55% of the Android applications.
Applications that track location:
- Android - Latest Nail Fashon Trends (v. 3.1) – com.nail.fashion.trends - with an estimated user base of between 100,000 and 500,000.
- iOS - PokerStars TV (v. 22.214.171.124) - uses geolocation to track users’ exact location
- iOS - Cheezburger (v. 1.2.2) - uses geolocation to track users' exact location.
2. Reading the contact list
While only 7.69% of Android applications could read the contact list, iOS applications are much snoopier: 18.92% of applications designed for iOS are technically able to look into the contact list.
Android applications that read the contact list:
- Longman Contemporary English (v. 1.81) - com.flexidict.data.longmancontemporary, currently removed from the Play Store
- Cambridge American Idiom (v. 1.81) - com.flexidict.data2.cambridgeamericanidioms – currently removed from the Play Store.
- OLJ (v. 1.1) - reads contact names and contacts' email addresses and sends them to a remote server.
- 3D Badminton II (v. 2.026) - reads contacts’ emails and sends them to a server in Hong Kong.
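The location-tracking and contact-list clues above are, on Android, derivable from the permissions an app declares at install time. The following is an added illustration, not Clueful's own code: it maps the `<uses-permission>` entries of an AndroidManifest.xml to those clue categories and flags whether the app also holds network access, since reading data plus sending it over the web is the combination that matters. The manifest, package name and clue labels are constructed for the example; the permission names are real Android ones.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names, mapped to the clue each one enables.
PERMISSION_CLUES = {
    "android.permission.ACCESS_FINE_LOCATION": "tracks location",
    "android.permission.ACCESS_COARSE_LOCATION": "tracks location",
    "android.permission.READ_CONTACTS": "reads contact list",
    "android.permission.GET_ACCOUNTS": "reads account e-mail addresses",
    "android.permission.READ_PHONE_STATE": "reads device ID / IMEI",
}
NETWORK = "android.permission.INTERNET"


def extract_clues(manifest_xml: str) -> dict:
    """Map the <uses-permission> entries of one manifest to clues.

    A declared permission only means the app is *technically able* to do
    something; whether it actually does is a dynamic-analysis question.
    """
    root = ET.fromstring(manifest_xml)
    declared = {
        el.get(ANDROID_NS + "name", "")
        for el in root.iter("uses-permission")
    }
    clues = sorted({PERMISSION_CLUES[p] for p in declared if p in PERMISSION_CLUES})
    return {
        "package": root.get("package", "<unknown>"),
        "clues": clues,
        # Sensitive data read + network access: the data can leave the device.
        "can_send_over_web": NETWORK in declared and bool(clues),
    }


# Constructed sample manifest (not a real app): reads contacts and
# account e-mail addresses and has network access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.contacts">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
</manifest>
"""

if __name__ == "__main__":
    for key, value in extract_clues(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```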
Among the most interesting pieces of information for an advertising network are e-mail addresses and unique device IDs / IMEI. This data also may be shared with third parties to, for example, send consumers behaviorally targeted advertisements, according to a recent Federal Trade Commission report.