Of those 110 applications, 31 send the IMEI off the device, 14 of which send it to analytics and advertising servers. Moreover, the IMEI number sometimes accompanies other sensitive data such as contacts and the phone number, making it easy to link the user's information collected across applications running on the same device. The detailed analysis data can be found in our AppFence paper and the supplemental data page.
To mitigate the risk of misappropriation of the user's data by today's Android applications, the researchers of the study have developed a system, called AppFence, that implements two privacy controls: (1) covertly substituting shadow data in place of data that the user wants to keep private, and (2) blocking network transmissions that contain data the user made available to the application for on-device use only. We demonstrate that our privacy controls can block unwanted exposure of sensitive data by 66% of the applications that we tested without causing any side effects. For the remaining 34%, we have characterized the types of functionality that require the exposure of sensitive data and the side effects that result if our privacy controls are in place, to give users some guidance for making an informed decision. The following picture shows a sketch of the AppFence interface showing how the AppFence system could change the current all-or-nothing permission architecture:
The contributors of the study are Peter Hornyack (University of Washington), Seungyeop Han (University of Washington), Jaeyeon Jung (Affiliate Faculty at University of Washington, who initiated this work while at the now-defunct Intel Labs Seattle), David Wetherall (Faculty at University of Washington) and Stuart Schechter (Microsoft Research). The details of the study can be found in our technical report. This project is an outgrowth of the TaintDroid project.
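The two privacy controls described above (shadow data substitution and blocking of transmissions that carry on-device-only data) can be modelled in a few lines. This is an added illustration, not AppFence code: the `AppSandbox` class, the policy names, the host name and all sample values are hypothetical, and plain substring matching stands in for the data tracking a real implementation needs.

```python
from dataclasses import dataclass, field
from enum import Enum


class Policy(Enum):
    REAL = "real"              # app gets the real value, no restriction
    SHADOW = "shadow"          # app silently gets a stand-in value
    ON_DEVICE_ONLY = "local"   # app gets the real value, but it may not leave


# Constructed sample values, not real identifiers.
REAL_DATA = {"imei": "123456789012345", "phone": "+12065550142"}
SHADOW_DATA = {"imei": "000000000000000", "phone": "+10000000000"}


@dataclass
class AppSandbox:
    """Per-application view of sensitive data plus an outbound filter."""
    policies: dict
    blocked: list = field(default_factory=list)

    def read(self, item: str) -> str:
        # Control 1: substitute shadow data without telling the app.
        if self.policies.get(item, Policy.REAL) is Policy.SHADOW:
            return SHADOW_DATA[item]
        return REAL_DATA[item]

    def send(self, host: str, payload: str) -> bool:
        # Control 2: refuse transmissions carrying on-device-only data.
        for item, policy in self.policies.items():
            if policy is Policy.ON_DEVICE_ONLY and REAL_DATA[item] in payload:
                self.blocked.append((host, item))
                return False
        return True


def demo() -> dict:
    app = AppSandbox({"imei": Policy.SHADOW, "phone": Policy.ON_DEVICE_ONLY})
    imei, phone = app.read("imei"), app.read("phone")
    return {
        "imei_seen_by_app": imei,
        "ad_beacon_sent": app.send("ads.example.com", f"id={imei}"),
        "phone_upload_sent": app.send("ads.example.com", f"id={imei}&tel={phone}"),
        "blocked": app.blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The beacon carrying only the shadow IMEI goes out unchanged, so the application keeps working, while the request that includes the real phone number is refused and recorded.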