Mobile apps are regularly leaking information to third parties, according to research from the Massachusetts Institute of Technology (MIT), Harvard, and Carnegie-Mellon.
The researchers tested 110 popular, free apps – half of them Android and half iOS – to find out which ones share personal, behavioral, and location data with third-party websites.
Make that very popular indeed: they looked at the top five most popular apps from the Google Play Store in the categories of Business, Games, Health & Fitness, and Travel & Local. Same thing for Apple’s App Store, where they tested the top five from Business, Games, Health & Fitness, and Navigation.
The list included mobile app staples such as Candy Crush, Facebook, Facebook Messenger, Facebook Pages, Skype, Fitbit, Amazon, eBay, Groupon, Instagram, Pinterest, Snapchat, MapQuest, Google Maps, YouTube and Yelp.
The researchers recorded the HTTP and HTTPS traffic that occurred while using the apps, keeping an eye out for transmissions that included personally identifiable information (PII), behavioral data such as search terms, and location data.
The researchers found that Android users in particular are getting drained, though Apple users’ devices aren’t exactly what you’d call hermetically sealed.
As they detail in their study – Who Knows What About Me? – 73% of Android apps shared personal information such as email address with third parties, and 47% of iOS apps shared geo-coordinates and other location data with third parties.
They also found that almost all – 51 out of 55 – of Android apps connect to a mysterious domain, safemovedm.com, the purpose of which they couldn’t figure out but is “likely due to a background process of the Android phone.”
Google isn’t saying what the site is or why the Android OS would connect to it.
The researchers’ thoughts:
The purpose of this domain connection is unclear at this time; however, its ubiquity is curious. When we used the phone without running any app, connections to this domain continued.
It may be a background connection being made by the Android operating system; thus we excluded it from the tables and figures in order to avoid mis-attributing this connection to the apps we tested. The relative emptiness of the information flows sent to safemovedm.com indicate the possibility of communication via other ports outside of HTTP not captured by mitmproxy.
The researchers also found that a significant proportion of apps share data from user inputs – such as personal information or search terms – with third parties, without Android or iOS requiring a notification to the user.
- The average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains.
- Android apps are more likely than iOS apps to share PII with a third party, such as name (73% of Android apps vs. 16% of iOS apps) and email address (73% vs. 16%).
- More iOS apps (47%) than Android apps (33%) share location data.
- 10% of Medical and Health & Fitness apps share medically related search terms and user inputs.
- The third-party domains that receive sensitive data from the most apps are Google.com (36% of apps), Googleapis.com (18%), Apple.com (17%), and Facebook.com (14%).
The analysis in the paper suggests that a large proportion of apps tested share sensitive information like location, names and email addresses with third parties with minimal consent.
Data shared without the knowledge or consent of mobile phone users could further fatten the already huge store of web browsing history collection proposed in the new UK draft legislation for data retention, he said:
With the recently announced draft Investigatory Powers Bill, many of these connections to third-party websites would be retained as internet connection records.
So, even if you have never visited these websites, they would be indistinguishable from your actual web-browsing activity.
This would allow the security services to make assumptions about browsing habits which are not correct.
Why should we care?
The researchers listed a host of reasons why users should care about their PII being shared without notification – reasons that Naked Security often offers up.
From the paper:
An app may share a unique [ID] related to a device such as a System ID, SIM card ID, IMEI, MEID, MAC address, UDID, etc. The ID can be used to track an individual. Second, an app can request user permission to access device functions and potentially personal or sensitive data, with the most popular requests being access to network communications, storage, phone calls, location, hardware controls, system tools, contact lists, and photos & videos.
Some apps practice over-privileging, where the app requests permissions to access more data and device functions than it needs for advertising and data collection. Third, any data collected by the app may be sent to a third party, such as an advertiser. Fourth, a user may have a hard time understanding permission screens and other privacy tools in a device’s operating system.
How do we thwart the data vampires?
For one thing, app stores and future mobile operating systems should follow the example of apps meant for use by children, the researchers suggested.
For example, in the US, the federal Children’s Online Privacy Protection Act (COPPA) is designed to control the amount of geolocation data, photos, videos, audio recordings, and persistent identifiers collected and shared by apps without parental consent.
As far as individuals go, there are tools to protect user privacy that work by sending false data to satisfy permission requests from apps: three examples are MockDroid, TISSA, and AppFence.
The researchers suggest that such tools might be modified to also send fake user data inputs as well when the recipient is a third-party domain, though that may compromise an app’s ability to target advertising or offer other functions that depend on accurate user data.