A new study by Juniper Networks concludes that thousands of Android applications are collecting more information than they need, suggesting mobile users are exposing more data than they realize when downloading apps.
The analysis, which examined over 1.7 million apps in the Google Play market from March 2011 to September 2012, found that free apps are four times more likely to track location, and three times more likely to have permission to access user address books, than paid apps.
Concerns about privacy in mobile apps first gained prominence through an investigation undertaken by The Wall Street Journal two years ago, which found that popular apps routinely collect and share personal data about users without their knowledge or consent.
That and subsequent reports, along with revelations that apps like Path and Hipster were collecting users' address books without informing them, have spurred a backlash, leading to increased government scrutiny and proposed legislation, such as the Mobile Device Privacy Act.
The Juniper study, conducted by its Mobile Threat Center, pointed out that there is a common assumption that free apps collect information in order to serve ads from third-party ad networks.
“While this is true in some cases, Juniper examined 683,238 application manifests and found the percentage of apps with the top five ad networks is much less than the total number tracking location (24%),” stated a blog post by Dan Hoffman, the firm’s mobile security “evangelist.”
By comparison, mobile ad networks, including AdMob, Millennial Media, AirPush and AdWhirl, collectively accounted for less than 10%.
“This leads us to believe there are several apps collecting information for reasons less apparent than advertising,” wrote Hoffman. Especially concerning are apps requesting permissions like the ability to silently initiate outgoing calls, send SMS messages and use a device camera. These permissions can be used to eavesdrop on conversations or pass on photos or other communications to third parties, along with potentially incurring data fees.
Juniper found that racing games and casino and card apps were the most likely to overstep privacy bounds. For example, 94% of all casino games have permission to make outbound calls but don’t explain why they would need this capability. And virtually all racing games have permission to send SMS messages and initiate calls, and half have permission to use a phone’s camera.
The firm urged developers to at least more clearly communicate why a particular function, like location-tracking or reading contacts, is necessary for a specific app. “Even though a list of permissions is presented when installing an app, most people don’t understand what they are agreeing to or have the proper information needed to make educated decisions about which apps to trust,” according to Hoffman.
Most app users -- 57% -- either remove particular apps or decide against installing them, according to a report released on Wednesday by the Pew Internet & American Life Center.