Tuesday, November 13, 2012

Analysis of What Information Angry Birds Collects

Some folks have been inquiring about what kind of personal information Angry Birds collects, and who it sends it to, due to a recent New York Times article that briefly discussed our work. I asked some students I work with (Jialiu Lin, Prateek Sachdeva, and Shah Amini) to probe Angry Birds using some static analysis tools, to figure out what specifically it is doing.


Here is the list of third party APIs that Angry Birds sends location data to:
- flurry (does a lot of analytics for apps; Troy Hunt has a good analysis of what data is being sent to flurry)
- inmobi (targeted mobile advertising)
- jumptap (targeted mobile advertising)
- millennialmedia (targeted mobile advertising)

Also the device ID information is sent to:
- burstly (does ads, ads optimization, and rewards)
- jumptap (see above)
- millennialmedia (see above)

Other 3rd-party APIs this app uses are:
- greystripe (mobile ad network)
- google ads

Now, I've argued in the past that most smartphone apps are spyware. The primary motivator for gathering all of this information is primarily monetization of apps, rather than maliciousness (though your definition of maliciousness may differ from mine). However, based on our research probing people's expectations of privacy with smartphone apps (PDF of our Ubicomp 2012 paper), we found that many of these uses of personal data were highly surprising to people. People have even uninstalled apps while I give my talk about what these apps do. 

Our general position is that we need better policies, visualizations, and tools to help people make better trust decisions about these apps. As such, our current work (done with Janne Lindqvist, Joy Zhang, and Norman Sadeh) is to build better tools to help people understand what's going on with these smartphone apps. One line of work is to crowdsource privacy policies, finding mismatches between expectations and reality (this is the Ubicomp 2012 paper above). Another line of work is to build better tools to help third parties quickly and efficiently probe apps, to understand their privacy and security-related behaviors (you can see a preview of Gort, our analysis tool, here).

Our project is supported by Google, the National Science Foundation, and the National Security Agency. The views and conclusions contained in this document are those of the authors and should not be 
interpreted as representing the official policies, either expressly or implied, of these organizations.

No comments: