Do you know how much information your smartphone is giving away to app makers and advertisers?
Lots of people have “no idea,” according to a computer scientist at Carnegie Mellon University, who recently studied how people responded to discovering how much of their data was being shared.
But the truth is it’s very hard to know exactly what data is being accessed, how often, and when – and that makes it far less likely that users will take steps to preserve their privacy.
According to the study, apps are constantly collecting our data and sharing it with third parties, with some apps sharing location data thousands of times per week.
“I felt like I’m being followed by my own phone. It was scary,” one study participant said after learning that their personal information was tracked 4182 times in just two weeks.
In the study, a group of two dozen Android users were given the opportunity to see which apps were accessing their data, and how often, and had the opportunity to change their device settings upon receiving a privacy “nudge.”
One of the “nudges” looked like the screenshots below, which revealed that the user’s location data had been shared 5398 times by 10 apps in just 14 days.
Location data is useful information, so that apps can do what users want them to do, like get directions or find out what the weather will be the next day.
But do apps like Groupon, which serves up deals from businesses near your location, really need to know your exact location 1600 times in two weeks?
When people in the study found out how often their data was shared, most of them (58%) took steps to better protect their privacy by changing app settings.
The study participants were given an app that used a feature on their Androids called App Ops, which gave them the ability to change app permissions to restrict the types of data their apps could access such as location data.
Unfortunately for users of Android 4.4 and above, App Ops – which briefly appeared in Android 4.3 – is no longer available.
And without the ability to change app permissions on a granular level, users are left with little choice – you can either use the app or not.
People’s attitudes towards their online privacy are increasingly suspicious of governments and businesses that scoop up vast quantities of data, as recent surveys like one conducted by the Pew Research Center have found.
What’s somewhat baffling is how few people actually change their behaviors to reflect those attitudes.
In the Pew survey, 57% of Americans said they thought NSA surveillance of Americans was “unacceptable,” but only about a third of people who had heard of the NSA’s activities took any steps to improve their privacy.
Partly it’s because people just don’t know how – 54% of the people surveyed by Pew said it would be “somewhat” or “very difficult” to find tools and strategies to be more private online and on their phones.
Norman Sadeh, a lead researcher of the Carnegie Mellon study, said even permission managers like App Ops aren’t enough to change people’s behaviors:
App permission managers are better than nothing, but by themselves they aren't sufficient. Privacy nudges can play an important role in increasing awareness and in motivating people to review and adjust their privacy settings.
Sadeh suggested that we may need “personalized privacy assistants” to gauge what permissions we want for certain types of apps, and let us know when we should change settings.
For users that aren’t savvy enough to “root” or modify their devices to manage their own settings, that might be a long way off – app and device makers would need to buck the wishes of advertisers who want to suck up all our data.
There are ways you can preserve your privacy right now – why not start with our “three-step privacy plan diet” and check out our 10 tips for securing your smartphone?
For Android users, you can also download the Sophos Free Anti-Virus and Security app from Google Play. It comes with a privacy advisor to help you make informed choices about what apps you use.
Image of cyber eye courtesy of Shutterstock.
-Smoke-
You CAN have granular permissions per app on Android 4.4… if your phone is rooted. The XPrivacy app, which runs on the XPosed framework gives you this capability. You can even have it feed an app fake location (or any other) data. It would be interesting to find out if this location-reporting-reporting app still works, even without App Ops to change settings, just to see what is going on “underneath the hood”.
Paul Ducklin
As we said in the article, “for users that aren’t savvy enough to root or modify their devices to manage their own settings, [a solution] might be a long way off.”
Cyanogenmod has Privacy Guard, which is pretty handy. But setting it up is (or was, last time I tried it back on Android 4.4) not for the fain- hearted. You pretty much had to configure each app, one at a time. Just remembering where you were up to in the process when you first activated it was a fair old effort…
Tom
I was recently required to track the use of the free wifi we provide where I work. In looking at the logs from an off the shelf router, I was surprised that most people name their smartphones with some identifiable name, and that whether they actually connect to the free wifi or not is irrelevant since the phones poll for a wifi signal using the name.
Kim
What security program do you suggest for iPhones? The one you recommend is only for Android. Thank you.
John
Is the iPhone equally vulnerable? I have been avoiding the switch due to the lack of LED notification, but I’m really beginning to wonder about Android…
noTech4u
Glad I don’t have a smart phone or any mobile device for that matter.
Mumover
Sophos’ own security app (mentioned above) needs location services turned on for the phone finder feature to work no?
Paul Ducklin
Yes. (We do try to explain why we need various permissions. Sadly we need to ask up front for everything we might need later, even if we never use it.)
Terry D
so will you be creating “Sophos free antivirus and security” for windows phones any time soon, as you have done for Android users?
And if not, do you know of any similar phone security I could use?