The information that mobile apps collect and share about users is an area of concern and confusion. A new, free consumer app for Android devices at least addresses the matter of confusion.
Bitdefender’s Clueful for Android is a tool that claims to monitor and analyze Android apps and clue-in users about which ones can do things like read email messages without permission, spam you in your phone’s notification bar, access photos, send unencrypted passwords over the Internet, upload calendar information and more.
“Your smartphone is probably the most personal device you own, containing private messages, sensitive banking information, personal photos and other data that can leave you vulnerable if handled carelessly,” Catalin Cosoi, Bitdefender’s chief security strategist, said in a May 21 statement.
“Meanwhile, the world of apps is still like the Wild West—poorly regulated, chaotic and open to exploitation by unsavory characters.”
Clueful checks each app against a constantly updated cloud database and checks new apps when they’re downloaded. It then flags each one as green, yellow or red and shares details about each app’s activities. It might tell you, for example, “This app has permission to intercept text (or multimedia) messages that you receive,” or “This app can read your browsing history.”
An app might be flagged as yellow for sharing a user’s location information, or red for leaking a user’s email address or phone number.
The app also gives your phone a “privacy score,” with a goal of a squeaky-clean 100.
A phone I tried the app on received a “fair” score of 50 out of 100, with no app representing a high risk but 17 apps listed as a moderate risk. I was surprised to learn, among other things, that a Chase banking app reads my contacts and an English-to-Mandarin Translate app can read my text messages.
Clueful also points out—alongside a green dot, to suggest the behavior isn’t dangerous—whether an app connects to the Internet, Facebook, Twitter and other sites. It also makes clear whether information it’s sharing with you is based on general information it knows about the app or on the exact version your device is running.
If knowledge is power, Clueful offers a bit of power in what Bitdefender’s Cosoi rightly calls “an often dangerous milieu.”
The Federal Trade Commission has found such power to be wanting. In December, it released a report on a study that looked at the 400 most popular children’s applications in Google Play and the Apple App Store and found that the majority were collecting information and disclosing the practice in their agreements.
“Most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection and who would obtain access to the data,” said the report.
“Even more troubling,” it added, “the results showed that many of the apps shared certain information—such as device ID, geo-location or phone number—with third parties, without disclosing that fact to parents.”
Android apps have also been found to have poor Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols, which encrypt information between Websites and users. In a German study released last October, 8 percent of the apps included in the study were found to be vulnerable to man-in-the-middle (MITM) attacks.
The study additionally found that a majority of users weren’t unaware or didn’t notice security warnings. The study called for more education for users and simpler tools for developers.