Most of these are not "selling", they're providing normal 'connected' functionality. For example, any app that uses a name and password to access a server, they say is transmitting a password. Any app that you invoke "invite my friends", they say is transmitting your contacts.
Yes, for example, Angry Birds is doing these things. But it's by your request. The graphic doesn't show the data being "sold" or sent to marketers.
People collect location for a lot of reasons - localizing content, planning local advertising purchases, selling in-app advertising to agencies who want to buy access to a particular audience, etc. Sometimes developers just want to understand where their users are coming from out of curiosity.
Usually country and state fulfills the above purposes just fine. I've seen GPS coordinates sent off the device and then converted to country / state before the coordinates were discarded - that's how Pinch Media used to do it. Flurry typically just works with IP address, but when GPS is used, it does the rounding off on the device first so the only thing we're sent is already inaccurate.
Angry Birds only requests the following two permissions on Android-
-Network Communications
-System tools (prevent phone from sleeping)
This doesn't include even coarse location, much less a fine GPS position. Unless they're cracking your system, they can't get more than a guessed geolocation of the IP address you're at.
Nor can they access your contacts, read your personal details, steal your emails, read your phones identifier, etc.
Looking at the WSJ story, they don't even include Angry Birds under Android in their analysis. It is, I think, fascinating that there were so many stories on here about Android apps "stealing your data", yet the iPhone market remained opaque, with so many holding some unsupported notion that a high level curation guaranteed good app behavior.
In this case, despite the Android version being only ad supported, I have comfort that it can't possibly be doing what the iPhone app is doing.
I hope that this is in fact the case, and that the android angry birds isnt just gzipping my contacts db and pushing the whole lot out to an ad agency every time I load the program.
I doubt that it is, I think even the most aggressive and intrusive ad agency would see that the potential bad press that could come from this would outweigh any marketing benefits.
In actual fact, some contact data is sent out only when I use the "share with friends" function (which is never,) as you would expect? Right?
If I went to install Angry Birds on my Android phone and Android stated that it required access to my contacts lists, I would abort the install... Do you get any information like that when installing apps on the iPhone or do you have to trust that Apple makes a good decision for you? I'm not sure how the iPhone permissions stuff works, or if that level of granularity exists at all...?
The permissions stuff is tightly integrated into the android API, apps register everything they do with the OS as somewhat modular 'activities.' IIRC the permissions are enforced at this low level, each registered activity has a list of things it can do associated with it and by adding all these things together you get the permissions profile that you see at app install-time.
This Activities API is also what allows developers to so easily roundtrip to a third party app and back again from within their own app. The barcode scanner is a good example.
EDIT: another example is how Launcher Pro lets you make homescreen shortcuts that "deep link" to functionality that is sometimes several menu-levels down inside an application.
For those of you curious how to do the shortcuts mentioned in his edit, long press on a shortcut spot (empty space on the home screen, shortcut, or even one of the icons at the dock in the bottom), go to shortcuts, and then Activities. It's a pretty awesome feature, and I now have a nice link to my Google Reader account in my dock.
I get requests when an application wants to make use of my location in iOS. Android has permissions requests beyond this, but I'm fairly confident iOS has at least the one.
Ah yes, but that's not entirely accurate. You still get geo-located ads if you haven't given location permission. Apple's ads don't show a notification and since you don't know when your UUID is given out if another app has given your location ads all over can be targeted.
It's a pretty decent opt-out method, but it only works because something hardcoded in the iOS version of Safari sends the UDID as a X-Header in the HTTP request headers -- specifically to the oo.apple.com domain (and a handful of others, all owned by Apple.)
If any other company wants to offer a systemwide opt-out for its iOS software, it's a lot more difficult.
Well what's the need for that kind of information? It'll just confuse the users and Dear Leader Jobs would never expose his flock to any bad apps anyway.
> I hope that this is in fact the case, and that the android angry birds isnt just gzipping my contacts db and pushing the whole lot out to an ad agency every time I load the program.
Christ, for the startup times I get, this is a decent explanation. =\
You don't even need wireshark for that. When you install an app on Android, it displays the list of permissions that the application is requesting. One of the possible permissions is "Read Contacts". If you've installed an app that has "Read Contacts" permission, then ...err.. it can read your contacts db. If the app also has "Internet" permission, then yeah, it probably could zip up your contacts DB and push it out somewhere.
However, if the app doesn't have "Read Contacts" permission then there is no way for the app to access your contacts db, and so reason to worry about it sending your contacts db to someone.
Or course, most apps do request "Internet" permission, so I suppose those apps could be scraping up some info they do have info to and sending that out to a 3rd party. :-(
I don't want to know if my apps read my contact db, I want to know when and how much they read it. I do not trust them to tell me this. So, wireshark it is.
Also why would you ever criticize recreational protocol analysis? Especially on here.
Yes, for example, Angry Birds is doing these things. But it's by your request. The graphic doesn't show the data being "sold" or sent to marketers.