In December 2010 the Wall Street Journal conducted a small test of the 101 most popular apps on iOS and Android, finding fifty-six apps transmitted the phone unique device ID to third parties, forty-seven apps transmitted the phone’s location to third parties, and five transmitted age, gender and other personal details to third parties; in that particular test the WSJ found iPhone apps transmitted more data than Android apps. Last year the smartphone world was hit with scandal when it was discovered an app was logging users’ every keystroke and URL visited. Carrier IQ, the app in question, was discovered to be operating on a wide range of Android handsets (specifically AT&T, T-Mobile USA, and Sprint handsets) and – in a limited fashion – on the iPhone, too. After public outrage, the culprits pledged to either disable or totally remove Carrier IQ from the devices in question.
Now a new wave of privacy concerns has swept the digital world after it was discovered last month that social networking apps – on Android and iOS – are transmitting user data (in particular, data about contacts) without notifying the users first. The violating apps aren’t just from some unknown, rogue developers. On the contrary, the apps in question are from well-known companies such as Twitter, FourSquare, Instagram, FoodSpotting, and Path. (Twitter app was found to transmit user data on Android and iOS while Path was found to do it on iOS but probably does it on Android too.. For the remaining three it is not specified but Instagram is an iOS only app at the moment.) In each instance the just-mentioned apps where trasmitting some sort of private information, typically focused around contacts data.
In response to these findings, two US Representatives wrote to Apple more or less asking Apple to explain what is going on. Apple responded that gathering contacts data without permission is in violation of Apple’s guidelines and the next iOS update will force apps to explicitly gain permission before gathering the data. However, privacy experts are not buying Apple’s story. And rightly so. Apple maintains strict control over apps submitted to Apple App Store; each app goes through a rigorous review process before being approved, according to Apple. Thus, unless Apple has incompetent people reviewing apps or Apple lied about its review process, it is highly unlikely Apple did not know about the privacy violations prior to these recent developments.
So what about Google? Well Google has always had a “hands-off” approach to Android Market/Play Store, insisting it is up to app developers to determine how to responsibly handle user data. But does that give Google a get-out-of-jail-free card? No, not at all. Many people, including myself, have raged against Google’s hands-off approach and there have been consequences of this policy, e.g. incidents of malware apps on Google Play Store. But Google’s approach does mean Android makes it a bit easier to detect when an app may be violating privacy by simply scanning the permissions an app requests (although this isn’t foolproof, as shown by the Twitter example).
All in all, the tussle between pro-privacy advocates, app developers, and OS creators will continue to rage. Just be aware the data on your smartphone may not be as safe as you may think.
Update: Read Tip: How to protect your privacy on Android devices
Feel free to share your thoughts on this topic in the comments below.