Android privacy concerns rise over apps crossing the line


Tokyo-based IT company Milog is known for providing Android-based smartphone apps that let users share information about the apps installed on their phones and rank them by popularity. This small startup, established in 2009, has been backed by notable companies, including a ¥310 million joint investment from information and job-placement agency Recruit and Japan’s second-largest Internet advertising agency, Opt.

In July, Milog released a variety of apps under the name “App.tv,” which packages TV dramas by series into an Android app for each show. The apps are free in exchange for information from the users’ phones. Milog also distributes the “AppLog library,” which tracks users’ app information, and pays third-party developers ¥1 per install if they include “AppLog” in their own apps. This provides Milog with information on end users that can be sold to, for example, advertising companies that can create targeted ads based on what they know about the end user’s usage habits.

For this kind of business, it is essential that users explicitly agree to being tracked, and until recently this was the case. However, users have begun to report that they were not asked for their permission, or were asked with very vague text. Engineers, such as blogger Nobuo Sakiyama and security/privacy-issue researcher Hiromitsu Takagi, then analyzed the internal communications of users’ phones and found that “App.tv” had in fact been sending information every hour about which applications people used, even without approval.

Six weeks before the “App.tv” tracking controversy was revealed on Sakiyama’s blog (Oct. 10), another Android app called “Karelog” sparked similar privacy concerns. The name of the app means “Boyfriend’s log” in Japanese and the app, released on Aug. 29, instructed users — most likely suspicious girlfriends — to install it on their boyfriend’s smartphone in secret. The app then sends the user all GPS information on the unsuspecting boyfriend’s location and on the phone calls he makes.

The app received wide media coverage, most of it negative. Due to the media backlash and the fact that it was identified as spyware by security software firm McAfee, the “Karelog” app was soon withdrawn. However, the publisher plans to re-release it with the proviso that a tracker must ask the person being tracked for permission to install it on their phone.

All this has attracted the attention of the government too. On Sept. 13, Tatsuo Kawabata, the Minister of Internal Affairs and Communications (MIC), said that the ministry was investigating “Karelog.” And as has also been reported, the MIC is now investigating the Milog issue.

Developers have also reacted to the controversy and there are now quite a few applications specifically created to check and/or invalidate any tracking apps released on the apps market.

Recently, when I purchased a new Android phone, I was asked if I wanted to buy anti-virus software for it. The shop clerk told me that they strongly recommended it, because they are hearing of more and more problems related to malicious app installation.

Requiring every single app to be checked by such anti-virus software when it is installed is exactly the same as what we have been doing on PCs for years. And it is not a good situation.

The “App.tv” and “Karelog” incidents show that the rather loosely managed Android world is full of security risks similar to those of computers running Microsoft Windows. The operating systems of Android’s direct rivals — Apple’s iOS and the old-but-still-popular Docomo i-Appli — have much more controlled environments, such as the strict approval process for Apple’s App Store, and therefore have fewer security issues — or at least fewer that have been revealed.

Up until recently, iPhones were only available with SoftBank Mobile in Japan. Because of this, Android-based smartphones enjoyed good growth on the other two top carriers (KDDI and Docomo). But these malware incidents and the fact that KDDI au now also distributes the new iPhone 4S could have a negative impact on the reputation of Android apps and on the adoption of Android phones in the future.

Akky Akimoto writes for Asiajin.com, an English blog on the Japanese Web scene. A Japanese version of this article is available on his blog at akimoto.jp. You can follow him @akky on Twitter.