posted by janrinok on Sunday November 26 2017, @07:57PM
from the anyone-remember-privacy? dept.

A new Free and Open-Source project called "Exodus" scans Android apps and has already found many advertising trackers:

"Researchers at Yale Privacy Lab and French nonprofit Exodus Privacy have documented the proliferation of tracking software on smartphones, finding that weather, flashlight, rideshare, and dating apps, among others, are infested with dozens of different types of trackers collecting vast amounts of information to better target advertising.

Exodus security researchers identified 44 trackers in more than 300 apps for Google's Android smartphone operating system. The apps, collectively, have been downloaded billions of times. Yale Privacy Lab, within the university's law school, is working to replicate the Exodus findings and has already released reports on 25 of the trackers.

Yale Privacy Lab researchers have only been able to analyze Android apps, but believe many of the trackers also exist on iOS, since companies often distribute for both platforms. To find trackers, the Exodus researchers built a custom auditing platform for Android apps, which searched through the apps for digital "signatures" distilled from known trackers. A signature might be a tell-tale set of keywords or string of bytes found in an app file, or a mathematically-derived "hash" summary of the file itself.

The findings underscore the pervasiveness of tracking despite a permissions system on Android that supposedly puts users in control of their own data. They also highlight how a large and varied set of firms are working to enable tracking."

The statement by Yale Privacy Lab summarizes the situation, and the story has seen coverage by Cory Doctorow and Le Monde. Private search engine Qwant has removed trackers in its app and Protonmail is under fire.
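The string-and-hash signature matching the quoted article describes, as an added example that is not Exodus's own code: it builds a constructed APK-like zip in memory and scans it against a hypothetical signature list (the package names and the native blob are placeholders, not real trackers).

```python
import hashlib
import io
import re
import zipfile

# Constructed signature list for illustration. The package names are hypothetical
# placeholders, not real tracker SDKs. A "strings" signature is a regex applied to
# the Dalvik type descriptors found in a dex file (e.g. "Lcom/foo/Bar;"); a
# "hashes" signature is the SHA-256 of a whole file bundled in the APK.
TRACKER_BLOB = b"\x7fELF constructed-native-library-bytes-for-the-example"
SIGNATURES = {
    "ExampleAds":  {"strings": [r"^Lcom/example/ads/"]},
    "TrackerCorp": {"strings": [r"^Lcom/trackercorp/sdk/"]},
    "BlobTracker": {"hashes": {hashlib.sha256(TRACKER_BLOB).hexdigest()}},
}

# Type descriptors sit in the dex string pool as MUTF-8, so a byte-level regex over
# the raw file recovers them without parsing the full dex layout.
_DESCRIPTOR_RE = re.compile(rb"L[A-Za-z0-9_$/]+;")


def dex_type_descriptors(dex_bytes: bytes) -> set:
    """Return the class descriptors (e.g. 'Lcom/example/Foo;') found in a dex file."""
    return {m.group(0).decode("ascii") for m in _DESCRIPTOR_RE.finditer(dex_bytes)}


def scan_apk(apk_bytes: bytes) -> dict:
    """Match every file in the APK against SIGNATURES.

    Returns {tracker_name: [evidence, ...]} for each tracker with at least one hit.
    """
    try:
        apk = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        raise ValueError("not a valid APK (zip) file") from exc
    hits = {}
    for info in apk.infolist():
        data = apk.read(info.filename)
        digest = hashlib.sha256(data).hexdigest()
        descriptors = dex_type_descriptors(data) if info.filename.endswith(".dex") else set()
        for name, sig in SIGNATURES.items():
            if digest in sig.get("hashes", set()):
                hits.setdefault(name, []).append(f"{info.filename}: sha256 {digest}")
            for pattern in sig.get("strings", []):
                matched = sorted(d for d in descriptors if re.match(pattern, d))
                if matched:
                    hits.setdefault(name, []).append(f"{info.filename}: {matched[0]}")
    return hits


def build_sample_apk(with_trackers: bool = True) -> bytes:
    """Build a constructed in-memory APK-like zip for the example.

    classes.dex here is not a real dex file, only a stand-in whose string pool
    holds the descriptors the scanner looks for.
    """
    classes = [b"Lcom/acme/weather/MainActivity;", b"Landroid/app/Activity;"]
    if with_trackers:
        classes.append(b"Lcom/example/ads/AdTracker;")
    dex = b"dex\n035\x00" + b"\x00".join(classes)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed-manifest/>")
        z.writestr("classes.dex", dex)
        if with_trackers:
            z.writestr("lib/arm64-v8a/libtracker.so", TRACKER_BLOB)
    return buf.getvalue()


if __name__ == "__main__":
    for tracker, evidence in scan_apk(build_sample_apk()).items():
        print(tracker, "->", evidence)
```

Pointing `scan_apk` at a real APK read from disk works the same way; the only page-specific part is the signature list, which the Exodus project maintains separately.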


  • (Score: -1, Offtopic) by Anonymous Coward on Sunday November 26 2017, @08:06PM (5 children)

    by Anonymous Coward on Sunday November 26 2017, @08:06PM (#601809)

    Privacy Badger https://www.eff.org/privacybadger includes this FAQ/answer:

    Will you be supporting any other browsers besides Chrome / Firefox / Opera?

    At some point we may try to release Privacy Badger for Microsoft Edge and Firefox Mobile. With that said, if you would like to work on porting Privacy Badger to other platforms, please let us know!

    Maybe there will be an Android version at some point?

    • (Score: 4, Informative) by frojack on Sunday November 26 2017, @08:52PM (4 children)

      by frojack (1554) on Sunday November 26 2017, @08:52PM (#601823) Journal

      Not even remotely germane to the article at hand.

      These trackers are not using browsers. They are phoning home directly. Weather, rideshare, and dating apps, social media, ANYTHING that is allowed to access the TCP stack, for whatever reason, probably has this crap built in.

      Easy way to find your own likely culprits: Go reset the permissions of all apps, (or at least remove network access permissions). Then just open the ones you use, email, browsers, etc, and re-grant them access to the network. Over the next week you will be bombarded to allow network access to dozens of apps that you use occasionally (perhaps unknowingly), all requesting network access. Each time you get nagged, ask yourself "Does this flashlight app have any valid reason to access the net?". If not, junk it and get a different app.

      At least that will narrow down your leakers to those you EXPECT to talk to the net. But it still won't let you know if the ones you expect to talk to the net are also sending tokens and trackers beyond what is necessary for performing their advertised purpose.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 1, Interesting) by Anonymous Coward on Sunday November 26 2017, @09:56PM (3 children)

        by Anonymous Coward on Sunday November 26 2017, @09:56PM (#601851)

        OK, same AC, thanks for the lesson. I'll double-down on my ignorance!

        If, as you say, any app that has access to the TCP stack can track, would it be possible to create something that sits between the TCP stack and all the apps, designed to grant (granular) access?

        If so, the UI I'm imagining is similar to Privacy Badger -- it shows a list of attempts to track and gives the user individual control of which ones to allow. Basically putting a nice face on the manual process that you suggest.

  • (Score: 0, Interesting) by Anonymous Coward on Sunday November 26 2017, @08:09PM (8 children)

    by Anonymous Coward on Sunday November 26 2017, @08:09PM (#601810)

    They might not be tracking you, but they do have to censor search results to comply with their laws. Tracking is not our only issue. The entire internet is too centralized. We need to make it more ad hoc and P2P. This will clear up a lot of problems regarding censorship, access, and tracking.

    As an aside, can't tracking be simply sniffed out of network traffic? And is there an available firewall that can block an app's internet connection entirely?

    • (Score: 4, Insightful) by frojack on Sunday November 26 2017, @08:38PM (5 children)

      by frojack (1554) on Sunday November 26 2017, @08:38PM (#601814) Journal

      We need to make it more ad hoc and P2P.

      How will that solve anything? A tracker built into an android app is already just as likely to phone home to a static IP as it is to a DNS name.
      And the home address of the mothership is as likely to be the same address that services the app's primary purpose (such as a weather site).
      So the app hangs a token on the weather data request, and along with your current position, the token encodes phone number, device id, name, and every thing else the app can get its hands on.

      How does changing how the internet works fix that? It encourages that in spades.

      --
      No, you are mistaken. I've always had this sig.
      • (Score: 0) by Anonymous Coward on Sunday November 26 2017, @08:52PM (4 children)

        by Anonymous Coward on Sunday November 26 2017, @08:52PM (#601822)

        Well, that's what the firewall and a good sniffer is supposed to fix. Ad hoc and P2P will still help to mitigate censorship and access issues. Private connections can still be established. Nobody will be able to shut down your VPN, because we would have various alternatives to the local ISP (island hop to somebody else's), or at least provide enough separation to make tracking impractical.

        • (Score: 2) by frojack on Sunday November 26 2017, @08:55PM (2 children)

          by frojack (1554) on Sunday November 26 2017, @08:55PM (#601825) Journal

          None of that stuff is the issue under discussion. You want to design a workable alternative to tcp/ip be my guest. Post back in 20 years with your first working beta.

          --
          No, you are mistaken. I've always had this sig.
          • (Score: 0) by Anonymous Coward on Sunday November 26 2017, @10:03PM

            by Anonymous Coward on Sunday November 26 2017, @10:03PM (#601854)

            You want to block tracking? You have to start somewhere. Or maybe you prefer to cling to the prize you have inside the monkey trap? Be my guest... I was under the impression you wanted to make things better...

          • (Score: 0) by Anonymous Coward on Monday November 27 2017, @02:57AM

            by Anonymous Coward on Monday November 27 2017, @02:57AM (#601924)

            I've read good things about IPoCP

        • (Score: 3, Informative) by Arik on Monday November 27 2017, @04:40AM

          by Arik (4543) on Monday November 27 2017, @04:40AM (#601943) Journal

          You're right that inappropriate centralization is a big part of the overall problem, but in context here it has little effect. If you download and run binaries you have no security, the network topology really doesn't matter.

          --
          If laughter is the best medicine, who are the best doctors?
    • (Score: 4, Interesting) by stretch611 on Sunday November 26 2017, @11:29PM

      by stretch611 (6199) on Sunday November 26 2017, @11:29PM (#601876)

      We need to make it more ad hoc and P2P. This will clear up a lot of problems regarding censorship, access, and tracking.

      More ad hoc and P2P will help censorship on the surface, but make tracking worse. And the better tracking gets the worse censorship can be without being able to remove tracking.

      As for being based in Europe, that only helps lip service. I'll admit, companies are probably worse in the US due to lax laws and enforcement actions, but it is naive to think businesses in Europe are always honest and comply with the law. (Think Volkswagen)

      What's to stop a European company from setting up a server in a hosted environment here in the US? Then if they get caught they just say they only track US citizens not Europeans. This will be even easier to do and harder to find out with more ad hoc and P2P.

      Businesses are out there and they want your data; if not for themselves, to sell to someone else. It doesn't matter which country. Many don't care if it is legal or not. Even if caught, chances are that fines will be a slap on the wrist compared to the profit they make. The real small companies can just pack up shop and set up a new business before they can be held accountable.

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
    • (Score: 2) by urza9814 on Tuesday November 28 2017, @04:15PM

      by urza9814 (3954) on Tuesday November 28 2017, @04:15PM (#602547) Journal

      And is there an available firewall that can block an app's internet connection entirely?

      I use AFWall+, available from the F-Droid repos.
      https://f-droid.org/en/packages/dev.ukanth.ufirewall/

  • (Score: 5, Insightful) by Pslytely Psycho on Sunday November 26 2017, @09:52PM (3 children)

    by Pslytely Psycho (1218) on Sunday November 26 2017, @09:52PM (#601850)

    I'm actually surprised that they found so few. Every fucking app wants permission to access everything even when said app doesn't have a reason to.

    --
    Alex Jones lawyer inspires new TV series: CSI Moron Division.
    • (Score: 1, Insightful) by Anonymous Coward on Sunday November 26 2017, @10:59PM (1 child)

      by Anonymous Coward on Sunday November 26 2017, @10:59PM (#601865)

      I'm actually surprised that they found so few. Every fucking app wants permission to access everything even when said app doesn't have a reason to.

      Part of it is because many of these apps are just strung together by code monkeys who grab the framework du jour, add a sprinkle of whatever libraries do what they want their app to do, fix any shortcomings via questions to stackexchange and shove the result out the app store door. They have no idea what else any of those libraries or frameworks do.

      • (Score: 3, Insightful) by seandiggity on Monday November 27 2017, @12:58AM

        by seandiggity (639) on Monday November 27 2017, @12:58AM (#601897) Homepage

        Part of it is because many of these apps are just strung together by code monkeys who grab the framework du jour, add a sprinkle of whatever libraries do what they want their app to do, fix any shortcomings via questions to stackexchange and shove the result out the app store door. They have no idea what else any of those libraries or frameworks do.

        This is a crucial part of the problem. We'd rather not blame the devs, however, since this is an industry that encourages sloppy practices which have grave implications for privacy and security... in software, the fish often rots from the head.

    • (Score: 3, Informative) by seandiggity on Sunday November 26 2017, @11:41PM

      by seandiggity (639) on Sunday November 26 2017, @11:41PM (#601878) Homepage

      I'm actually surprised that they found so few. Every fucking app wants permission to access everything even when said app doesn't have a reason to.

      This project is still very much at the beginning stages, and 44 is definitely the tip of the iceberg. The business relationships of these tracker companies are complex and interwoven, with lots of interop and data sharing. So, there will be many more in the list as the work continues.

      Additionally, the tracker code is often siloed and spun off as distinct products, or there are multiple trackers with different names inside one software package (the euphemism for "package" is usually "SDK"), or multiple products shipped as different SDKs from the same source. So, deciding how to categorize them becomes tricky... if we wanted to "pad the stats" we could, but it's wise to be conservative about the numbers and consider, say, SafeGraph+OpenLocate a single "tracker". Unless, of course, there's a compelling argument for separating the two in our list.

  • (Score: 3, Interesting) by frojack on Sunday November 26 2017, @10:12PM

    by frojack (1554) on Sunday November 26 2017, @10:12PM (#601856) Journal

    Private search engine Qwant wants you to create an account and sign in, and to protect your search habits, incorporates a Chromium browser into itself.
    One wonders if that was the best choice.

    Many people insist that even a de-googled Chromium browser still has plenty of phone home features under the surface. The code base is just too huge to find them all.
    And even they admit some trackers had snuck into their code.

    It would seem to me that general purpose tools based on browsers are at a distinct disadvantage in keeping trackers out.
    This article isn't even about browsers, but rather, regular run of the mill apps - something Qwant is not. Not by a long shot.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 5, Interesting) by seandiggity on Sunday November 26 2017, @11:28PM (9 children)

    by seandiggity (639) on Sunday November 26 2017, @11:28PM (#601874) Homepage

    Yale Privacy Lab, here to answer your questions :)

    I'm a longtime SoylentNews user (since the beginning) but am mostly a lurker these days.

    • (Score: 2) by stretch611 on Sunday November 26 2017, @11:43PM (1 child)

      by stretch611 (6199) on Sunday November 26 2017, @11:43PM (#601879)

      Is there a significant difference between free and paid apps?

      And is there any evidence that apps with a strong privacy policy (like not promising to track) disregard what they state?

      BTW: nice sig :)

      --
      Now with 5 covid vaccine shots/boosters altering my DNA :P
      • (Score: 5, Informative) by seandiggity on Monday November 27 2017, @12:18AM

        by seandiggity (639) on Monday November 27 2017, @12:18AM (#601890) Homepage

        Is there a significant difference between free and paid apps?

        And is there any evidence that apps with a strong privacy policy (like not promising to track) disregard what they state?

        We haven't scanned any paid apps with Exodus yet, something we'll try to make clear in the future. Exodus uses a CLI client called gplaycli (available in Debian and here https://github.com/matlink/gplaycli ) to grab the apps, and you could grab APKs you paid for with a Google Play account, as long as you authenticate correctly with gplaycli. There is plenty to chew on with free apps, but it may be worthwhile to look at high-profile paid apps. As long as we have an APK package (and of course have received it legitimately), it can be analyzed. The devs at Exodus Privacy have really done great work, and are actually putting together video tutorials on how anyone can do this type of analysis manually. So, stay tuned and maybe you can scan some of your paid apps for us :)

        Disclaimer: I Am Not A Lawyer. What is legally considered consent in this area can be very broad, and EULAs are often written specifically to be catch-alls and protect the owners/developers/distributors from litigation. It's quite likely users have "consented" to this type of tracking (data collection, storage, and transmission).

        Where privacy policies are concerned, we've seen them range from "shockingly honest" to "incredibly vague". There are often complex and tedious ways to opt-out of tracking, or some subset of the tracking. In many cases, that doesn't "stick" (users would have to keep opting out, say, upon update or reinstall). In a few cases, the privacy policy basically says "the only way to opt out is to not use our app". We're still at the beginning of this project, and hope to do some serious legal analysis, since we are at Yale Law School after all. For now, we've briefly summarized privacy policies in the 25 profiles we've done: https://github.com/YalePrivacyLab/tracker-profiles/

        If they haven't been coined before, we'd like to call the problems here "opt-missing" and "opt-vague". Of course, we like to look at privacy (or rather, lack of it) as an ecosystem problem, not just a transactional concern.

    • (Score: 2) by inertnet on Monday November 27 2017, @12:01AM (2 children)

      by inertnet (4071) on Monday November 27 2017, @12:01AM (#601884) Journal

      Did you check F-Droid as well? If yes, what are the results for F-Droid?

      • (Score: 4, Informative) by seandiggity on Monday November 27 2017, @12:44AM (1 child)

        by seandiggity (639) on Monday November 27 2017, @12:44AM (#601896) Homepage

        Did you check F-Droid as well? If yes, what are the results for F-Droid?

        Short version: Almost all of the trackers are proprietary/non-free and therefore won't be in F-Droid. We need to do some analysis and digging to see if there are FOSS-y trackers finding their way over to F-Droid.

        Long version:

        The vast majority of these trackers are shipped as proprietary or partially-proprietary code, with third-party repositories/dependencies added to the app's build config via an IDE like Android Studio or Eclipse. At build time, binary blobs are often added to the app's APK package. So, F-Droid builds (at least with default repos) will not have the vast majority of these trackers simply by the requirement of Free and Open-Source Software. We've been recommending F-Droid in press for that reason. Devs who ship to both Google Play and F-Droid may have these tracker SDKs (and other "features" like advertising) in the Google Play version, but will (always?) strip them out for the F-Droid version of the APK.

        That said, there are some FOSS trackers, and F-Droid does list tracking "anti-features". We haven't compared our work with what they consider trackers, yet, and our definition of what is privacy-respecting and what isn't may also differ (unlikely, but who knows).

    • (Score: 1) by terrab0t on Monday November 27 2017, @05:02AM (3 children)

      by terrab0t (4674) on Monday November 27 2017, @05:02AM (#601944)

      We have add‐ons like Privacy Badger to block these trackers in our web browsers. Is there anything like that for Android?

      If not, is this project the first step in making software like that?

      • (Score: 3, Informative) by seandiggity on Monday November 27 2017, @05:37AM

        by seandiggity (639) on Monday November 27 2017, @05:37AM (#601951) Homepage

        We have add‐ons like Privacy Badger to block these trackers in our web browsers. Is there anything like that for Android?

        If not, is this project the first step in making software like that?

        Yes, this could be the first step in software like that. It all depends on interest.

        There have been a couple of attempts at Android apps that will scan your device for these trackers. Of those, Addons Detector stands out, and is still updated. What makes Exodus unique is primarily the Web-based UI, which also is a repository for reports on previous scans. Rather than just scanning your device locally, Exodus will scan the APK shipped to everyone via Google Play and share the report.

        We'll post a video at Yale Privacy Lab in the next few days which shows off functionality that is really exciting: Exodus will eventually allow *anyone with a Web browser* to scan a Google Play app and display the report. So, we hope that the public will have a place to audit their apps and let the world know about the results.

        There are some technical/logistical issues with this at the moment, but Exodus Privacy is a pretty amazing group of devs and they should be able to overcome the current issues with enough help... we're hoping to see public submission of apps for scanning by the end of 2017/early 2018. They need support!

        Our primary role in all this is amplifying their voice and utilizing the scanning software for research, as well as providing our insights into the tracker business practices upstream to the Exodus devs.

        If we end up with an "Exodus Badger" at the end of the day, that would be awesome, but just bringing these trackers to light has already had a very positive effect.

      • (Score: 0) by Anonymous Coward on Monday November 27 2017, @12:13PM (1 child)

        by Anonymous Coward on Monday November 27 2017, @12:13PM (#602034)

        There are a couple of suggestions at the end of the "eff" thread...which started with the first post to this topic.

        • (Score: 2) by seandiggity on Monday November 27 2017, @02:22PM

          by seandiggity (639) on Monday November 27 2017, @02:22PM (#602055) Homepage

          Yep, XPrivacy is great but it does require root and installing the Xposed framework, which a lot of people won't be able to do. Adblock Plus doesn't require root, but I can't vouch for it. I'd recommend Blokada and DNS66 via F-Droid.

          What I was referring to wasn't necessarily mitigation steps but scanning of your apps for inclusion of these tracker SDKs... if you know an app has trackers in it, you can uninstall it (if your device lets you).

  • (Score: 0) by Anonymous Coward on Monday November 27 2017, @07:14AM (2 children)

    by Anonymous Coward on Monday November 27 2017, @07:14AM (#601972)

    Yes that will likely be one use but once the data is collected there is no end of opportunity how it will be used. A lot of people will be very surprised and very sorry in a few decades, just like how the Snowden revelations proved how almost everything the "paranoid tinfoil hat crew" said was true.

    • (Score: 0) by Anonymous Coward on Monday November 27 2017, @03:16PM

      by Anonymous Coward on Monday November 27 2017, @03:16PM (#602072)

      not necessarily. whoever can control the majority wins. wrong or right, good or bad.

      so, MOST of the smart phone wielding population is tracked, tagged and indexed. they are the majority.
      the people handling all this information are presumably not evil people and will probably "just" use it to make more money.

      there's no indication, that it will be used by them like a "data drone" firing "virtual hellfire rockets" at "data ghost" terrorists -aka- paranoid privacy minders.

      the most "ev1l" scenario is maybe that the constant sharing, consuming of the mind-share and the constant up-and-down voting will
      "train" the collective to salivate when the bell rings; thus inflicting a collective A.I. of sorts that runs on the wet-ware (brain) of the users...?

    • (Score: 2) by seandiggity on Monday November 27 2017, @04:38PM

      by seandiggity (639) on Monday November 27 2017, @04:38PM (#602097) Homepage

      Yes that will likely be one use but once the data is collected there is no end of opportunity how it will be used. A lot of people will be very surprised and very sorry in a few decades, just like how the Snowden revelations proved how almost everything the "paranoid tinfoil hat crew" said was true.

      Right. A "few decades" is probably being generous. Putting aside data breaches etc., it is also highly unlikely that Five Eyes and other 3-letter agencies are unaware of this industry inside of the app stores — which is huge, extremely pervasive, crosses devices, and bridges meatspace with cyberspace.
