
SoylentNews is people

posted by martyb on Tuesday June 13 2017, @09:10AM
from the commoditizing-your-complement dept.

Our mobile phones can reveal a lot about ourselves: where we live and work; who our family, friends and acquaintances are; how (and even what) we communicate with them; and our personal habits. With all the information stored on them, it isn't surprising that mobile device users take steps to protect their privacy, like using PINs or passcodes to unlock their phones.

The research that we and our colleagues are doing identifies and explores a significant threat that most people miss: More than 70 percent of smartphone apps are reporting personal data to third-party tracking companies like Google Analytics, the Facebook Graph API or Crashlytics.

When people install a new Android or iOS app, it asks the user's permission before accessing personal information. Generally speaking, this is positive. And some of the information these apps are collecting is necessary for them to work properly: A map app wouldn't be nearly as useful if it couldn't use GPS data to get a location.

But once an app has permission to collect that information, it can share your data with anyone the app's developer wants to – letting third-party companies track where you are, how fast you're moving and what you're doing.

An app doesn't just collect data to use on the phone itself. Mapping apps, for example, send your location to a server run by the app's developer to calculate directions from where you are to a desired destination.

The app can send data elsewhere, too. As with websites, many mobile apps are written by combining various functions, precoded by other developers and companies, in what are called third-party libraries. These libraries help developers track user engagement, connect with social media and earn money by displaying ads and other features, without having to write them from scratch.

However, in addition to their valuable help, most libraries also collect sensitive data and send it to their online servers – or to another company altogether. Successful library authors may be able to develop detailed digital profiles of users. For example, a person might give one app permission to know their location, and another app access to their contacts. These are initially separate permissions, one to each app. But if both apps used the same third-party library and shared different pieces of information, the library's developer could link the pieces together.

Users would never know, because apps aren't required to tell users what software libraries they use. And only very few apps make public their policies on user privacy; if they do, it's usually in long legal documents a regular person won't read, much less understand.

Source: The Conversation

Related:
Corporate Surveillance in Everyday Life



 
This discussion has been archived. No new comments can be posted.
  • (Score: 3, Interesting) by corey on Wednesday June 14 2017, @02:50AM (4 children)

    by corey (2202) on Wednesday June 14 2017, @02:50AM (#525230)
    I run a 'transparent' squid proxy on a server box with 2 Ethernet NICs, with firewall. So my squid access.log lists out every HTTP request from devices on my internal network (Wifi+wired). As a side note, I use squidGuard to block undesirable domains, ads, trackers, etc - which works a treat. This comes up on my blocked log when I open SkyOrb Free on my Windows phone:

    2017-05-02 19:25:39 [19904] Request(default/custom-blacklist/-) http://s.adduplex.com/Serve2/GetAd?hostAppId=4267&installationId=b87f6d0f54414dd5a91756c45397f41a&controlVersion=2.7.0.9&isTest=False&deviceManufacturer=NOKIA&deviceName=RM-937_apac_australia_new_zealand_933&deviceFirmwareVersion=02540.00019.14484.37007&deviceHardwareVersion=5.0.0.1&osPlatform=WinCE&osVersion=10.0.14393.0&devPlatform=XAML&deviceId=&userId=&culture=en-AU&uiCulture=en-GB&mobileOperator=YES+OPTUS&connectionType=&scaleFactor=100&nocache=515377484 10.0.0.16/10.0.0.16 - GET REDIRECT

    That's a single HTTP request. You can see my unique installation ID in there, and pretty much everything else about my phone. On a side note, I captured what my new Sony X800D TV does when I turn it on and change channels:

    TCP_MISS/503 4156 GET http://cdn.meta.ndmdhs.com/13/GenreMappings_V1/list - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/503 373 HEAD http://www.sony.net/ - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/200 460 GET http://xml.opera.com/json/update/sdk/? - ORIGINAL_DST/82.145.215.42 application/json
    TCP_MISS/503 373 HEAD http://www.sony.net/ - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/304 472 GET http://autostart.abc.freeviewplus.net.au/index.html - ORIGINAL_DST/23.8.91.127 application/vnd.hbbtv.xhtml+xml
    TCP_MISS/503 4342 GET http://statse.webtrendslive.com/dcs222ue8ph29v3f2h26jdj79_9b2l/wtid.js? - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/503 373 HEAD http://www.sony.net/ - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/200 8xx POST http://api-global.netflix.com/msl/nrdjs/2.3.0 - ORIGINAL_DST/52.10.238.211 application/x-msl+json
    TCP_MISS/503 373 HEAD http://www.sony.net/ - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/503 373 HEAD http://www.sony.net/ - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/200 4143 POST http://api-global.netflix.com/msl/nrdjs/2.3.0 - ORIGINAL_DST/52.10.238.211 application/x-msl+json
    TCP_MISS/503 4156 GET http://cdn.meta.ndmdhs.com/CAL_APPID_TV16/EnclaveConfiguration/list - HIER_DIRECT/127.0.0.1 text/html
    TCP_MISS/304 368 GET http://sbshbbtv.freeviewplus.net.au/js/lib/freeview-OzTAM-UUID.js - ORIGINAL_DST/150.101.152.218 text/javascript
    TCP_MISS/304 362 GET http://sbshbbtv.freeviewplus.net.au/images/autostart/launch_btn_freeview.png - ORIGINAL_DST/150.101.152.218 image/png
    TCP_MISS/304 360 GET http://sbshbbtv.freeviewplus.net.au/images/separator.png - ORIGINAL_DST/150.101.152.218 image/png
    TCP_MISS/503 4360 GET http://sbsaustralia.112.2o7.net/b/ss/sbs-prod-new/1/H.26.2/s67783717776183? - HIER_DIRECT/1270.0.1 text/html
    TCP_REFRESH_UNMODIFIED/304 535 GET http://sevenhbbtv.freeviewplus.net.au/index.html - ORIGINAL_DST/54.230.245.162 -

    All this traffic just because I turned my TV on and changed channels. I bolded the channel specific subdomains. So freeviewplus knows whenever I change channels on my TV. Awesome. You can also see Netflix, Opera and a whole lot of Sony requests in there. So I blocked the TV IP with pf. All good now.

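
An added example, not part of the original comment or of squidGuard: a small Python audit of blocked-request lines in the layout quoted above, reporting which identifying query parameters each internal client sent to which host. The list of parameter names treated as identifying and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Names treated as identifying: an assumption, taken from the quoted log line.
IDENTIFYING = {"installationid", "deviceid", "userid", "devicename",
               "devicemanufacturer", "mobileoperator", "devicefirmwareversion"}

# Layout: date time [pid] Request(group/category/-) URL client/host user METHOD REDIRECT
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[\d+\] Request\((?P<rule>[^)]*)\) "
    r"(?P<url>\S+) (?P<client>[^/\s]+)/\S+ \S+ (?P<method>[A-Z]+) REDIRECT$")

def parse_line(line):
    """Return a dict for one blocked-request line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    params = parse_qsl(url.query, keep_blank_values=True)
    # Keep only identifying parameters that actually carry a value.
    leaked = {k: v for k, v in params if k.lower() in IDENTIFYING and v}
    return {"client": m["client"], "host": url.hostname, "leaked": leaked}

def summarize(lines):
    """Map (client, destination host) -> set of identifying parameter names sent."""
    report = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["leaked"]:
            report[(rec["client"], rec["host"])].update(rec["leaked"])
    return dict(report)

# Constructed sample lines in the same layout (all values are made up).
SAMPLE = [
    "2017-05-02 19:25:39 [100] Request(default/custom-blacklist/-) "
    "http://ads.example.net/GetAd?hostAppId=1&installationId=aaaa1111&deviceId=&"
    "deviceName=PHONE-X&mobileOperator=EXAMPLE+TEL&culture=en-AU "
    "10.0.0.16/10.0.0.16 - GET REDIRECT",
    "2017-05-02 19:26:02 [100] Request(default/custom-blacklist/-) "
    "http://ads.example.net/GetAd?hostAppId=2&installationId=aaaa1111 "
    "10.0.0.16/10.0.0.16 - GET REDIRECT",
    "2017-05-02 19:26:10 [100] Request(default/ads/-) "
    "http://cdn.example.org/banner.png 10.0.0.20/10.0.0.20 - GET REDIRECT",
]

if __name__ == "__main__":
    for (client, host), names in summarize(SAMPLE).items():
        print(client, "->", host, sorted(names))
```
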
  • (Score: 0) by Anonymous Coward on Wednesday June 14 2017, @11:14AM

    by Anonymous Coward on Wednesday June 14 2017, @11:14AM (#525371)

    Holy crap. This is motivation for sticking a linux box between the network and the world. How can they just dump all of that private information into the internet?

  • (Score: 0) by Anonymous Coward on Wednesday June 14 2017, @11:19AM

    by Anonymous Coward on Wednesday June 14 2017, @11:19AM (#525372)

    Capture the request, modify it, send it on, poison their well?
    create a web browser plugin to spoof these http calls to fill their database with bs?

  • (Score: 0) by Anonymous Coward on Thursday June 15 2017, @12:18PM (1 child)

    by Anonymous Coward on Thursday June 15 2017, @12:18PM (#525961)

    +1 to you, posting AC as I modded.

    Even on non-rooted phones I find a lot of call home bullshit in NoRoot Firewall. It's good for blocking advertising domains, call home requests as well as random calls to social networks that have nothing to do with me or the application in use. A firewall in portable devices is needed for when you are using a foreign network which you may not entirely trust.

    Just recently I used the Samsung Smart Switch to copy from one phone to another and the little bitch loves to call home to a cloud service as soon as it is installed whether you use the application or not. I just denied all except 192.168.*.*:* for the direct copy via WiFi (my local network is not in that range at all) and it worked perfectly without any other need for outside interaction.

    • (Score: 1) by corey on Thursday June 15 2017, @09:36PM

      by corey (2202) on Thursday June 15 2017, @09:36PM (#526223)

      Yeah you have no idea what it's doing until you look at the traffic. I run FreeBSD so I'm using pf, which is really easy to log blocked connections. Any apps that are free in the mainstream stores have ads, this is where a lot of info goes. If you use multiple apps then the same marketing company knows what apps you're using.

      My squid access.log captures only get http requests, https goes through uninterrupted and unlogged... Would be interesting to get these too. I once did squid https intercepting but got sick of the invalid certificate warnings.