It’s no secret that Facebook can track pretty much every detail about your personal life. But did you know that Happy Fish—a popular kids’ game based on the Android operating system—might be a worse privacy offender?
Happy Fish’s developer, HappyElements, programmed the game so that it can collect a trove of information about you (and your kids) through the app. The game knows your precise location, has access to your photos and can read your text messages. It can even tell which Wi-Fi network you’re using.
We’ll get to why the game does this in a minute—and what it does and doesn’t do with that information—but let’s just pause for a second.
This is a bit creepy, right?
Plenty of people think so. Just check out some of the reviews on hit games. Fruit Ninja, for instance, consistently weirds people out with the personal data it asks them to fork over. The permissions “are crazy,” writes one reviewer. “I will never install this until it is clear as to why the developer needs access to all your private content.”
We reached out to Jason Hong, a professor of computer science at Carnegie Mellon and founder of PrivacyGrade.org, a site that ranks apps by how well they respect your personal privacy. Hong is a leading researcher on app security. So we asked him: What do the most downloaded apps know about us, and what do they do with that information?
Hong helped us run an analysis of these apps, and you can see the results in the chart below. We chose to focus on Android apps for a couple of reasons. First, there are about a billion Android users, which gives them about 62 percent of the smartphone market, compared with Apple’s 33 percent. Second, Android, unlike Apple, makes it easy to run a robot to retrieve the permission data. But our findings are relevant for any mobile phone user—it’s a barometer of what app makers think they can get away with.
As you’ll see from our chart, running down the left side, we’ve listed 25 of the most popular apps in the Google Play store, including Skype, Facebook and WhatsApp. There are actually about 60 permissions that these apps can ask for—everything from making your phone vibrate to accessing your camera. (You can find a full list of all the potential permissions here.) For practical reasons, we asked Hong to highlight four permissions that he thought were potentially the most alarming. Across the top, we list those four: contacts, text messages, call log and microphone. All of these are pretty straightforward, but the microphone permission is especially eerie. Imagine all the audio around you being recorded by some app, without your knowledge.
To be clear, these apps don’t actually activate your microphone until you tell them to (e.g. you make a phone call on the Skype app), but in the future, that may change. Facebook freaked out users in May when it announced a new (optional) feature that would let the microphone listen in on your conversations.
Our chart ranks the apps (top to bottom) that ask for the most permissions. As you can see, AntiVirus Security, Viber and Facebook top the charts in terms of the number of permissions they request. But it’s not at all uncommon for apps to request the four pieces of personal data that we’re highlighting. In fact, more than half of the 25 apps have access to your contacts, and about a third tap into your text messages, call log and microphone.
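For readers who want to see how a chart like this can be built, here is an added example (not part of the original article or of Hong's tooling) that reads the permissions declared in Android manifest files, flags the four categories highlighted above and ranks apps by how many permissions they request. The app names and manifests are constructed samples, and the mapping of the four categories to Android permission names is our assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the article's four categories -> standard Android permission names.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "text messages",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "microphone",
}

def manifest(*perms):
    """Build a constructed AndroidManifest.xml string for the sample data."""
    tags = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
            f"{tags}</manifest>")

# Constructed manifests for hypothetical apps (not data from the article's chart).
SAMPLES = {
    "example.flashlight": manifest("CAMERA", "READ_CONTACTS",
                                   "ACCESS_FINE_LOCATION", "READ_SMS"),
    "example.messenger": manifest("READ_CONTACTS", "READ_SMS", "READ_CALL_LOG",
                                  "RECORD_AUDIO", "INTERNET", "VIBRATE"),
    "example.weather": manifest("INTERNET", "ACCESS_WIFI_STATE"),
}

def requested_permissions(manifest_xml):
    """Return the de-duplicated, sorted permission names a manifest declares."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return sorted(names - {None})

def audit(manifests):
    """Rank apps by total permissions requested and list the flagged categories."""
    rows = []
    for app, xml_text in manifests.items():
        perms = requested_permissions(xml_text)
        flagged = sorted(SENSITIVE[p] for p in perms if p in SENSITIVE)
        rows.append({"app": app, "total": len(perms), "sensitive": flagged})
    rows.sort(key=lambda r: (-r["total"], r["app"]))  # most permissions first
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLES):
        print(f'{row["app"]:20} {row["total"]:2}  {", ".join(row["sensitive"]) or "-"}')
```

A flashlight app that asks for contacts and text messages, as in the constructed sample, is the kind of mismatch between function and permissions that a review like this is meant to surface.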
If you’re an Android user, this might make you a little uncomfortable. Most people probably don’t even pay attention to the permissions page that pops up before they download an app. It definitely asks you to accept the list of permissions the app is requesting, but it all happens extremely fast. It’s like checking the box on a “terms and conditions” page—easy and forgettable. Most people also probably don’t know that once they’ve downloaded the app, the app will never again ask for permission for anything it’s accessing.
Of course, Happy Fish isn’t the only app that tracks loads of information about you. Hit games like Despicable Me and Drag Racing flunked Hong’s privacy tests. (PrivacyGrade’s scoring is based on a model that measures the “gap between people’s expectations of an app’s behavior and the app’s actual behavior.” In other words, you expect Google Maps to have access to your location data—but you don’t expect the same of a flashlight app.)
In fairness, it’s not like most app makers are creepily scanning through your address books and looking for nude photos in your camera roll. There are a few reasons why these apps ask for your personal data.
In some cases, they need it to provide you with certain functions of the app. The simplest example is a map app that asks for your location data—without it, the app isn’t really all that helpful. Same with a Skype app asking for access to make phone calls. Some permissions are a bit more nuanced, but there’s still a clear potential utility for the user. For instance, The Weather Channel app requires access to your device and Wi-Fi settings. Sounds creepy, but they do it in case they want to send your phone a severe weather warning.
But the second reason has nothing to do with pleasing you—it’s about serving up your information to advertisers. “These advertisers are trying to get more targeted information about you, so they can get more targeted ads,” Hong says. For instance, health and wellness apps send your fitness routines and menstrual cycles to advertisers. Foursquare, the check-in app, sells your GPS data so stores know where you’re shopping.
The last reason is the most irritating, and to some people’s minds, worrisome: The developers ask for access to your information simply because they can, and no one is there to tell them to stop. “Most developers aren’t evil,” Hong says, “but they often don’t know what to do with respect to privacy and security.” So they collect reams of data on users without any immediate purpose in mind.
After some high-profile stories about apps that spy on you (not to mention NSA surveillance), the Federal Trade Commission stepped in to offer guidelines to developers. But those guidelines are often ignored—or openly flouted. Over the last year or so, the FTC has made a sport out of cracking down on app makers who get a little too frisky with the types of data they collect.
In 2013, Path, the social networking site, was fined $800,000 for deceiving users by collecting phone numbers from its address book. In September, review site Yelp forked over $450,000 for collecting location data about its underage users. And just last week, the FTC sent a warning to a children’s app maker for a similar transgression: collecting precise location data about its users, many of whom are minors.
There’s probably not much that users can do about all this, short of shutting off their Android phone, storing it in a locked closet and going for a walk outside. But just like apps are getting to know you better, you may want to get to know them a little better, too.