Smartphone applications sell crazy and their market is growing by the day. There are official app stores like Apple App Store and the Android Market, and there are also outsider stores that peddle numerous jailbreaks. There are hundreds of thousands of mobile apps that come free of cost.

Mobile apps can leach immeasurable amounts of data from personal smartphones and sell them to advertising platforms. The news about data pilfering apps is nothing new, but there is now fresh evidence that large quantum of data are passed on from smartphones to advertisers by some apps.

... your personal information is being transmitted to advertising agencies in mass quantities. As more and more “free” applications attempt to monetize their offerings, we will likely see more of your personal information being shuttled out to marketing and advertising data aggregation firms, Tyler Shields, a researcher at security testing firm Veracode, wrote in a blog post.

The Veracode team set out to find out the extend of data breach that mobile applications are capable of committing after the Wall Street Journal reported that the Federal prosecutors are looking into smartphone application manufacturers for illegally gathering personal information.

The Journal said, according to the allegations, mobile applications are gathering data such as GPS location, device identifiers, gender, and even user age without proper notice or authorization from the end user.

Veracode team picked out the Pandora application for Android platform to analyze the scope of data pilfering. And they made some startling findings. Here's what Shields wrote in a blog post: The Pandora for Android application appears to be integrated with a number of advertising libraries. Specifically we found FIVE (yes that’s FIVE!) advertisement libraries compiled into the application: AdMarvel, AdMob, comScore (SecureStudies), Google.Ads, and Medialets.

And then they analyzed each of the modules to determine the type of data they access. They found that AdMob accesses the GPS location, application package name, and application version information. Also, they found that the SecureStudies library accesses the android_id and directly sends a hash of the data to Also, Medialets library accesses the device’s GPS location, bearing, altitude, android_id, connection status, network information, device brand, model, release revision, and current IP address.

In isolation some of this data is uninteresting, but when compiled into a single unifying picture, it can provide significant insight into a person’s life, wrote Shields.

Consider for a moment that your current location is being tracked while you are at your home, office, or significant other’s house. Couple that with your gender and age and then with your geolocated IP address. When all that is placed into a single basket, it’s pretty easy to determine who someone is, what they do for a living, who they associate with, and any number of other traits about them. I don’t know about you, but that feels a little Orwellian to me.