Data sharing is something that most of us take a lot more seriously these days. The fallout from the Cambridge Analytica scandal last year, which saw 50 million user profiles harvested on Facebook and used to influence political campaigns, pretty much ensured that. People who might previously have installed a free app even if it was requesting a long list of tenuously-linked data permissions have started to think twice.

Yet that might not make much difference: recent research by Privacy International found that 68 percent of the popular Android apps it investigated were sharing user data with Facebook. Not shocked by that? How about this: that figure applied to apps that were sharing this data when the user wasn’t actually logged into Facebook – and the data that was being shared involved users who didn’t even have a Facebook account.

Data policy - your data, your choice

“You decide how and whether it’s used.” Hmm.

In all, Privacy International investigated 34 Android apps with installations ranging from 10 to 500 million users. Using an open source software tool called mitmproxy, the researchers were able to analyse the data being transmitted from the app to Facebook through the Facebook software development kit (SDK) used by Android app developers. 61 percent of those apps automatically started transmitting data to Facebook as soon as the app was opened, regardless of whether the user was logged into a Facebook account or not. The analysis showed how harmless-sounding data such as when the app was opened, closed or being actively used, along with user device information, location data and the Google unique advertising ID can paint a “fine-grained and intimate picture of people’s activities, interests, behaviors and routines, some of which can reveal special category data, including information about people’s health or religion.”

What picture can overshared data paint?

Among the apps tested by Privacy International and which displayed this behavior were a Muslim prayer app called Qibla Connect, a period tracker called Period Tracker Clue, a job search app called Indeed and a kid’s app called My Talking Tom. If someone were to use all four apps then Facebook would be able to profile them as most likely a female Muslim with children who is looking for a new job.

The travel price comparison service KAYAK app was found to be sending detailed information about flight searches to Facebook including departure and arrival airports/cities, dates, number of tickets (including any children) and the class of ticket searched for. This information is, quite simply, advertising profile gold. Other apps tested by the researchers which immediately started transmitting data to Facebook included Duolingo, Shazam, Spotify and TripAdvisor.

Kayak permission screen

The consent screen users see when signing up for a Kayak account. Credit: Privacy International

“The problem with the use of such frameworks [as utilized by these apps] is it can inherently bring the access and transmission of metadata and sensitive information without user’s knowledge,” says Rod Soto, Director of Security Research at AI security specialist JASK. “For many years the tech industry has advocated that the use of metadata so obtained is a safe form to sanitise potentially sensitive information that can lead to singling out individuals: it is clear that it is not the case.”

This particular type of data oversharing could easily be prevented by app developers, as Facebook made an optional feature available to users of the Facebook SDK version 4.34 and later that enables automatically logged event collection to be delayed until user consent is granted. IT Pro reported how a Facebook spokesperson insisted “an app developer can either choose to use a pre-installed mechanism for obtaining an end user’s prior informed consent (as they could in the past) or use the SDK delay feature.” The Privacy International research suggests that developers aren’t taking a great deal of notice, given the majority of apps tested were still oversharing this way.

A systemic problem with Android apps?

It’s not just the Facebook revelations that are worrying; there is also evidence to suggest that data-oversharing is systemic as far as Android apps are concerned.

A Top10VPN study found that 85% of the 150 most popular free VPN apps on Google Play make excessive permission requests for data including real-time location, ability to record via a phone’s mic, and other intrusive requests that could significantly compromise users’ privacy.

University of Oxford researchers have warned that data harvesting is out of control on mobile apps in general. Their report, Third Party Tracking in the Mobile Ecosystem, was an empirical study of the prevalence of third-party trackers on some 959,000 Android apps available from the Google Play store. It determined that 88 percent of the free apps from the Google Play store shared data with companies owned by Google’s parent, Alphabet. While Google itself responded by saying the research had mischaracterized some ordinary functions of the apps such as crash reporting, the fact remains that the vast majority of free apps are rampantly sharing data on age, gender and location as well as what other apps are being used.

With online advertising revenues sitting at around $59 billion (£45 billion) per year in the United States alone, this is hardly surprising. As the researchers pointed out in that paper, the data profiles assembled from this data oversharing can be used for not only for credit scoring but ultimately in highly targeted advertising.

Given that the most recent incarnations of the Android operating system give users fairly detailed information about the data access permissions required by an app, when that app first requests it, is the problem really one of user education? Are users granting permission for their data to be overshared without actually understanding the implications?

The problem with permission

One issue could be the wall of permissions that many apps request, which people have to check through then agree to in order to use the apps – or they may experience “permissions fatigue” and simply agree.

“Due to the sheer number of requests for permission, users effectively grant all permissions to a new application regardless,” says Darren Williams, CEO and Founder of cybersecurity startup BlackFog.

VPN app requesting permissions

All that and your first born.

Permission fatigue isn’t the only user issue – apps downloaded away from official sources are also more likely to send on data unbeknownst to users. “Non-legitimate techniques can also install unauthorized code on Android devices using system-level privileges without asking for permission,” Williams explains. The unauthorized code installation problem is easily avoided by only downloading apps from the Google Play store, but this doesn’t solve the broader problem of that systemic oversharing by officially downloaded apps.

That is something that must be addressed by app developers themselves. Despite reaching out to many app developers while researching this article, in order to better understand about how they might minimize unwarranted data sharing, not a single one was prepared to comment either on or off the record. Worrying, but maybe not surprising.

All those free apps have to be monetized somehow, which means advertising – and the most lucrative advertising revenue comes from highly targeted campaigns. In the smartphone age, that old maxim of there’s no such thing as a free lunch still rings true, and your data is on the menu…