Differences in App Security/Privacy Based on Country

Depending on where you are when you download your Android apps, it might collect more or less data about you.

The apps we downloaded from Google Play also showed differences based on country in their security and privacy capabilities. One hundred twenty-seven apps varied in what the apps were allowed to access on users’ mobile phones, 49 of which had additional permissions deemed “dangerous” by Google. Apps in Bahrain, Tunisia and Canada requested the most additional dangerous permissions.

Three VPN apps enable clear text communication in some countries, which allows unauthorized access to users’ communications. One hundred and eighteen apps varied in the number of ad trackers included in an app in some countries, with the categories Games, Entertainment and Social, with Iran and Ukraine having the most increases in the number of ad trackers compared to the baseline number common to all countries.

One hundred and three apps have differences based on country in their privacy policies. Users in countries not covered by data protection regulations, such as GDPR in the EU and the California Consumer Privacy Act in the U.S., are at higher privacy risk. For instance, 71 apps available from Google Play have clauses to comply with GDPR only in the EU and CCPA only in the U.S. Twenty-eight apps that use dangerous permissions make no mention of it, despite Google’s policy requiring them to do so.

Research paper: “A Large-scale Investigation into Geodifferences in Mobile Apps“:

Abstract: Recent studies on the web ecosystem have been raising alarms on the increasing geodifferences in access to Internet content and services due to Internet censorship and geoblocking. However, geodifferences in the mobile app ecosystem have received limited attention, even though apps are central to how mobile users communicate and consume Internet content. We present the first large-scale measurement study of geodifferences in the mobile app ecosystem. We design a semi-automatic, parallel measurement testbed that we use to collect 5,684 popular apps from Google Play in 26 countries. In all, we collected 117,233 apk files and 112,607 privacy policies for those apps. Our results show high amounts of geoblocking with 3,672 apps geoblocked in at least one of our countries. While our data corroborates anecdotal evidence of takedowns due to government requests, unlike common perception, we find that blocking by developers is significantly higher than takedowns in all our countries, and has the most influence on geoblocking in the mobile app ecosystem. We also find instances of developers releasing different app versions to different countries, some with weaker security settings or privacy disclosures that expose users to higher security and privacy risks. We provide recommendations for app market proprietors to address the issues discovered.

EDITED TO ADD (10/14): Project website.

Posted on September 29, 2022 at 6:14 AM6 Comments

Comments

Andrew September 29, 2022 6:48 AM

Frankly, this is why I personally use iOS, and a big reason why we don’t use Android devices at work. I have no faith in the Play store to properly vet apps.

Clive Robinson September 29, 2022 7:32 AM

@ Andrew, ALL,

“I have no faith in the Play store to properly vet apps.”

I have no faith in the security promised by any of the “walled gardens”, because a moments thought will give rise to the realisation it is impossible to achieve by organisations that can not secure even their own products.

When you realise the promise of security is an empty one you can then see that there is from the users perspective no need for a “walled garden”.

Which begs the question of,

“What benifit a walled garden gives and to whom and how?”

I think the answers most would surmise are,

1, None to the users so owners.
2, Which are Big US Corps.
3, By rental income and entry control.

The last point has been shown by all the big corps, they decide who can play, and how much they have to pay. This takes us back to 1960’s “Big Iron” market models, that the PC eventually destroyed.

So the question is what will destroy the walled garden model this time around?

Ted September 29, 2022 10:22 PM

I wish I was able to figure out how to view the more granular project data on my phone.

Project website: https://www.geodiff.app/

It’s funny though. I don’t know if I feel as alarmed by the data in the paper as I did by reading the article.

For example, it sounds menacing to think there might be different permissions for an app based on country. However, it’s hard for me to ascertain the basis, or the effects, of the differences. From the paper:

We found 127 apps that exhibit geodifferences in permissions requested. On average, the most frequently requested extra permissions are READ_EXTERNAL_STORAGE and READ_PHONE_STATE, both Dangerous, and RECEIVE_BOOT_COMPLETED, which is Normal.

I believe they tested about 5,385 apps on Google Play out of a total of 2 million.

All-in-all, though, it’s really impressive how the researchers were able to collect this data – for example by using VPNs, scrapers, etc. Anyone who may want to analyze this space in the future would definitely appreciate their ground-breaking ingenuity and meticulousness.

SpaceLifeForm September 30, 2022 2:47 AM

They get your ip address when you connect to download.

Just click here to download and install this app, we signed it. Trust us.

You can not sideload apps on iPhone.

Apple says no sideloading, that it is for your protection. You could get malware. So, you can only use their pre-approved and signed malware.

Same problem exists with Windows Update. You never know what you get.

Yes, you can maybe trust that the software binary came from the site that you think it is coming from because it is signed. Therefore they want you to think you should trust them. There are two main problems. First, you have to trust the vendor to not be malicious. That is a stretch. Second, because of the machinations possible on the internet, you have no good guarantee that where you think you are downloading the binary from is in fact, the actual vendor.

The best way is via open source.

Quantry October 5, 2022 12:56 PM

Since you know in advance you are a victim, the moment you take your iPhone or android out of your faraday bag, no matter what country or neighborhood yer from, I again obnoxiously repeat:

Time to advance ideas like those from these people:

‘https://www.ssi.gouv.fr/en/publication/should-quantum-key-distribution-be-used-for-secure-communications/

and “utilize VPN, SSH and HTTP Proxy technology”, so these people claim
‘https://psiphon.ca/

Clive Robinson October 5, 2022 2:52 PM

@ Quantry, ALL,

Re Quantum Key Distribution (QKD)

“Time to advance ideas like those from these people”

Move them forward certainly but QKD is a very very long way technically from being “close to Prime Time”.

I know this sounds odd, but QKD has the same problem “monorail” and thus “mag-lev” trains had. That is you were confined to a track and points for switching were never more than a pipe-dream on the ability to solve it.

The security of QKD relies quite a bit on the physical properties of the communications channel. This is not to much of a problem with a single monofiliment. But the minute you try switching a photon from one filement to another much of your security guarenties are not there any longer.

The other problem is still that all communications channels have losses or “signal antenuation with distance”. In most cases this is not a problem you just turn up the energy going into the channel. You can not do this with QKD and still have the security guarenties, so range is limited.

There is however research into amplifing single photons by transposing their state (think teleportation). If this pays off then both the switching and range limit issues will be eased.

The thing is that it appears “to be all quiet on the western front” with a lot of the research.

Generally there can be two reasons for this,

1, The field is not good for your career.
2, Things are getting close to real money earning time, thus has become “industrial secrets”.

Which it is, if even either I can not say, as I’ve not had reason to keep up with things this past three years. So I’ve not been actively digging for information.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.