It's little surprise that mobile apps regularly access our location data. In many cases, it's a sensible deal. Maps, weather apps, social networks, and shopping services serve up useful info based on where we are. But while everyone understands the intrinsic privacy trade-off, few may realize just how often apps ping their location. According to a Carnegie Mellon study, it happens thousands of times a week.
That study, by the university's Institute for Software Research, followed 23 Android phone owners for three weeks. In the first week, they were asked to use their apps as they normally would. In the second week, the participants used an app called App Ops to monitor and manage the data those apps were using. In the third week, the research team introduced a "privacy nudge” alert that would ping the participants each time an app requested location data.
The title of the study, which will be presented at a conference in Seoul next month, tells you all you need to know: Your Location Has Been Shared 5,398 Times! A Field Study on Mobile App Privacy Nudging. (Link to PDF)
That's right. More than 5,000 pings in 14 days. Once participants in the study knew how frequently data was being collected, many adjusted their settings or deleted some apps entirely. But Professor Norman Sadeh, a member of the research team that conducted the research, says the volume of location-harvesting isn’t the biggest issue.
“There are some applications where you could justify this level of frequency---think for instance of a navigation app,” Sadeh told WIRED. “So the frequency by itself is not the problem. Instead it is whether the frequency is justified, and obviously whether users are informed of these practices and have some level of control.”
Sadeh has pinpointed Groupon as a notable frequent pinger, saying the deals app requested one participant's location more than 1,000 times in a two-week period. Bill Roberts, head of global communications for Groupon, says that data is needed to deliver the best location-based deals on goods and services. He insists Groupon doesn't share the data with other companies.
"We access a user's location, when permitted, in order to show our customers the most pertinent deals near them," Roberts says. "We do not share individual location data … On Android, you opt-in to location tracking when you download the app. On iOS, this is done on the device when you first attempt to use location."
Which sounds reasonable enough, until you remember Groupon's app is accessing that location up to 70 times per day. And it's difficult to imagine why hundreds of games, flashlights, digital bibles, and even fart apps want to know your location. Some of these apps request this info frequently enough to plot your route on a map, if they wanted to.
It’s one thing to have a mapping app or service like Foursquare repeatedly request your location, as that's implied by the nature of the service. But when you're talking about games, flashlight apps, and bibles, where is this data going?
Usually, the answer is mobile ad networks. Jason Hong, who leads Carnegie Mellon's CHIMPS Lab (Computer Human Interaction: Mobility Privacy Security) and has collaborated with Sadeh on other mobile-privacy studies, says many apps shuttle your location information to third-party services that serve ads based on your whereabouts.
Part of CHIMPS Lab's project roster is Privacy Grade, which uses crowdsourcing and static analysis---inspecting the code, basically---to rank free apps from A+ to D for their privacy practices. Popular games like Words With Friends, Jetpack Joyride, and Fruit Ninja Free have received Ds for sketchy behavior. The worst grades typically go to apps that ask to do much more than pinpoint your location, like seeking permission to write to your phone’s USB storage, sending texts, and worse.
"These are very rare cases, but some of them want to get your microphone data, your contact list data, and it's really sensitive data at that point," Hong says. "Right now, Android will tell you if an app uses location data, but what we do in our analysis is to say this app uses location data for X, where X might be social networking or advertising or analytics."
The Privacy Grade database concentrates on free Android apps. According to Hong, free apps on all platforms are leading culprits when it comes to privacy-offending behavior, because developers need to make money. "It makes sense from an economic perspective, which is: I want people to use my app, I can either charge 99 cents for it or I can offer it for free and do advertising," Hong says. "And if I go the advertising route, it makes sense to just hook into an existing advertising network, and then you see where the problem comes in."
According to Hong, many developers don't even realize how sketchy their app's behavior can be. For advertising revenue and other in-app features, they hook into code libraries that offer integration with ads and other services.
"If you imagine an app is made out of lots of Lego pieces, then some of those Lego pieces are made by other people," Hong explains, likening libraries to those Legos. "Facebook has a library to access the Facebook services, Twitter has one, advertisers have one, and so forth. It makes it really easy to reuse other people’s code. A lot of these apps, the privacy problems usually aren’t with the app itself but often with the libraries. It’s usually the advertising library that’s trying to get your location data."
Not all of them are up to no good, of course. Tim Wyatt, director of security for mobile-security company Lookout, says there are a few tiers with the industry.
"There are standalone advertising networks, and there are aggregators that may be sending data to multiple other networks," says Wyatt. "It's reasonable to assume that mainstream mobile advertising networks such as Google's AdMob and Apple's iAd are hyper-conscious about how they handle data such as your location. There's no real transparency here, though, so it's natural to be concerned that not everyone is a major, publicly-traded company."
The privacy threat doesn't end with the ad networks, either. As Sadeh notes, lots of harvested info is sent to insurance and mortgage companies that may use it to set premiums and rates. And as Wyatt says, any data that is accessible by someone is inherently insecure. Unless you know which ad network or business is tapping your info---and you rarely if ever do---there's no way of knowing where that personal data will wind up.
While Android is the focus of the Privacy Grade database, and the Carnegie Mellon study was run with Android phones, that's not because it's necessarily any more vulnerable a platform than iOS. But “Android is more open than iOS and easier to experiment with,” Sadeh says.
While iOS generally gives users more control over app permissions than Android in its current state, iOS apps are not immune to privacy activities.
“iOS makes many of the same types of APIs available to its developers,” Sadeh says. “So it is not unreasonable to expect somewhat similar behaviors." Both iOS and Android/App Ops have significant limitations, he says, noting that even in current form, they expect users to configure a large number of settings, which do not distinguish between the different possible purposes of these permissions.
As for taking control over your mobile permissions, Sadeh says there's no easy answer. He says the best option is to choose non-invasive apps and delete those that are particularly aggressive, though he admits this is "not terribly practical."
But as Wyatt notes, "A data source that exists is a data source that may be attacked, and it must be safeguarded. The only truly safe data repository is one that doesn't even exist."
