CSAIL Research Examines How Smart Phone Apps Track Users
14 September 2012
Chances are that if you own a smart phone you have downloaded a host of different applications, from weather tools to maps, social media applications and games. Many consumers are aware that smart phone applications tend to gather personal information about users, oftentimes tracking location and usage activity. New research from CSAIL’s Decentralized Information Group (DIG) shows that a majority of applications not only collect user information when the application is in operation, but also when the application is inactive or when the user has turned off his or her smart phone screen.
Under the guidance of Professor and CSAIL Principal Investigator Hal Abelson, CSAIL graduate students Fuming Shih and Frances Zhang are investigating how much certain smart phone applications know about users. They started by exploring Google Maps, a common download for smart phone users. Shih and Zhang found that the Google Maps application continues to gather location information from users even when the application has been closed. Based on their initial investigation, the researchers were curious to see how many other applications continued to track users when not in operation.
After evaluating 36 applications - ranging from popular games like Angry Birds to text messaging platforms, social media applications and photography applications - researchers found that most applications collect personal information about their users even when the phone is not in operation. Shih and Zhang found that applications tracked everything from location information to stored contacts and the device’s Web history.
The research was inspired by DIG’s commitment to personal data management and information transparency, especially in the new world of mobile communications.
“Our group stresses the importance of transparency, and the right people have to be informed about how their information is being used. We feel that it is important for people to be able to evaluate the privacy risk they are facing,” said Shih. “You should be informed that when you turn off your phone’s screen that some smart phone apps are still collecting information.”
To evaluate the operation of specific applications, researchers modified the Android operating system, which is open to changes from independent users. Shih and Zhang altered the Android operating system so that all tracking activity was reported to their app tracking platform. By collecting this data, they were able to see which applications recorded personal information, when they gathered information, and what type of data was being tracked.
Researchers were unable to evaluate how iPhone applications gather personal information, as the Apple operating system is not open source.
For the purposes of the study, researchers defined a phone as not being in use when the device’s screen is turned off, a state they refer to as “idle mode,” as opposed to when the device is actually powered down.
Another interesting finding from Shih and Zhang’s research was that free versions of applications often gathered personal information while paid versions did not, possibly a technique for making money off an application, according to Shih.
Researchers hope that their app tracking technology can be used to help increase transparency, possibly spawning information sharing sites where people could contribute details on the data gathering techniques of specific applications. In the future, Shih would like to see Android, iPhone or a third party develop a system whereby consumers could see how each application gathers and uses their personal information, such as a privacy rating system.
“We are trying to get a better understanding of what information is being shared and when it is being shared,” said Abelson. “What we have found is that even for people in research groups, it’s hard to understand what is being shared and the consequences.”
Abby Abazorius, CSAIL