Which Mobile Apps Are Worst Privacy Offenders?


You may want to think twice about playing Angry Birds on your Android device.

All mobile applications need to generate money somehow—and for the ones free to download and use, revenue is almost entirely collected through advertisements. Many free apps share contact lists with third parties or use a user’s location to deliver targeted ads.

Most users have no clue, which led to the genesis of PrivacyGrade.org, a project spearheaded by Carnegie Mellon University’s Computer Human Interaction: Mobility Privacy Security (CHIMPS) Lab. The site grades Android apps on a scale of A+ to D based on a model that gauges how much private information an app mines from a user’s device—and how closely that’s in line with a user’s expectations. The model was developed using the preference ratings of 725 different users on 837 free Android apps.

“These apps access information about a user that can be highly sensitive, such as location, contact lists and call logs, yet it often is difficult for the average user to understand how that information is being used or who it might be shared with,” said project leader Jason Hong in a news release. “Our privacy model measures the gap between people's expectations of an app's behavior and the app's actual behavior.”

PrivacyGrade lists the permissions an app uses, gives a simple description of what each permission entails, and explains why the app is requesting it. For example, the image-sharing app Snapchat uses a “take pictures and videos” permission, which means it uses the camera or flashlight on the phone. PrivacyGrade has determined that “It appears this app uses this data for internal use within the app's functionality.”

However, the site gives Snapchat a “B” rating. Under two permissions—determining the user’s precise location (based on GPS or network information), and reading phone status and identity (meaning the app can read information like call logs, phone signal, carrier, device ID, and phone number)—PrivacyGrade states “It appears this app uses this data to identify users for market/customer analysis.”

A cursory glance at the site shows “A” grades for most widely-used applications, including nearly all Google apps, Facebook, Twitter, Instagram, WhatsApp Messenger, YouTube, etc. “D”-rated apps are more likely to be mobile games and more entertainment-based apps, such as Fruit Ninja Free or the Despicable Me game.

The site also shows information on third party libraries that implement a feature for an app not directly designed by the app’s developer. Admob, Google’s advertising library for Android that’s designed to create targeted ads, is found on 407,181 apps—the most of any third party library.

The researchers declined to grade paid apps since they would be much less likely to be seeking more revenue from ads by selling user data to third parties. 

So far, PrivacyGrade only looks at Android apps, but the CHIMPS lab is considering adding iOS, Windows Mobile, and Blackberry apps, as long as funding is available.

