Over a Third of iOS, Android Apps Snoop on Your Location

More than a third of Android apps, and nearly half of iOS apps, can track and record your location, according to a new report from anti-virus software company Bitdefender.

Those are just two of the findings in the Romania-based company's latest report, entitled Mobile Operating System Wars – Android vs. iOS.

MORE: 13 Security and Privacy Tips for the Truly Paranoid

The report documents several common features found in both iOS and Android apps that track users' locations, access their contacts and interact with social media sites.

Often, these features don't play a central role in the app's core function, so users who don't read the fine print may not be aware of what their apps are doing.

Bitdefender's report agrees with the consensus among security professionals that iOS is the safer platform. However, it also argues that, in terms of overall privacy, the two are more similar than might be expected.

"While Android is much less restrictive with the way users and developers interact with the system, most of the collected data is similar for both Android and iOS…However, iOS sets some strong guidelines as to what can be collected by advertisers and would disallow collecting the user's phone number or unique hardware identifier," Bogdan Botezatu, Bitdefender's Senior E-Threat Analyst, told Tom's Guide.

Bitdefender's report also found that 7.7 percent of Android apps and 19 percent of iOS apps accessed users' contact lists.

Why would apps want such data? Simply put, everyone on your contact list is a potential new customer.

The app makers might use contact-list data to prompt you to invite other people to use their service. Or they may have requested permission to access it because they're planning on adding social networking features in a later update. Sometimes app developers collect information such as contact-list data simply because they can.

The report found that 14.6 percent of Android apps leak device IDs, which can link app and Web activity to a specific device.

By comparison, very few iOS apps collect device IDs; Apple made it more difficult for developers to do so after the 2012 data breach of Florida-based iOS app developer Blue Toad, in which hackers made off with nearly 1 million user IDs that the studio's apps had collected. 

Finally, Bitdefender found that 8.85 percent of Android apps collect users' phone numbers. This is extremely valuable — and extremely dangerous — information because it usually links directly to a person's name.

Developers, advertisers or anyone else with access to the data can use this information to build comprehensive profiles of individual people by syncing data collected through multiple different sources. 

App developers usually collect this kind of data for advertising purposes. Most apps, even the free ones, exist to make their creators money in some way.

Advertising works differently on mobile platforms than on the Web, though.

"Mobile adware is totally different" from Web-based advertising," the Bitdefender report says. "Adware tightly integrates with the device — it does not run inside the browser, isolated from other applications.

"On mobiles, advertising frameworks can learn your communications habits, friends, friends' contacts, location and — more frequently — all of the above at the same time," the report says. "This turns them into the modern equivalent of spyware built into the device you're using the most throughout the day."

MORE: Best Smartphones 2014

How would you know whether apps snoop on your location, contact list, device ID and phone number? You have to pay attention to the permissions, which Android and iOS handle in different ways.

On Android, the user has to agree to all an app's requested permissions before downloading the app from the Google Play store. On iOS, apps request permissions upon first launch, which gives users the ability to grant or deny permissions one by one instead of being presented with Android's all-or-nothing choice.

Bitdefender gathered part of the data for this report using its mobile app Clueful, which ranks how well other apps installed on users' devices protect privacy, based on features each application accesses and the privileges it requires, and how it handles the data it transmits via the Internet. The study included 314,474 free Android apps and 207,843 free iOS apps.

Bitdefender concludes by warning that even the most innocuous-seeming apps, especially free ones, make money by taking advantage of your personal information to send you targeted advertising.

"The free application ecosystem is actually free for the user, but is heavily monetized by the developer," the Bitdefender report concludes. "The application becomes free only after the user has paid for it with his or her privacy."

Email jscharr@techmedianetwork.com or follow her @JillScharr and Google+.  Follow us @TomsGuide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.