Carnegie Mellon University
November 07, 2014

Do Your Smartphone Apps Invade Your Privacy? Carnegie Mellon Offers an Online Report Card Profiles More Than One Million Android Apps

By Byron Spice / 412-268-9068

HongPITTSBURGH—Smartphones wouldn't be so smart without their apps, yet many free apps pinpoint a user's location to deliver targeted ads or share contact lists with third parties without alerting the user. Which apps behave themselves and which don't? A new Carnegie Mellon University project,, can help sort them out.

The site assigns letter grades to more than one million free Android apps, ranging from an A+ for the puzzle game Lazors to a D for the Despicable Me: Minion Rush game. The grades are assigned automatically using a privacy model that the researchers developed based on the preference ratings of 725 users.

"These apps access information about a user that can be highly sensitive, such as location, contact lists and call logs, yet it often is difficult for the average user to understand how that information is being used or who it might be shared with," said Jason Hong, associate professor in the Human-Computer Interaction Institute, who is leading the research project in the Computer Human Interaction: Mobility Privacy Security (CHIMPS) Lab.

"Our privacy model measures the gap between people's expectations of an app's behavior and the app's actual behavior," he said. "Most people expect apps such as Google Maps to be able to access their location, but most are surprised and troubled to learn that a game accesses their location."

In many cases, location information might be sold to companies that use it to target advertising or to analyze consumer behavior.

The final grade is based in part on an automated analysis of how an app uses sensitive data — whether it is essential for the app operation or whether it is shared with advertisers and marketers. And part of the grade is based on survey information about how comfortable users are with information being used in those ways.

Google Play, the site where Android apps can be downloaded, requires developers to specify what resources, such as location or device ID, each app uses. But even if consumers review that information, few are equipped to understand when such access is reasonable and necessary and when it might compromise their privacy.

PrivacyGrade goes further by examining which third-party code libraries make use of the resources tapped by the app. For instance, if the app accesses location data, PrivacyGrade checks to see if it is used by a library such as Google Maps, suggesting it is simply being used for mapping, or if it is being used by an advertising library, an indication that it will be used for targeted ads.

PrivacyGrade doesn't include paid apps because they receive much of their income from sales and therefore are less likely to seek income by selling user data to third parties. The CHIMPS team is considering adding iOS, Windows Mobile and Blackberry apps to the site as funding permits.

In addition to Hong, the research team included Song Luan, a Ph.D. student in electrical and computer engineering; Jialiu Lin, a former Ph.D. student in computer science who is now a privacy engineer at Google; Mike Villena, research programmer; and former research assistant Richmond Wong.

This research is support by the National Science Foundation (CNS-1228813), the Army Research Office (DAAD19-02-1-0389 and W911NF-09-1-0273), NQ Mobile and a Google Faculty Research Award.

Follow the school on Twitter @SCSatCMU.


CMU's Jason Hong (pictured above), an associate professor in the university's Human-Computer Interaction Institute, is leading a project that assigns letter grades on privacy to more than one million free Android apps.