Google Play Store
Google Play Store (Credit: Screenshot by Lance Whitney)

Are your favorite Android apps secretly recording your conversations and your daily activity? There's good news and bad news, according to an extensive new study.

Since the rise of smart speakers and several high profile cases of them unexpectedly recording their owners, there's been rising concern about smartphones also recording conversations--especially since our phones are typically with us everywhere, and so pose greater risks.

A new study conducted by researchers at Northeastern University in Boston, Massachusetts, found no evidence of apps surreptitiously turning on the microphone and recording conversations. But, it did discover apps recording your screen and sharing that information with third-party companies without your knowledge or permission. The study tested 17,260 apps from Google Play and other Android app stores across 10 different Android phones.

SEE: Android security and privacy starter kit (a Download.com guide)

Many mobile apps can tap into the camera, microphone, and other sensors on our smartphones to track and record our activities. Such information is not only captured by the developers but is shared with advertisers and other third parties. As such, fears have arisen that our privacy is being violated as we don't know when our activities are being tracked or with whom such data is being shared.

"Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that overprovision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent," researchers Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes said in the study.

"We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions."

GoPuff, an on-demand food delivery service, was one app cited in the study and highlighted by Gizmodo as an example of the lack of transparency. The app was discovered recording user activities and sharing that data with mobile analytics firm Appsee, even though such actions were not revealed in GoPuff's privacy policy.

"Researchers from Northeastern brought to our attention the results of their study," GoPuff said in a statement sent to Download.com. "While our original privacy policy disclosed all PII (personally identifiable information) we collect and that we use PII to improve our website, after speaking with the researchers 4 weeks ago we acted to clarify our privacy policy to reference our use of Appsee. At that time, we further reviewed the utility of Appsee and as an added precaution, we proactively pulled the Appsee SDK from the latest Android and iOS builds."

Appsee CEO and co-founder Zahi Boussiba told Download.com, "Appsee's Terms of Service clearly state that our customers must disclose the use of a 3rd party technology, and our terms forbid customers from tracking any personal data with Appsee.

"The research tested dozens of apps that use Appsee, and only one of them (GoPuff) did not disclose this fact to their users, and it appears that GoPuff were capturing zipcode information with Appsee. In the same way app developers can send sensitive information to any 3rd party, Appsee cannot control the data we receive from our clients. In this case it appears that Appsee's technology was misused by the customer and that our Terms of Service were violated. Once this issue was brought to our attention we've immediately disabled tracking capabilities for the mentioned app and purged all the relevant data from our servers."

A Google spokesperson sent the following statement to Download.com: "We always appreciate the research community's hard work to help improve online privacy and security practices. After reviewing the researchers' findings, we determined that a part of AppSee's services may put some developers at risk of violating Play policy. We're working closely with them to help ensure developers appropriately communicate the SDK's functionality with their apps' end-users."

In terms of the audio capture issue, the Northeastern researchers couldn't conclusively say that the apps they analyzed were not capable of activating the microphone and secretly recording you, only that the study found no evidence of this happening. The tests were conducted in a controlled environment using automated programs that couldn't actually sign into the apps. In the real world, the results could differ.

FOLLOW Download.com on Twitter for all the latest app news.

Takeaways

  1. A study found that some Android apps were recording screen activity and sharing that data with third parties without the user's permission or knowledge.
  2. Conducted in a controlled environment, the study didn't find evidence of apps turning on the microphone and secretly recording users. But results may differ in the real world.

Also see

Lance Whitney is a freelance technology writer and trainer and a former IT professional. He's written for Time, CNET, PCMag, and several other publications. He's the author of two tech books - "Windows 8 Five Minutes at a Time" and "Teach Yourself VISUALLY LinkedIn."