Mobile apps are regularly leaking information to third parties, according to research from the Massachusetts Institute of Technology (MIT), Harvard, and Carnegie Mellon.
The researchers tested 110 popular, free apps – half of them Android and half iOS – to find out which ones share personal, behavioral, and location data with third-party websites.
Make that very popular indeed: they looked at the top five most popular apps from the Google Play Store in the categories of Business, Games, Health & Fitness, and Travel & Local. Same thing for Apple’s App Store, where they tested the top five from Business, Games, Health & Fitness, and Navigation.
The list included mobile app staples such as Candy Crush, Facebook, Facebook Messenger, Facebook Pages, Skype, Fitbit, Amazon, eBay, Groupon, Instagram, Pinterest, Snapchat, MapQuest, Google Maps, YouTube and Yelp.
The researchers recorded the HTTP and HTTPS traffic that occurred while using the apps, keeping an eye out for transmissions that included personally identifiable information (PII), behavioral data such as search terms, and location data.
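The kind of check this method implies, sketched as an added example (not the researchers' code): given decrypted request records from an intercepting proxy, flag the third-party domains that receive values from a known test identity. The flow records, identity values and `.example` domains are constructed, and the two-label registrable-domain rule is a simplifying assumption.

```python
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed test identity typed into the apps during a capture session.
IDENTITY = {
    "email": ["jane.tester@example.org"],
    "name": ["jane tester"],
    "search_term": ["migraine"],
    # Coordinates are matched on a 3-decimal prefix, since apps may round them.
    "location": ["42.360", "-71.094"],
}

# Constructed flows: (app, first-party domains, request URL, request body).
FLOWS = [
    ("fitapp", {"fitapp.example"}, "https://api.fitapp.example/login",
     "email=jane.tester%40example.org&name=Jane+Tester"),
    ("fitapp", {"fitapp.example"},
     "https://track.adnet.example/e?q=migraine&lat=42.3601&lon=-71.0942", ""),
    ("fitapp", {"fitapp.example"}, "https://cdn.static.example/logo.png", ""),
    ("mapapp", {"mapapp.example"}, "https://stats.metrics.example/collect",
     '{"user":"Jane Tester","mail":"jane.tester@example.org"}'),
]


def registrable(host):
    """Crude registrable domain: last two labels (a real audit would use the Public Suffix List)."""
    return ".".join(host.lower().split(".")[-2:])


def leaked_fields(url, body):
    """Return the identity fields whose values all appear in the decoded URL or body."""
    parts = urlsplit(url)
    haystack = unquote_plus(parts.path + "?" + parts.query + "\n" + body).lower()
    return sorted(f for f, needles in IDENTITY.items() if all(n in haystack for n in needles))


def third_party_leaks(flows):
    """Map app -> {third-party domain -> set of leaked identity fields}."""
    report = defaultdict(lambda: defaultdict(set))
    for app, first_party, url, body in flows:
        domain = registrable(urlsplit(url).hostname or "")
        fields = leaked_fields(url, body)
        if domain not in first_party and fields:
            report[app][domain].update(fields)
    return report


if __name__ == "__main__":
    print({app: dict(d) for app, d in third_party_leaks(FLOWS).items()})
```

The first-party login request carries the email and name but is not reported; only flows whose destination falls outside the app's own domains count as third-party sharing.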
The researchers found that Android users in particular are getting drained, though Apple users’ devices aren’t exactly what you’d call hermetically sealed.
As they detail in their study – Who Knows What About Me? – 73% of Android apps shared personal information such as email address with third parties, and 47% of iOS apps shared geo-coordinates and other location data with third parties.
They also found that almost all of the Android apps – 51 out of 55 – connect to a mysterious domain, safemovedm.com, whose purpose they couldn’t figure out but which is “likely due to a background process of the Android phone.”
Google isn’t saying what the site is or why the Android OS would connect to it.
The researchers’ thoughts:
The purpose of this domain connection is unclear at this time; however, its ubiquity is curious. When we used the phone without running any app, connections to this domain continued.
It may be a background connection being made by the Android operating system; thus we excluded it from the tables and figures in order to avoid mis-attributing this connection to the apps we tested. The relative emptiness of the information flows sent to safemovedm.com indicates the possibility of communication via other ports outside of HTTP not captured by mitmproxy.
The researchers also found that a significant proportion of apps share data from user inputs – such as personal information or search terms – with third parties, without Android or iOS requiring a notification to the user.
More results:
- The average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.
- Android apps are more likely than iOS apps to share PII with a third party, such as name (73% of Android apps vs. 16% of iOS apps) and email address (73% vs. 16%).
- More iOS apps (47%) than Android apps (33%) share location data.
- 10% of Medical and Health & Fitness apps share medically related search terms and user inputs.
- The third-party domains that receive sensitive data from the most apps are Google.com (36% of apps), Googleapis.com (18%), Apple.com (17%), and Facebook.com (14%).
Christopher Weatherhead, a technologist at Privacy International, told the BBC that the report “highlights the many ways that the devices we use can betray us”:
The analysis in the paper suggests that a large proportion of apps tested share sensitive information like location, names and email addresses with third parties with minimal consent.
Data shared without the knowledge or consent of mobile phone users could further fatten the already huge store of web browsing history collection proposed in the new UK draft legislation for data retention, he said:
With the recently announced draft Investigatory Powers Bill, many of these connections to third-party websites would be retained as internet connection records.
So, even if you have never visited these websites, they would be indistinguishable from your actual web-browsing activity.
This would allow the security services to make assumptions about browsing habits which are not correct.
Why should we care?
The researchers listed a host of reasons why users should care about their PII being shared without notification – reasons that Naked Security often offers up.
From the paper:
An app may share a unique [ID] related to a device such as a System ID, SIM card ID, IMEI, MEID, MAC address, UDID, etc. The ID can be used to track an individual. Second, an app can request user permission to access device functions and potentially personal or sensitive data, with the most popular requests being access to network communications, storage, phone calls, location, hardware controls, system tools, contact lists, and photos & videos.
Some apps practice over-privileging, where the app requests permissions to access more data and device functions than it needs for advertising and data collection. Third, any data collected by the app may be sent to a third party, such as an advertiser. Fourth, a user may have a hard time understanding permission screens and other privacy tools in a device’s operating system.
How do we thwart the data vampires?
For one thing, app stores and future mobile operating systems should follow the example of apps meant for use by children, the researchers suggested.
For example, in the US, the federal Children’s Online Privacy Protection Act (COPPA) is designed to control the amount of geolocation data, photos, videos, audio recordings, and persistent identifiers collected and shared by apps without parental consent.
As far as individuals go, there are tools to protect user privacy that work by sending false data to satisfy permission requests from apps: three examples are MockDroid, TISSA, and AppFence.
The researchers suggest that such tools might be modified to also send fake user data inputs when the recipient is a third-party domain, though that may compromise an app’s ability to target advertising or offer other functions that depend on accurate user data.
Pingu
iOS and Android are both Operating Systems that arguably have vampirism as one of their key objectives.
Ubuntu Touch is beginning to look more and more attractive. I know of only three Ubuntu handsets. Hopefully there will be more. Ideally instructions for replacing iOS and Android with Ubuntu will also become available.
jandoggen
Mobile phones are not leaky. I argue that even apps are not leaky, but the entire infrastructure is. Look how long it took to come to a model where permissions are asked when needed, with the requirement that the app keeps functioning when the user denies permission (Google took a long time catching up with Apple for that). This is only the first step in *forcing* the app makers to behave. The end user is not going to do that – just look at the billions of people mindlessly clicking agree. The fact that I and maybe several (ten) thousand other people nag greedy app authors is not going to make a dent.
Pingu
Is it the “entire infrastructure”?
PHONE shortened form of telephone
noun 1. an apparatus, system, or process for transmission of sound or speech to a distant point, especially by an electric device.
Is the entire phone infrastructure leaky or is it all the stuff we try to add on to it – and isn’t that a function of the operating system and the “free” apps that run under that operating system?
Is the phone functionality (and say the phone book functionality) actually faulty?
Kelson
I wonder if safemovedm is used for a connection test of some sort. It could check whether a wi-fi network actually has internet access, for instance, or check response times.
That’s (potentially) innocuous enough that you’d expect Google to just answer the question. Then again, it could be something pre-installed by Samsung (the article says they used a Galaxy S3) or the carrier. I couldn’t find a mention of the carrier in the article, though I did see that they turned off mobile data and used wi-fi only.
Paul Ducklin
Specific URLs might have been useful… I am guessing a bit here, but like you I am assuming this relates to some kind of captive portal detector, much like Apple’s use of captive DOT apple DOT com SLASH hotspot-detect DOT html.
The idea is that when you connect to a Wi-Fi network, some sort of connection manager (presumably some part of the OS, not any individual app) tries a known URL with known content …and if something else comes back, it assumes there’s a Terms and Conditions page, or some sort of connection portal, that requires your attention.
That’s a guess based on:
hla DOT safemovedm DOT com SLASH homepage DOT html
hla2 DOT safemovedm DOT com SLASH homepage DOT html
(Would be nice if whois safemovedm.com didn’t return a “privacy protected” DNS registration.)
As you say, it might be specific to the device vendor or the carrier.
Laurence Marks
Good guess, Duck. As a former road warrior for decades, it took me a while to learn to _always_ start the browser first, even if I was going to do everything else over the VPN.
I was very pleased to see that Android automated the action for me, unlike OS/2 or various versions of Windows.
Paul Ducklin
Using a standard URL – like the one Apple uses in OS X and iOS – is somewhat handy because it doesn’t give that much away via DNS or HTTP while you’re getting through the Wi-Fi signup in the first place.
I’m still extremely leery of Windows Phone’s “feature” of trying to accept the T&Cs for you as well…
Ken
This cat has been out of the bag for a while now. Apps should be required to inform us what information they’re collecting and with whom they’re sharing it. They usually kinda sorta do. That’s as good as it’s going to get. With the billions of people downloading and installing anything that they can with little to no concern at all about what they’re giving up, the warnings that are being given are just window dressing.
You could scream on every news site about PII being sent out from users’ phones without their knowledge, and they wouldn’t care enough to stop downloading like kids in a free candy store – they’d look up from downloading just long enough to read a snippet of the story, then they’d put their head down again and resume downloading.
Maybe I’m just a tad cynical.
Wait, maybe there’s an app for that. BRB…