A US research study found that “two-thirds” of 30 apps selected from the most popular titles on the Android Market “used sensitive data suspiciously,” transmitting data including location, device IMEI and, in some cases, the phone number and SIM card serial number (ICC-ID), for purposes not explicitly clear to the end user.

The probe investigated 30 titles from 358 in the Android Market which require Internet access along with permission to access location, camera or audio data. While the apps involved were not named, the survey looked at high-profile titles available in the US, including The Weather Channel app, Layar, BBC News Live Stream and Yellow Pages.

In a number of cases, location data was sent to advertising servers and app analytics firms, without explicit user access. While some apps shared location data when ads were being displayed, others did so when this was not happening, and “in some cases, we observed location information being shared as frequently as every 30 seconds.”

The data transmitted surreptitiously uses permissions granted by the device owner on app installation, which are necessary for the app to function as intended in normal use. The Register notes: “knowing what an app is capable of is different to knowing what it actually does.” The report distinguishes between cases where apps make clear in the user licence agreement that data will be used for specific purposes (for example, to provide location-based advertising), and cases where this takes place without direct user consent.

In order to conduct the tests, an app called TaintDroid was installed on handsets to monitor their activity. It is able to monitor both legitimate and illicit data transfers, cross-referencing user data access by apps with data transmissions by the software. The app is said to “incur only 14 percent performance overhead on a CPU-bound micro-benchmark, and impose negligible overhead on interactive third-party applications.” The intention is to make TaintDroid available open-source in the future.
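The cross-referencing described above can be pictured with a toy taint tracker. This is an added illustration, not TaintDroid's code: it only follows sensitive values through string concatenation, and the host names, labels, sample values and the `disclosed` policy map are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tainted:
    """A string plus the set of sensitive sources it was derived from."""
    value: str
    labels: frozenset = frozenset()

    def __add__(self, other):
        return combine(self, other)

    def __radd__(self, other):  # handles plain_str + Tainted
        return combine(other, self)

def lift(x):
    return x if isinstance(x, Tainted) else Tainted(str(x))

def combine(a, b):
    a, b = lift(a), lift(b)
    return Tainted(a.value + b.value, a.labels | b.labels)  # labels propagate

def source(label, value):
    return Tainted(value, frozenset({label}))

class Monitor:
    """Network sink: compares labels on outgoing data with what was disclosed."""
    def __init__(self, disclosed):
        self.disclosed = disclosed  # hypothetical map: host -> labels the user was told about
        self.findings = []

    def send(self, host, payload):
        payload = lift(payload)
        undisclosed = payload.labels - self.disclosed.get(host, set())
        if undisclosed:
            self.findings.append((host, tuple(sorted(undisclosed))))
        return tuple(sorted(undisclosed))

def run_sample_app():
    # Constructed scenario: location is disclosed for the weather host only.
    mon = Monitor({"weather.example": {"LOCATION"}})
    loc = source("LOCATION", "35.99,-78.90")      # constructed value
    imei = source("IMEI", "000000000000000")      # constructed value
    mon.send("weather.example", "GET /forecast?ll=" + loc)
    mon.send("ads.example", "GET /ad?ll=" + loc + "&id=" + imei)
    mon.send("ads.example", "GET /ping")          # carries no sensitive data
    return mon.findings
```

Only the request to the advertising host is reported, because it carries location and IMEI labels that were never disclosed for that destination.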

The report said that Android was selected as it meets a number of criteria, including: “because it has many features in common with other popular smartphone platforms, and because it is open-source, which was necessary for us to build our TaintDroid monitoring tool.” Although other device operating systems were not investigated, “further studies investigating other platforms are warranted, however.”

The work was conducted by Intel Labs, Duke University, and The Pennsylvania State University. Financial support was also provided by the US National Science Foundation.