2017 IEEE International Conference on Consumer Electronics (ICCE)

Privacy Concerns on Android Devices

Asma KHATOON1, 2, Student Member, IEEE, Peter CORCORAN1, Fellow, IEEE
1
C3 Imaging Center, College of Engineering & Informatics NUI Galway, Galway, Ireland
2
FotoNation, Galway, Ireland
{a.khatoon1, peter.corcoran}@ nuigalway.ie

Abstract— Smartphones have become conduits for our connection, bluetooth, local storage, user data (pictures, e-mail,
most personal information and data. When one wants to install an contacts), etc. Application developers need permission to access
app on their device, they have to allow the apps to access their these APIs through the AndroidManifest.xml file. In turn different
camera, internet, location etc. This can lead to privacy issues and types of apps use these resources in different ways. The key
affect the user privacy. For example, granting privileges to location
leads to tracking the user through their phone. In this paper, privacy
question here is how the 'resource permissions' and the way in
issues of android system are discussed. A number of conventional which these are used can impact on our 'privacy'. How can a user
and some more unusual challenges to our individual privacy are understand from looking at a set of permissions how this will
identified and discussed. impact on their 'privacy'? The answer is that they can't because
most people don't even understand what privacy means.
Index Terms—android devices, privacy issues, social media, apps. Basically Android applications have no permissions associated
by default. For example, if an application needs permission to
I. INTRODUCTION access internet, it needs to mention in its AndroidManifest.xml file
Privacy and security are considered as the same concept. There like;
exists a confusion between these two terms. Though privacy and
<uses-permission android:name="android.permission.INTERNET" />
security are closely related with each other, they have different
meanings. Privacy is the ability to take decision that what In this paper, privacy issues of Android applications are
information about someone goes where; security determines the discussed and how these applications exploits the end user’s
ability to be confident that those decisions are respected. In simple privacy are presented. It will also give an overview of the different
words, we can say privacy is only concerned with how the data is types of privacy.
to be collected and used. Security deals with the protection of that
personal data from encroachers. II. APPLICATION PRIVACY
Smartphone is an easy to carry portable electronic device that For mobile devices, Android provides an open source
has features of both mobile phone and a computer. It has made application environment and platform. Most of the android
interpersonal communication easier in different ways [1]. When it applications are written in Java but they can also be written in their
comes to applications for smartphones, these are continuously native code. The android core operating system is based on the
expanding, from Internet browsing to e-mailing, to gaming, to Linux kernel. The Linux kernel provides Android with many
banking, to shopping, and managing travel arrangements – security features which ensures security for the smartphone which
airfares, car rental, etc. In combination with new network services includes user-based permissions model, Process isolation,
these smartphone apps are replacing traditional taxi services, Extensible mechanism for secure IPC and the ability to remove
short-let accommodation and even your local gym with more unnecessary and potentially insecure parts of the kernel. Android
flexible and available ‘network sourced’ alternatives. People are application building blocks consist of AndroidManifest.xml,
generally not aware of the consequences of installing these activities, services and broadcast receiver.
applications and they usually skip reading the terms and conditions
An average person spends a lot of time on their smartphone.
the user have to agree to for the usage of these applications.
This includes checking social media notifications, communicating
A user doesn’t know what can be done with their data after through communication apps, web browsing, playing music, etc.
having those permissions accepted during the installation of apps. The average user doesn’t know how these apps are impacting on
TRUSTe and Harris interactive conducted study [2] about top 340 their privacy.
Android apps a found that only 19% have included links to privacy
Smartphone holds lots of personal information which includes
policies.
images, videos, contacts, bank account details, location, age and
Android provides Linux Kernel security on its operating gender. This information can do a lot of damage to the user if it
system level and when it comes to APIs, every app has to request goes in the wrong hands. A cybercriminal may want to steal your
permissions to access different resources on the phone. Examples money by snooping into your smartphone through malware. Then
are the camera, microphone, GPS, Network connection, phone there are advertisers who are in search of people who can buy their

978-1-5090-5544-9/17/$31.00 ©2017 IEEE

 2017 IEEE International Conference on Consumer Electronics (ICCE)

product and services. Advertisers pay app developers to get access TABLE II
PERMISSIONS VS APPS
to the user’s data. They provide the code for the app-developers to
build into app. This code not only shows the ad when the app opens Important Permissions Number of apps requesting
permission
but also can send personal information to the advertiser. Calendar 2
In this section a survey is done in which we take a look at Camera 18
different types of apps available at Google app store and number Contacts 37
of permissions requested. Google categorizes its apps into 18 main Location 34
sub-categories which are Comics, Communication, Entertainment, Microphone 14
Finance, Health, Lifestyle, Multimedia, News and Weather, Phone 27
Shopping, Social, Sports, Travel, Demo, and Software libraries. SMS 9
Storage 66
We are going to have a look at the five most popular and top rated
Wi-Fi Connection 30
app of main categories and observe the frequency of permission Photos/Media/Files 54
requested by each category.
As seen from table II frequency of apps requesting sensitive
TABLE I
GOOGLE PLAY STORE CATEGORY AND APPS
permission [3] like storage, contacts and camera are very high. The
Google Play Store Category Apps selected
main concern is how these apps are programmed to use these
Comics Marvel Comics, DC Comics, sensitive permissions. For example, permission of camera can be
Astonishing Comics, Comicat, misused in many ways. Currently there are apps available in the
Rage Comics App store which can take pictures and videos of the user without
Communications WhatsApp, Skype, IMO,Viber, the consent of user and then send them to a remote server. With
Kik
high resolution cameras provided with smartphones, this puts the
Demo Survival craft, Edge demo, World
of Goo, Spanish Class, n-Track privacy of the user in great jeopardy because this data can be
Entertainment Netflix, Tubi TV, Talking Tom processed to get biometric information such as Iris, finger prints
Cat 2,Dubsmash,Youtube data.[4].A recent privacy flaw in a popular messaging app has put
Finance Yahoo Finance, Finance Manager, million of its user at risk [5].
My Finances, Financial
Calculator, CNN Money Business 80
60
Apps

and Finance
40
Health S Health, Google fit-fitness 20
tracking, Total Health Care, Yoga 0
and Health tips, Pedometer
Libraries JW library, Gospel library,
Overdrive, Libraries for
developers, Scribd- A world of
books
Lifestyle Lifestyle, Fabulous-Motivate me, Permissions
My Horoscope, Shibboleth
Lifestyle, Steinbach Lifestyle Figure 1: Permissions Vs Apps
Multimedia VLC Player, MX Player, FLV
Player, Lopez Multimedia, Kodi
News BBC,Fox,CNN,NBC,Yahoo Android apps such as Google Analytics, Google Fonts and
Shopping Amazon, eBay, Wanelo, Google APIs enable google to determine a user’s route. This is
AliExpress, Wish Shopping made done by tracking the IP address of the device through successive
fun websites .In addition there are apps which turn the smartphone into
Social Facebook, Twitter, Instagram, a surveillance device [6]. These types of Apps have the ability to
Badoo, linkedin
Travel World Travel Guide, World
send live video feed to remote http servers. One particular example
Explorer-Travel Guide, of this type of app is FollowMe. Another example of online
Cheapflights – Flight Search, tracking is by using flash cookies. These cookies track the
Airbnb, Skyscannner behavior of user by storing information about the user’s online
browsing activities. Device fingerprinting is another method
The purpose is to study the type of control being given by which is can be used to track your smartphone, tablet or laptop.
android OS and the practical implication which may result from Nowadays a lot of communication written or oral is done
this authorization. through smartphones [7]. In 2013 Google was accused by
In table II we listed the most sensitive permissions with regard Microsoft of scanning the email contents of the users to deliver
to user privacy and try to analyse the frequency with which they targeted ads. In 2014 Edward Snowden accused US government
are being requested by our selected group of apps.

978-1-5090-5544-9/17/$31.00 ©2017 IEEE

 2017 IEEE International Conference on Consumer Electronics (ICCE)

searching email contents, tracking smartphones through a highly includes corporates, advertisers, and stalkers. Companies that are
powerful decryption software BULLRUN. running these social network are also collecting personal
Personal choices and experiences are being monitored when information to predict the latest trends and mood of their
the user accesses online services. One particular example is the customers. In 2011 social networking website Facebook was
behavioural marketing or tracking done by advertisers. Many accused of collecting contact list of its users through it smartphone
mobile websites and apps work with advertisers to manage and app [10].In march 2012 over 18 companies were sued that
targets ads. This is done so that ad networks have an idea which unlawfully collected user’s information. Among them were social
ad has most views. Another good example is YouTube and networking giants such as Facebook and Twitter [11].
Spotify. Both companies are known to use advance algorithms to In 2009, a survey conducted by AT&T Labs and Worcester
track a user’s choice for videos and music and they then use this Polytechnic Institute shows that the unique identifying code which
information to display the videos or music the user probably likes. is assigned to users by social media sites can be matched with the
Another main concern is in the use of mobile and fitness apps. behavior tracked by cookies. It means that advertisers can build
These fitness apps collect a lot of personal information such as users profile and observe their daily life activities by gathering
gender, age, weight, height, dieting information and exercise these information from social networking websites.
habits. No health regulation exists till now which protects a user’s There is research study conducted by Krishnamurthy and Wills
medical data. If this data goes public then there is nothing much a which shows that it is possible for third-parties to link personally
user can do. identifiable information (PII), which is leaked via online social
The smartphone isn’t the sole culprit in this story. The data has networking websites (OSNs), with user actions [12].
to go ‘somewhere’ in order to create ‘value’. Cloud is a key enabler
for connected consumer devices [8]. It empowers them through the V. PRIVACY AND LEGISLATION
commoditization of services from storage and content According to Troy H. of the Juniper Global Threat Center,
management, to personal communications and social media. Most many software developers collect information from device
smartphone services don’t happen exclusively on the device but through installing apps and then they store those information on
involve online components ‘out there’ on the Cloud. third-party servers to build device profiles or ad profiles so they
The survey indicates that architecture of android OS needs a can deliver application contents [13]. It’s worth to note here that
critical evaluation and overhauling. More stringent security how all these free applications collect the device data and use to
measures are needed to be placed in android OS and there should build ad profile by transmitting the data to third parties.
be strict criteria regarding the permissions granted by android to
apps. There should be some inbuilt procedure in the cellphone VI. PRIVACY AND GOVERNMENT
which has the ability to decide if a particular permission is The National Security Agency and Britain’s GCHQ are the
necessary for the app or not and if app is misusing the set of world’s most powerful intelligence services. These agencies used
permissions granted. mobile data to track their target person around the globe. Those
who makes these surveillance system are offering government
III. PRIVACY OF LOCATION officials to track the movement to almost every person, who
This form of privacy isn’t about tracking your location; it was carries cell phone. The technology works by exploiting all mobile
introduced to cover the increasing use of surveillance/monitoring company networks. It is the requirement of these surveillance
technologies in urban environments [9]. systems to keep record about their customer’s location and other
This surveillance can be in the form of audio, video or location personal data to deliver their services. They collect people
surveillance. Currently there are many apps offered by google play information to have record to map their travels over days or longer
store that can turn a cellphone into a surveillance device. One such and build their profile for company marketing.
example is Alfred app which can turn the android OS into a CCTV These surveillance system enables the technology to track the
alternative, home security camera, IP camera, IP cam, IPcam, person’s location by just typing their phone number into a
security cam. Similarly, there are apps available in store which can computer portal and then through this portal they can collect
easily locate individual location. One such example is Friend information from the location database maintained by the cellular
Locator. networks. In this way, they track person’s locations through the
cell tower [14]. It is still not known which government has got
IV. PRIVACY ISSUES REGARDING SOCIAL MEDIA these kind of tracking system. It is illegal in most countries to keep
Online social networks such as Facebook, LinkedIn and twitter track of people data without their consent.
helps us to connect with each other, share our ideas and make new
contacts. With the integration of social media into android device, VII. PRECAUTIONS FOR SAFE APP USE
it has become very easy for the user to post his day to day activities To avoid exploitation of your privacy, when you are
on the internet. This may invade user privacy. Different groups of downloading apps just make sure that you are using legitimate
people are interested in information given on social media which sources for downloading apps such as Google Play store. So the

978-1-5090-5544-9/17/$31.00 ©2017 IEEE

 2017 IEEE International Conference on Consumer Electronics (ICCE)

malware could not steal your private information on your device. [2] www.pcmag.com/article2/0,2817,2384363,00.asp
Before downloading any app from the app store, first read the [3] https://developer.android.com/guide/topics/security/permissions.ht
reviews about app which are already given by different users and ml
make sure that the app developer is legitimate. Also read privacy [4] A. Kelec, D. Vukovic, “ Privacy Threats on Android Devices: Big
policy and first understand them that what kind of permissions that Brother is watching you”, 23rd Telecommunications forum
app is asking for. TELFOR 2015, November 24-26, 2015.
If you are concerned about how much personal data is [5] https://www.aclu.org/blog/keeping-government-out-your-
gathered by the app and that some specific app is asking for too smartphone
much permission that could affect your privacy just uninstall the [6] Christoph Stach,” How to Assure Privacy on Android Phones and
app to protect your data [15]. Devices?,” 14th IEEE International Conference on Mobile Data
Management 2013.
VIII. CONCLUSIONS [7] W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri,” A Study of
In this paper, we have discussed privacy issues on android Android Application Security”, Systems and Internet Infrastructure
devices. Anything you store on your smartphone is at risk of being Security Laboratory.
compromised. Users are now offered tools and controls to manage [8] P. Corcoran, “The Internet of Things: Why now, and what? s next?,”
and adjust their privacy settings. These developments are driven Consum. Electron. Mag. IEEE, 2016 [Online]. Available:
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=7353271.
partly by legislation, partly by an increasing user awareness of
[Accessed: 30-Dec-2015]
privacy, but to a large degree by the self-interest of services
[9] R. L. Finn, D. Wright, and M. Friedewald, “Seven types of privacy,”
providers. Apps can read users information, when the user try to
in European Data Protection: Coming of Age, 2013, pp. 3–32.
install app, he agrees with all the terms and conditions, which the
[10] Facebook’s phonebook fiasco, IT WORLD (Aug. 11, 2011), at
app required for installation and then without the user knowledge,
http://www.itworld.com/it managementstrategy/192399/facebooks-
that specific app can have all the information of the person. We phonebookfiasco (describing the Facebook syncing feature).
have also took some apps from the google play store and did their
[11] Chloe Albanesius, 18 Firms Sued Over App Privacy, Including
mapping with the permissions they need to access for installing Apple, Twitter, Facebook, PCMAG.COM (Mar. 15, 2012), at
using Android. http://www.pcmag.com/article2/0,2817,2401625,00.asp.
ACKNOWLEDGMENT [12] B. Krishnamurthy, C. Wills, “On the Leakage of Personally
Identifiable Information Via Online Social Networks” AT&T Labs
This research is supported by the Employment Based – Research Florham Park, NJ USA.
Postgraduate Program of the Irish Research Council (IRC) and [13] http://www.computerworld.com/article/2509878/data-
partially funded under the SFI Strategic Partnership Program by privacy/smartphone-apps--is-your-privacy-protected-.html
Science Foundation Ireland (SFI) and FotoNation Ltd. Project ID: [14] https://www.washingtonpost.com/business/technology/for-sale-
13/SPP/I2868 on Next Generation Imaging for Smartphone and systems-that-can-secretly-track-where-cellphone-users-go-around-
Embedded Platforms." the-globe/2014/08/24/f0700e8a-f003-11e3-bf76-
447a5df6411f_story.html
REFERENCES [15] http://www.telegraph.co.uk/technology/internetsecurity/11850817/
[1] Sufatrio, D. Tan, T. Chua and V. Thing, “Securing Android: A WhatsApp-security-breach-lets-hackers-target-web-app-users.html
Survey, Taxonomy and Challenges” Institute for Infocomm
Research, Singapore, ACM Comput. Surv. 47, 4, Article 58 May
2015.

978-1-5090-5544-9/17/$31.00 ©2017 IEEE