Researchers from Intel, Penn State, and Duke teamed up to study just how secure the apps in the Android Market are. Specifically, they wanted to see what private data apps collected, and what the apps then did with that data. The results: 15 out of 30 "popular" applications sent geographic data, 7 sent unique hardware information, and a few sent info such as phone number and SIM serial to developers. Scary stuff indeed.
This isn't the first time we've heard that Android apps are insecure - in late July, Lookout released similar findings. However, TaintDroid takes things a bit further, albeit from a smaller sample. Whereas Lookout's App Genome Project analyzed 300,000 applications from the Apple App Store and Android Market, TaintDroid is (thus far) Android only, and only analyzes the apps installed on the device. That said, it provides detailed information on what happens - more concrete than the nebulous results Lookout shared.
As the video below shows, the TaintDroid app sits in the background and monitors data flow. During the demo, a simple wallpaper app is opened but no actions are taken within the app. Upon returning to the home screen, there is a notification from TaintDroid: the phone number, IMEI number, and SIM card ID were all sent to a third party. They then reopen the app and open the "Favorites" tab. Once again, they return to the home screen and find TaintDroid notifying them that their IMEI was sent again.
TaintDroid has yet to be publicly released, but the team plans on doing so at some point down the road.