Everyone should take their personal data seriously, and the people behind TaintDroid are about to help us all with that. It's a joint project between Intel, Penn State University, and Duke University that monitors the private data that third-party applications request from your Android phone, using a scientific technique called "dynamic taint analysis". In a nutshell, TaintDroid will monitor applications and alert you when one tries to send personally identifiable data from your device. It won't tell you whether this is good or bad, just what is being sent and where it's being sent to. You can then use the information and make that determination for yourself -- it's all nice and neutral in a very clinical way.

While Android does tell you what sort of permissions an application will have access to, many users ignore those warnings or simply don't understand them. That's where a service like TaintDroid could be very, very handy. They have a very nice FAQ and video demo of TaintDroid in action at their project page, which you can find at the source link. Thank goodness Android is a platform open to this sort of application, rather than one that refuses to approve it to protect developers, then prevents most people from installing it since it's not "endorsed" by someone in California. Be sure to check it out, and as soon as it's made available for the average Joe (hey, that's us!) we'll let you know. [AppAnalysis]
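To make the "dynamic taint analysis" idea concrete, here is an added toy example (not TaintDroid's own code, which lives inside the Android platform): sensitive sources label values with taint tags, the tags ride along through string operations and encoding, and a network sink reports which tags reached which destination without judging whether that is good or bad. The device ID, location and hostname are constructed sample values.

```python
"""Toy dynamic taint tracking in the spirit of TaintDroid (added example,
not the project's own code). Sensitive sources label values with taint
tags; tags follow the data through string operations; a network sink
reports which tags reach which destination, without judging the app."""
from dataclasses import dataclass


@dataclass
class Tainted:
    value: str
    tags: frozenset = frozenset()   # e.g. {"IMEI", "LOCATION"}; empty = clean

    def __add__(self, other):
        """Concatenation propagates the union of both operands' tags."""
        o = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.value + o.value, self.tags | o.tags)

    def map(self, fn):
        """Any transform (encoding, hashing) keeps the tags: the derived
        bytes still carry the secret, so the label must not be lost."""
        return Tainted(fn(self.value), self.tags)


# Constructed sample "device" values standing in for the real sources.
def get_device_id():
    return Tainted("356938035643809", frozenset({"IMEI"}))


def get_location():
    return Tainted("40.7128,-74.0060", frozenset({"LOCATION"}))


ALERTS = []  # (destination, sorted tags, payload) for each tainted send


def network_send(host, payload):
    """Network sink: record an alert whenever tainted data leaves the device."""
    if isinstance(payload, Tainted) and payload.tags:
        ALERTS.append((host, tuple(sorted(payload.tags)), payload.value))
    return True


def run_demo_app():
    """Simulates an ad library that phones home with device data (constructed)."""
    ALERTS.clear()
    report = Tainted("id=") + get_device_id() + "&loc=" + get_location()
    # Hex-encoding the report does not launder the taint: the alert still fires.
    network_send("ads.example.invalid", report.map(lambda s: s.encode().hex()))
    network_send("ads.example.invalid", Tainted("ping"))   # clean data, no alert
    return list(ALERTS)
```

Running `run_demo_app()` yields exactly one alert naming both the IMEI and LOCATION tags and the destination host, which is the kind of neutral "what went where" report the article describes.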


Reader comments

TaintDroid -- realtime privacy monitoring for your Android phone


I want a firewall application. I want to control what goes to where.
I want the ability to block information if I so choose. Can I have that? 8o)

The word "taint" has a long history in the unix/linux world with reference to corrupting the kernel by inserting untrusted code into it, but the expansion of meaning to include unwanted spying and data theft is understandable.

Maybe I'm being juvenile here, but is that not one of the funniest app names ever? Do I really need an app to monitor my taint? As if my twice hourly scratching is not enough. 8^)

Exactly what I was thinking. When I see TaintDroid I think "Fart App" first, "Security Analysis" never.

I wonder if this will require root to install. After all, if one app can watch the transmissions of another app, you have to be able to hook the stack to some degree, and that should not be possible for a user application.

It would be worth rooting for if necessary.

App developers engaged in this practice would be well advised to rush bug fix releases out to cover their tracks, because I can see lots of class action lawsuits coming when Joe user discovers that silly game actually sent his email contacts to spammers or advertisers.

When I see a game that wants to read my phone contacts or call log, that's a Red Flag right there. I've uninstalled things that did this with no obvious reason.

I can't wait for this to become available, and I can't wait to watch the firestorm of protest when it becomes widely known which apps are the abusers.

Maybe AC should start a hall of shame page in the forums.

"Update for those interested in installing TaintDroid: Tracking how apps use sensitive information required integrating our software into the Android platform at a low level. As a result, it was not possible to implement TaintDroid as a stand-alone app. Instead, TaintDroid is a custom-built firmware, similar to a number of popular community-supported Android ROMS. In the coming days we will open-source our code through a publicly-accessible repository. Thank you for your interest in TaintDroid!" --- appanalysis.org

Zackly as I thought. Thanks for that.

Not practicable for your average user. So that means we need a testing service to run this thing and publish results for all to see.

This would be great for AC to add as a service, since they can expense the phones, and the web space and have a lot of techno-gurus on call.

So with the Droid X's eFuse it will never run on the DX .. guess all those malicious Weather applications will only be available on the DX. *laugh*

They ignore tips. Just start a thread in the forums. They jump when they realize they are getting scooped by their own forums.

Don't do that!! In this case, the story was prepared a few days ago from the press release we received. Make no mistake -- WE LOVE YOUR TIPS, read through every single one of them, and try to credit everyone when they help out.

Commenters that are also Android news-hounds kick @ss in our book :)

I hate teaser articles like this. Hey, look at this great new app we found. It will let you do whatever you want on your device. It's the greatest app to ever come out. Oh, but it's not available yet to the public....sorry.

I'm a 21 year old male and when I see the word "taint" all I think of is something that isn't pure and/or innocent, like a tainted soul, etc.

I don't know how old you other people are or what gender you are, but if a 21 year old male thinks of the normal usage of the word first before ever thinking about the other, really stupid meaning, that says a lot about you. Well, not even that...but if you have to actually leave a comment about it..now THAT says a lot about you.

Okay you can start rating me down now. :)

The apps in question: The Weather Channel, Cestos, Solitaire, Movies, Babble, Manga Browser, Bump, Wertago, Antivirus, ABC - Animals, Traffic Jam, Hearts, Blackjack, Horoscope, 3001 Wisdom Quotes Lite, Yellow Pages, Dastelefonbuch, Astrid, BBC News Live Stream, Ringtones, Layer, Knocking, Barcode Scanner, Coupons, Trapster, Spongebob Slide, ProBasketBall, MySpace, ixMAT, and Evernote.

I uninstalled Barcode Scanner, the only app from the list I had installed =]

As an author of Barcode Scanner, I feel compelled to point out that this paper quite incorrectly reported that Barcode Scanner has permission to access location and access "phone state" which means access to the unique phone ID. An author has apologized and published an updated version of the paper. Without these permissions, Barcode Scanner cannot exhibit the privacy-violating behaviors they cite.

Unfortunately, many (including 'U2XM202') are indiscriminately assuming all named apps have a privacy issue. The paper makes clear it simply chose 30 popular apps which request at least location, camera, audio or phone state permission -- it does not imply all have some privacy issue. By not "naming names", however, it has left the impression that all 30 apps are "guilty".

Users have always been able to see the full source of Barcode Scanner at http://code.google.com/p/zxing and are invited to confirm it does none of the dastardly things that some apps they served do.

I would like the authors to rectify this by specifying which apps were found to have these behaviors. As it stands, some users are unnecessarily suspecting apps like Barcode Scanner, while not knowing who the real violators are.

I purposely decided to try to stay neutral, and name no names. Companies and people that focus on mobile security usually have a slight bias, it makes sense -- they need to forward their ideas. All I want to do with this story is make everyone aware that tools are in the works they can use to make their own decisions.

I'd LOVE it if you'd shoot me a line to discuss this a little bit deeper, and give your side of the issue equal time.

Instead of picking on Apple, you should also inform your readers that 2/3 of the apps tested were sending out private and sensitive information without the user's knowledge. This information included the user's phone number and location among others. It found that information was being sent even when an app wasn't running or displaying an advertisement, and sending the info every 30 seconds. It may or may not mean anything, but just be aware that Google's "Openness" marketing leaves you open to these threats. When a site that you trust only gives you half the story, and sugar coats it, that's also a threat.

2/3 of hand picked apps, including ones known to send this exact information as reported by another Android security company, almost like they were trying to find issues :) That's the other half of that story.

On a Nexus One, using an OS version at least 3 iterations old. Why test applications running on a build with known and fixed bugs?

Trust me, I held back and just reported it as news and didn't interject my opinion. My line about other mobile OS's being too closed for any sort of application of this nature is echoed by the developers, in their words, at the source link.

When I have an agenda, you'll know it :)