
Android and iOS applications send user data to third parties much more often than is commonly believed.

After analyzing 110 applications (both Android and iOS), a team of experts concluded that these applications transfer their users' personal data to third parties quite often, and that the user often simply has no choice in the matter. As it turned out, the vast majority of the tested applications provide Google, Apple and third parties with data such as the e-mail addresses, names and coordinates of their users. On average, one Android application sends data of this kind to 3.1 addresses (domains), and an iOS application does the same for 2.6 addresses (domains). In some cases, medical applications send search results for the words "herpes" or "interferon" to at least 5 different domains, without notifying the user about what is happening.



“The research results show that the current permission system for iOS and Android is quite limited. In addition, the user is simply not notified of the level of dissemination of his personal data among third parties,” the authors of the study write in their work, which was named “Who Knows What About Me? ... Apps”. “Today, Android and iOS applications do not require additional permissions to request a user to send his data,” experts comment on the situation.

The data that Android applications send most often is the user's e-mail address: 73% of the tested applications do this. 49% of Android applications send user names, 33% transmit GPS coordinates, 25% transmit addresses, and 24% even send the phone's IMEI, along with other data. An example is the Drugs.com application, which sends search results for the words "herpes" and "interferon" to five different recipients at once, including doubleclick.net, googlesyndication.com, intellitxt.com, quantserve.com, and scorecardresearch.com. However, only this information is sent, and nothing else.

The names of users and their coordinates are sent to Facebook by applications such as American Well, Groupon, Pinterest, RunKeeper, Tango, Text Free, and Timehop. The Appboy.com domain receives data from the Glide application.

51 out of 55 analyzed applications connected to the safemovedm.com domain.

Experts write: “The purpose of the connection with this domain is unclear; however, the prevalence of this phenomenon is surprising. Even when we used the phone without running applications, we saw attempts to connect to this domain. This may be background data exchange produced by the Android OS. An example of such a connection is below.”



In the case of safemovedm.com, the team mentioned above is far from the first to discover attempts by the Android OS to connect to this domain. There are several theories on the Web about why Android connects to this domain.

As for iOS, the data most often sent to third parties is the current location: 47% of the tested applications did this. In general, about 18% of applications sent user names, and another 16% sent e-mail addresses. The Pinterest app sent user data to four domains at once, including yoz.io, facebook.com, crittercism.com, and flurry.com.

Several other analyzed applications also sent personal data. For example, the Period Tracker Lite medical app, which helps women track their menstrual cycle, sent entered symptom queries such as “insomnia” to the apsalar.com domain. And the job-search applications Indeed.com and Snagajob sent queries such as “nanny” or “auto mechanic” to three domains at once: 207.net, healthcareresource.com, google-analytics.com, scorecardresearch.com.

What can the user do?


Almost nothing. To protect their data, researchers recommend specifying ... incorrect data when possible. In addition, experts consider it necessary to revise the application permission system so that programs inform the user about the actions they take and also report which third parties may receive user data.

Source: https://habr.com/ru/post/270181/

