SoylentNews is people
SoylentNews
A new Free and Open-Source project called "Exodus" scans Android apps and already has found many advertising trackers:
"Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.
Exodus security researchers identified 44 trackers in more than 300 apps for Google's Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university's law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.
Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital "signatures" distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived "hash" summary of the file itself.
The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking."
The statement by Yale Privacy Lab summarizes the situation, and the story has seen coverage by Cory Doctorow and Le Monde. Private search engine Qwant has removed trackers in its app and Protonmail is under fire.
(Score: 5, Interesting) by seandiggity on Sunday November 26 2017, @11:28PM (9 children)
Yale Privacy Lab, here to answer your questions :)
I'm a longtime SoylentNews user (since the beginning) but am mostly a lurker these days.
(Score: 2) by stretch611 on Sunday November 26 2017, @11:43PM (1 child)
Is there a significant difference between free and paid apps?
And is there any evidence that apps with a strong privacy policy (like not promising to track) disregard what they state?
BTW: nice sig :)
Now with 5 covid vaccine shots/boosters altering my DNA :P
(Score: 5, Informative) by seandiggity on Monday November 27 2017, @12:18AM
We haven't scanned any paid apps with Exodus yet, something we'll try to make clear in the future. Exodus uses a CLI client called gplaycli (available in Debian and here https://github.com/matlink/gplaycli [github.com] ) to grab the apps, and you could grab APKs you paid for with a Google Play account, as long as you authenticate correctly with gplaycli. There is plenty to chew on with free apps, but it may be worthwhile to look at high-profile paid apps. As long as we have an APK package (and of course have received it legitimately), it can be analyzed. The devs at Exodus Privacy have really done great work, and are actually putting together video tutorials on how anyone can do this type of analysis manually. So, stay tuned and maybe you can scan some of your paid apps for us :)
Disclaimer: I Am Not A Lawyer. What is legally considered consent in this area can be very broad, and EULAs are often written specifically to be catch-alls and protect the owners/developers/distributors from litigation. It's quite likely users have "consented" to this type of tracking (data collection, storage, and transmission).
Where privacy policies are concerned, we've seen them range from "shockingly honest" to "incredibly vague". There are often complex and tedious ways to opt-out of tracking, or some subset of the tracking. In many cases, that doesn't "stick" (users would have to keep opting out, say, upon update or reinstall). In a few cases, the privacy policy basically says "the only way to opt out is to not use our app". We're still at the beginning of this project, and hope to do some serious legal analysis, since we are at Yale Law School after all. For now, we've briefly summarized privacy policies in the 25 profiles we've done: https://github.com/YalePrivacyLab/tracker-profiles/ [github.com]
If they haven't been coined before, we'd like to call the problems here "opt-missing" and "opt-vague". Of course, we like to look at privacy (or rather, lack of it) as an ecosystem problem, not just a transactional concern.
(Score: 2) by inertnet on Monday November 27 2017, @12:01AM (2 children)
Did you check F-Droid as well? If yes, what are the results for F-Droid?
(Score: 4, Informative) by seandiggity on Monday November 27 2017, @12:44AM (1 child)
Short version: Almost all of the trackers are proprietary/non-free and therefore won't be in F-Droid. We need to do some analysis and digging to see if there are FOSS-y trackers finding their way over to F-Droid.
Long version:
The vast majority of these trackers are shipped as proprietary or partially-proprietary code, with third-party repositories/dependencies added to the app's build config via an IDE like Android Studio or Eclipse. At build time, binary blobs are often added to the app's APK package. So, F-Droid builds (at least with default repos) will not have the vast majority of these trackers simply by the requirement of Free and Open-Source Software. We've been recommending F-Droid in press for that reason. Devs who ship to both Google Play and F-Droid may have these tracker SDKs (and other "features" like advertising) in the Google Play version, but will (always?) strip them out for the F-Droid version of the APK.
That said, there are some FOSS trackers, and F-Droid does list tracking "anti-features" [f-droid.org]. We haven't compared our work with what they consider trackers, yet, and our definition of what is privacy-respecting and what isn't may also differ (unlikely, but who knows).
(Score: 3, Interesting) by seandiggity on Monday November 27 2017, @01:26AM
There is also a shorter answer which is "No but we will" :P
(Score: 1) by terrab0t on Monday November 27 2017, @05:02AM (3 children)
We have add‐ons like Privacy Badger to block these trackers in our web browsers. Is there anything like that for Android?
If not, it this project the first step in making software like that?
(Score: 3, Informative) by seandiggity on Monday November 27 2017, @05:37AM
Yes, this could be the first step in software like that. It all depends on interest.
There have been a couple of attempts at Android apps that will scan your device for these trackers. Of those, Addons Detector [addonsdetector.com] stands out, and is still updated. What makes Exodus unique is primarily the Web-based UI, which also is a repository for reports on previous scans. Rather than just scanning your device locally, Exodus will scan the APK shipped to everyone via Google Play and share the report.
We'll post a video at Yale Privacy Lab in the next few days which shows off functionality that is really exciting: Exodus will eventually allow *anyone with a Web browser* to scan a Google Play app and display the report. So, we hope that the public will have a place to audit their apps and let the world know about the results.
There are some technical/logistical issues with this at the moment, but Exodus Privacy is a pretty amazing group of devs and they should be able to overcome the current issues with enough help... we're hoping to see public submission of apps for scanning by the end of 2017/early 2018. They need support [eu.org]!
Our primary role in all this is amplifying their voice and utilizing the scanning software for research, as well as providing our insights into the tracker business practices upstream to the Exodus devs.
If we end up with an "Exodus Badger" at the end of the day, that would be awesome, but just bringing these trackers to light has already had a very positive effect.
(Score: 0) by Anonymous Coward on Monday November 27 2017, @12:13PM (1 child)
There are a couple of suggestions at the end of the "eff" thread...which started with the first post to this topic.
(Score: 2) by seandiggity on Monday November 27 2017, @02:22PM
Yep, XPrivacy is great but it does require root and installing the Xposed framework, which a lot of people won't be able to do. Adblock Plus doesn't require root, but I can't vouch for it. I'd recommend Blokada and DNS66 via F-Droid.
What I was referring to wasn't necessarily mitigation steps but scanning of your apps for inclusion of these tracker SDKs... if you know an app has trackers in it, you can uninstall it (if your device lets you).