Personal Data Sharing by Mobile Apps

Interesting research:

"Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps," by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney.

We tested 110 popular, free Android and iOS apps to look for apps that shared personal, behavioral, and location data with third parties.

73% of Android apps shared personal information such as email address with third parties, and 47% of iOS apps shared geo-coordinates and other location data with third parties.

93% of Android apps tested connected to a mysterious domain, safemovedm.com, likely due to a background process of the Android phone.

We show that a significant proportion of apps share data from user inputs such as personal information or search terms with third parties without Android or iOS requiring a notification to the user.

EDITED TO ADD: News article.

Posted on November 13, 2015 at 6:08 AM • 24 Comments

Comments

Chris • November 13, 2015 6:37 AM

XPrivacy for Android can feed apps with fake data, e.g. a fake serial number, a randomly filled address book, a location on the Easter Islands and much more.

ianf • November 13, 2015 7:44 AM

@ Chris “XPrivacy for Android can feed apps with fake location on the Easter Island”

What has Easter Island (singular) ever done to Android to warrant such camouflage deployment?

CallMeLateForSupper • November 13, 2015 8:02 AM

I read and re-read the paper 3-4 times during this week. The biggest of my personal take-aways are these two:

Only 55 apps (I hate that word) of possibly tens of thousands available - for each OS - were chosen for the study, so the paper's conclusions are undoubtedly just the tip of the data leak iceberg.

The mystery domain that nearly all Android apps connect to - even when no apps run - fairly screams to be investigated. What data is passed, if any? The fact that Google have not answered questions about the site nor the connections to it is also suspicious.

Also interesting that Google is the greater personal data sharer and Apple is the greater geolocation sharer.

jayson • November 13, 2015 8:42 AM

AFWall+ to stop them from phoning home. Also, using an adblocking /etc/hosts file like MoaAB. Although, I just noticed it doesn't contain safemovedm.com yet.

Default Privacy Guard is also helpful.

jones • November 13, 2015 9:04 AM

I wonder if they're also using this data to de-anonymize users across platforms through biometrics like keystroke dynamics (since live search boxes seem to actively process user input key-by-key).

http://link.springer.com/chapter/10.1007%2F978-3-642-35864-7_39

These mobile devices might be just as useful for "fingerprinting" as they are for actual content collection, since they are low-noise (other people rarely use your smart phone) high-throughput (always on, always on hand) and accurate (generally people put their real contacts into their phones).

CallMeLateForSupper • November 13, 2015 9:37 AM

Have seen several articles lately questioning Android and iOS app vetting processes. A few minutes ago I encountered yet another, at arstechnica:
http://arstechnica.com/security/2015/11/password-pilfering-app-exposes-weakness-in-ios-and-android-vetting-process/

The article focuses on one app, InstaAgent, which "tracked people who visited a user's Instagram account". The "tracking" is done for the benefit of the Instagram account holder; it is the purpose of the app. What got the app pulled from Google and Apple "stores" is its sending Instagram login credentials to a subdomain of the app developer, not just to Instagram.

Not to worry, writes one of the developers. "We apologize for our precious users because of we bother them." I was more confused after reading his/her explanations http://zunamedia.com/ than I was before.

The phone app thing is not ready for prime time.

keiner • November 13, 2015 10:59 AM

In the weird logic of Mr Schneier, one could call these Apps democratic, sharing their knowledge with the masses...

Nice weekend!

Marcos El Malo • November 13, 2015 12:35 PM

On my iOS devices I have geolocation deactivated in the general settings, and then turned on for a few apps. A handful of free apps ask for permission to turn on geolocation. I haven't kept track, but 47% seems about right. Some apps have valid reasons to ask, others do not (or not valid to me, at least). Google Maps wants my location, of course, but I prefer not to share it. Some shopping apps want it, probably to ascertain which storefront and language to use. Ad supported free apps probably want my location to serve up "geographically relevant" advertising.*

I haven't come across anything particularly nefarious, but I prefer to control who sees my location. Of course, what they do with that info (if I grant access) is out of my control, which is a cause for concern (although not, afaik, a matter of personal safety at this time).

That's my situation and experience, which while trivial is also in the range of the typical.

More generally, I see the issues as:

For those that are or might be targets of government and/or criminals

The general trend of companies and governments to collect data on the public that they don't need.

*I'd prefer advertising in English over Spanish, for example, even when I am in a Spanish speaking country. I'd prefer the U.S. storefront because I'm most likely shipping to a U.S. address and my billing address (and bank) are in the U.S.

Anura • November 13, 2015 1:00 PM

App stores show capitalism at its worst - the barrier to entry is so low that you are met with a flood of shitty apps, all looking to cash in by selling you ads and selling your data. Compare with the repos of your favorite Linux distro - sure, a lot of the software is crap, but there aren't 50 shitty clones for every program, since they are all free and open source, and they are significantly less untrustworthy.

rgaff • November 13, 2015 1:20 PM

@CallMeLateForSupper

From their terribly broken English, I suspect they may be saying they were collecting usernames/passwords to upload a picture to your account for advertising purposes, if you enabled that feature, instead of paying to have no advertisement.

As horrible as the practice may be from a security standpoint, collecting login credentials to third party sites to automate certain things and "help" you with them is not as uncommon as we might wish. But more legitimate places at least should do it with your full knowledge, not behind your back! :(

CallMeLateForSupper • November 13, 2015 1:55 PM

@rgaff
..."more legitimate places at least should [collect login credentials] with your full knowledge, not behind your back"

Right. I would also point out that the confidential data should not be uploaded in the clear. The InstaAgent app doesn't even obfuscate it, much less encrypt it.

CallMeLateForSupper • November 13, 2015 3:13 PM

The app subject is hot!

Just read this article (thanks, BoingBoing):
http://arstechnica.com/tech-policy/2015/11/beware-of-ads-that-use-inaudible-sound-to-link-your-phone-tv-tablet-and-pc/

Cross-device pairing by way of "[...] inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers."

"ultrasonic pitches are embedded into TV commercials or are played when a user encounters an ad displayed in a computer browser. While the sound can't be heard by the human ear, nearby tablets and smartphones can detect it. When they do, browser cookies can now pair a single user to multiple devices and keep track of what TV commercials the person sees, how long the person watches the ads, and whether the person acts on the ads by doing a Web search or buying a product."

According to the Center for Democracy and Technology, "As of April of 2015, SilverPush’s software is used by 67 apps and the company monitors 18 million smartphones."

Someone looking for a life should figure out how this works and develop a method for spoofing it.

albert • November 13, 2015 3:21 PM

Re: safemovedm.com,

According to whois.icann.org,
"...
Name: Domain Privacy Service FBO Registrant.
Organization: Domain Privacy Service FBO Registrant.
Mailing Address: 10 Corporate Drive Suite 300, Burlington MA 01803 US
Phone: +1.6027165339
Ext:
Fax:
Fax Ext:
Email:safemovedm.com@domainprivacygroup.com
..."

Information on 10 Corporate Dr Ste 300 Burlington, MA 01803-4200: (from http://www.bizapedia.com/addresses/10-CORPORATE-DR-STE-300-BURLINGTON-MA-01803.html)

"...
There are 8 companies that have an address matching 10 Corporate Dr Ste 300 Burlington, MA 01803-4200.

The companies are Mydomain Inc, Bluehost Inc, A Small Orange LLC, Endurance International Group Holdings Inc, A Small Orange LLC, Endurance International Group West Inc, Endurance International Group West Inc, and Endurance International Group West Inc.
..."

Re: Endurance International Group Holdings Inc,
http://www.bloomberg.com/research/stocks/private/snapshot.asp?privcapId=112165
.
safemovedm.com,
http://dawhois.com/site/safemovedm.com.html
.
I didn't check the other 6 companies.
Comments?
. .. . .. _ _ _ ....

Clive Robinson • November 13, 2015 5:18 PM

@ CallMeLate...,

Cross-device pairing by way of "[...] inaudible, high-frequency sounds to surreptitiously track a person's online behavior across a range of devices, including phones, TVs, tablets, and computers."

Hmm, it would appear the simpleness of the --supposed-- BadBIOS communications system that was derided as at best a fanciful idea --even by many on this blog-- has now been put into service for "the all hallowed marketing industry", even before everyday cyber criminals got around to using it...

albert • November 14, 2015 12:47 PM

@Clive R, @CallMeLate,

It's unlikely that most consumer products can output frequencies above 20kHz. 'Ultrasonic' means above human hearing, so the term doesn't apply here.

The first step is to analyze the system to determine the exact frequencies used, the encoding, amplitude, etc. I'd guess they must be using 15kHz or above, otherwise younger folks would be annoyed and dogs and cats would stress out*. It's probably not a continuous signal, and it'll be buried in program material (there's no dead air in broadcast TV; it's continuous drivel, 24/7). On the receiving end, some rather sophisticated s/w might be necessary to recover the signal from the noise...I mean 'program material'. I don't think this'll be a big deal. Anyway, there's no mike or webcam on my computer, and I don't have a smartphone, and I record most TV shows so I can skip the commercials. What me worry?

It does show the extent to which the BSPs will go to monetize everything. Can someone find gainful employment for these 'people'?

..............
* folks don't realize how stressful high/ultrasonic sounds are to pets. Dogs can hear up to ~45kHz and cats up to ~64kHz (see http://www.lsu.edu/deafness/HearingRange.html). Switching power supplies power most products, and they can generate high audio frequencies.
. .. . .. _ _ _ ....
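The comment above says the first step is to find which frequencies are used and that the signal is buried in program material. The following is an added example, not part of any comment in this thread and not a description of SilverPush's scheme: a Goertzel scan of PCM audio for a narrow tone standing out in the 15-20 kHz band. The sample rate, band, 250 Hz grid, threshold and the constructed test clip are all assumptions.

```python
import math
import random

RATE = 44100    # samples per second (assumed; common consumer audio rate)
FRAME = 2048    # samples analysed per frame (about 46 ms at RATE)
# Hann window: suppresses leakage from loud audible content into the high band
HANN = [0.5 - 0.5 * math.cos(2 * math.pi * i / (FRAME - 1)) for i in range(FRAME)]

def goertzel_power(samples, freq, rate=RATE):
    """|DTFT|^2 of `samples` at `freq`, computed with the Goertzel recurrence."""
    coeff = 2.0 * math.cos(2.0 * math.pi * freq / rate)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def scan_high_band(pcm, lo=15000, hi=20000, step=250, ratio=100.0):
    """Frequencies (Hz) whose power in any frame exceeds `ratio` x the band median."""
    freqs = list(range(lo, hi + 1, step))   # coarse grid (assumption, keeps it fast)
    hits = set()
    for start in range(0, len(pcm) - FRAME + 1, FRAME):
        frame = [x * w for x, w in zip(pcm[start:start + FRAME], HANN)]
        powers = [goertzel_power(frame, f) for f in freqs]
        floor = sorted(powers)[len(powers) // 2]   # median = in-band noise floor
        hits.update(f for f, p in zip(freqs, powers) if p > ratio * floor)
    return sorted(hits)

def constructed_clip(beacon_hz=None, frames=5, seed=1):
    """Constructed audio: two audible tones plus noise, optional burst in frames 1-2."""
    rng = random.Random(seed)
    pcm = []
    for i in range(frames * FRAME):
        t = i / RATE
        x = 0.3 * math.sin(2 * math.pi * 440 * t) + 0.3 * math.sin(2 * math.pi * 1000 * t)
        x += rng.gauss(0.0, 0.01)                      # broadband noise floor
        if beacon_hz and FRAME <= i < 3 * FRAME:       # non-continuous, quiet tone
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        pcm.append(x)
    return pcm

if __name__ == "__main__":
    print("clean clip :", scan_high_band(constructed_clip()))
    print("with burst :", scan_high_band(constructed_clip(beacon_hz=18000)))
```

A tone that falls between grid points is missed by this coarse grid; a scan of real recordings would step by roughly RATE / FRAME Hz instead.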

rgaff • November 15, 2015 1:36 AM

@albert

If the signal is encoded into other noise, it doesn't have to be out of hearing range at all, it can be well camouflaged in "plain sight" (normal hearing range) so that more devices and cheap sound systems can support it.

Either way, they don't need a high bandwidth signal to simply pair devices.

fajensen • November 16, 2015 2:42 AM

The "RADAR community" has over many years done a lot of work with coding-, communication- and extraction of "side band" information with RF signals. Many of those known and published techniques will work for Audio also, probably easier to do too since audio baseband processing is trivially cheap these days; one can play with the sound card, instead of some custom chippery sampling at 3-30 GHz.

Having worked with RADAR, I would assume that "they" can probably encode their "message" quite easily and unobtrusively in the normal sound-flow; the "advertising sound" is companded and therefore distorted to begin with.

albert • November 16, 2015 10:35 AM

Guys,

Please don't tell me that they'll be using the piezo 'speaker' as a transducer for sound recording....

. .. . .. _ _ _ ....
