More than 100,000 applications available for download from Google's Play Store may be collecting too much data from users, a research firm says.
About one-quarter of more than 400,000 applications studied are "suspicious" or "questionable" because of what they do in the background, such as location tracking, accessing contact lists or harvesting the contents of email messages, according a report issued yesterday by security firm Bit9. Those functions typically go far beyond the programs' stated purpose, Bit9 said.
Android phones warn users when they download applications about what information the programs will access. Whether most people actually read those warnings is another matter. A Google representative didn't immediately respond to a request for comment.
Some of the most aggressive apps are programs purporting to be affiliated with popular brands, such as Facebook and Zynga, Bit9 chief technology officer Harry Sverdlove wrote in an email interview. While the extra functions don't necessarily make the programs malicious, they do raise questions about the developers' intentions, he said.
"Including a common app or publisher in the title is not a guaranteed sign of suspicious behaviour, but it is certainly a technique that malicious authors use to trick users into installing their apps," Sverdlove wrote.
The findings illustrate a reality of the application economy: having a vast amount of third-party applications is both good and bad for consumers. With so many unknown developers writing software for smartphones, users must be vigilant about monitoring what permissions they're granting when they download new programs. Just 8200 or so of the applications that Bit9 studied came from what it described as highly trusted developers.
Mobile-app privacy has also attracted the attention of law enforcement.
In California, the only US state to require privacy policies for mobile applications as well as websites, Attorney General Kamala Harris has warned companies such as United Continental, Delta Air Lines and OpenTable that they are in violation of state law for failing to conspicuously post privacy policies for their mobile applications, Bloomberg reported on October 30.
The companies have 30 days to make the policies readily accessible or face fines of as much as $US2500 for each download of applications that violate the law, which is known as the California Online Privacy Protection Act.