SoylentNews is people

posted by Fnord666 on Sunday March 29 2020, @10:58PM
from the what's-in-your-app-catalog? dept.

Arthur T Knackerbracket has found the following story:

More than 4,000 Google Play apps silently collect a list of all other installed apps in a data grab that allows developers and advertisers to build detailed profiles of users, a recently published research paper found.

The apps use an Android-provided programming interface that scans a phone for details about all other apps installed on the phone. The app details—which include names, dates they were first installed and most recently updated, and more than three-dozen other categories—are uploaded to remote servers without permission or notification.

Android’s installed application methods, or IAMs, are application programming interfaces that allow apps to silently interact with other programs on a device. They use two methods to retrieve various kinds of information related to installed apps, neither of which is classified by Google as a sensitive API. The lack of such a designation allows the methods to be used in a way that’s invisible to users.

Not all apps that collect details on other installed apps do so for nefarious purposes. Developers surveyed by the researchers behind the new paper said the collection is the basis for launcher apps, which allow for the customization of the homescreen and provide shortcuts to open other apps. IAMs are also used by VPNs, backup software, notification managers, anti-malware, battery savers, and firewalls.

But the data grab can also be used by advertisers and developers to assemble a detailed profile of users, the researchers reported in their paper, titled “Leave my Apps Alone! A Study on how Android Developers Access Installed Apps on User’s Device.” They cited previous studies such as this one, which found that a single snapshot of apps installed on a device allowed researchers to predict the user’s gender with an accuracy of around 70 percent. Follow-on findings by the same researchers expanded the demographics that could be deduced to traits such as religion, relationship status, spoken languages, and countries of interest. A study by different researchers said user demographics also included age, race, and income. The research also found that a user’s gender could be predicted with an 82 percent accuracy rate.

“As other privacy-sensitive parts of the Android platform are protected by app permissions, forcing developers to explicitly notify users before attempting access to these parts, [it] begs the question on why IAMs are treated differently,” the researchers, from the University of L’Aquila in Italy, Vrije University in Amsterdam, and ETH in Zurich, wrote in the latest paper. “Indeed, the European Union General Data Protection Regulation (GDPR), generally regarded as the forefront in privacy regulations, considers ‘online identifiers provided by their devices, applications, tools, and protocols’ [...] as personal data, for all purposes and means.”

[...] As noted earlier, there are legitimate reasons for apps to collect details of other installed apps. But there’s also reason for concern. This latest research only reinforces the advice I’ve long given that Android apps should be installed sparingly and only when they provide a clear benefit. It also helps to favor fee-based apps over free ones, since the latter category is more likely to depend on advertisements for revenue. Open source apps are also shown to collect less app data, but they also require users to allow installations from third-party marketplaces.
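
An added example, not from the article or the paper: a minimal static check over disassembled app code (smali) for direct calls to the two Android `PackageManager` methods that return the installed-app list, `getInstalledPackages` and `getInstalledApplications`, attributing each call site to the app's own package or to bundled library code. The sample disassembly, its package names and the function `find_iam_calls` are constructed for illustration.

```python
import re

# The two PackageManager calls (IAMs) that enumerate installed apps.
CALL_RE = re.compile(
    r"invoke-(?:virtual|interface)(?:/range)?\s+\{[^}]*\},\s*"
    r"Landroid/content/pm/PackageManager;->"
    r"(getInstalledPackages|getInstalledApplications)\(")
CLASS_RE = re.compile(r"^\.class\s+.*?(L[\w/$]+;)\s*$")
METHOD_RE = re.compile(r"^\.method\s+.*?([\w<>$]+)\(")

def find_iam_calls(smali_text, app_package):
    """List every IAM call site and whether it sits in the app's own
    package ('app') or in bundled third-party code ('library')."""
    app_prefix = "L" + app_package.replace(".", "/") + "/"
    findings, cls, method = [], None, None
    for raw in smali_text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls, method = m.group(1), None
        elif m := METHOD_RE.match(line):
            method = m.group(1)
        elif line == ".end method":
            method = None
        elif (m := CALL_RE.search(line)) and cls:
            origin = "app" if cls.startswith(app_prefix) else "library"
            findings.append((origin, cls, method, m.group(1)))
    return findings

# Constructed sample: disassembly of a hypothetical flashlight app that
# bundles a hypothetical ad SDK. Direct calls only; reflection is not caught.
SAMPLE_SMALI = """
.class public Lcom/example/flashlight/MainActivity;
.method public onCreate(Landroid/os/Bundle;)V
    const-string v0, "getInstalledPackages"
    invoke-virtual {p0}, Lcom/example/flashlight/MainActivity;->toggle()V
.end method
.class public Lcom/adsdk/sample/Profiler;
.method private collect(Landroid/content/Context;)V
    invoke-virtual {p1}, Landroid/content/Context;->getPackageManager()Landroid/content/pm/PackageManager;
    invoke-virtual {v0, v1}, Landroid/content/pm/PackageManager;->getInstalledPackages(I)Ljava/util/List;
.end method
.method private apps(Landroid/content/pm/PackageManager;I)V
    invoke-virtual/range {p1 .. p2}, Landroid/content/pm/PackageManager;->getInstalledApplications(I)Ljava/util/List;
.end method
"""

if __name__ == "__main__":
    for origin, cls, method, api in find_iam_calls(SAMPLE_SMALI, "com.example.flashlight"):
        print(f"{origin:8} {cls}->{method} calls {api}")
```

Both call sites in the sample are reported as library code, which is the case a reviewer of a simple utility app would want surfaced: the app's own classes never touch the API, but the bundled SDK does.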


  • (Score: 2) by Runaway1956 on Monday March 30 2020, @12:02AM (3 children)

    by Runaway1956 (2926) Subscriber Badge on Monday March 30 2020, @12:02AM (#977064) Journal

    OK, so precious few people actually look at TOS, licenses, privacy disclosures, etc etc ad nauseam. And, even fewer people have any meaningful training, to understand all that nonsense. And, not everyone is as paranoid as a paranoid nerd.

    Still, no one even bothers to look anything up on the internet? No one is the least bit suspicious?

    On the way to work, I hear an ad on the radio for "Fiends - that's Friends without the R". It's the most downloaded game, blah blah blah, FREE! So, the game is free, but they're making enough money to run radio ads for it? Something smells suspicious here. Who wants to bet this game isn't a data mining tool? And, (according to the ad, anyway) it's the most downloaded game.

    NO ONE IS SUSPICIOUS?!?!

    I'm sorry people, but if you've installed Fiends, you are deserving of being mined.

    • (Score: 2) by broggyr on Monday March 30 2020, @12:04AM

      by broggyr (3589) <broggyrNO@SPAMgmail.com> on Monday March 30 2020, @12:04AM (#977066)

      Microtransactions.

      --
      Taking things out of context since 1972.
    • (Score: 0) by Anonymous Coward on Monday March 30 2020, @01:26AM (1 child)

      by Anonymous Coward on Monday March 30 2020, @01:26AM (#977077)

      What if the app came pre-installed on the device and can't be removed without hacking?

      • (Score: 2) by Runaway1956 on Monday March 30 2020, @05:07AM

        by Runaway1956 (2926) Subscriber Badge on Monday March 30 2020, @05:07AM (#977114) Journal

        And, you paid for that phone, with the trash preinstalled. Some people can smell a sucker coming from a mile away.

  • (Score: 0) by Anonymous Coward on Monday March 30 2020, @12:02AM (5 children)

    by Anonymous Coward on Monday March 30 2020, @12:02AM (#977065)

    Weren't we told that app stores would be a benefit for the user by ensuring that the applications downloaded were safe?

    It seems that a week doesn't go by without another story of either wide-spread abuse by applications on official app stores, and/or some particularly egregious bad behavior by one or a few apps.

    Seems the only fix is to use the *nix package model. All applications in app stores are built by the owner of the app store after auditing the source.

    While I don't know how to motivate Apple/Google to do a better job, at least it would be easier to do a more thorough job.

    • (Score: -1, Flamebait) by Anonymous Coward on Monday March 30 2020, @12:41AM

      by Anonymous Coward on Monday March 30 2020, @12:41AM (#977068)

      Did your mother drop you on your head when you were a baby, or was the damage genetic? The last thing you want on your phone is the *nix model because that leads to systemd.

    • (Score: 2) by NateMich on Monday March 30 2020, @01:16AM

      by NateMich (6662) on Monday March 30 2020, @01:16AM (#977073)

      Weren't we told that app stores would be a benefit for the user by ensuring that the applications downloaded were safe?

      Define safe.

      I mean, just because an app is collecting all sorts of information on you most people wouldn't care, and I guarantee you that Google or Apple wouldn't consider it dangerous.

    • (Score: 0) by Anonymous Coward on Monday March 30 2020, @02:17AM

      by Anonymous Coward on Monday March 30 2020, @02:17AM (#977085)

      Weren't we told that Windows is safe?
      Weren't we told that we were holding our iPhone wrong?

    • (Score: 2) by Pino P on Monday March 30 2020, @04:34PM (1 child)

      by Pino P (4721) on Monday March 30 2020, @04:34PM (#977272) Journal

      Seems the only fix is to use the *nix package model. All applications in app stores are built by the owner of the app store after auditing the source.

      The model you describe is that of the F-Droid repository. The F-Droid build system downloads each application from a public source code repository, builds it, and offers the binaries to the public.

      But the business model of several applications depends on deterring use of the works presented through an application without payment. Such deterrence is generally ineffective if end users have access to the source code, as the user can more easily modify the application to make prohibited copying easy. This is why you don't see, for example, Clash of Clans or Spotify or Netflix on F-Droid.

      So if a mobile platform were to switch to F-Droid's model, it would lose most video games, and it would lose applications to view subscription audio or video streaming services. The publishers of these applications would probably switch to the competing smartphone platform that still allows proprietary applications. And if both major smartphone platforms were to require all applications to be available in source code form, publishers of entertainment applications would instead target handheld video game consoles, instructing users to use a phone's mobile hotspot feature. And Nintendo currently holds a monopoly on handheld video game consoles with the Switch and Switch Lite.

      Is this the direction you had in mind? Or did I miss something?

      • (Score: 0) by Anonymous Coward on Monday March 30 2020, @10:30PM

        by Anonymous Coward on Monday March 30 2020, @10:30PM (#977393)

        Yes, this would be ideal, and my phone uses fdroid as its "app store" (same AC as you were responding to).

        But, I was being non-idealistic in my original comment. Even if Apple / Google are the only ones with access to the source, under an NDA, and Apple / Google did the builds, it would still be a much easier task to check for anti-features like spying.

        Would Google / Apple care about distributing spyware etc. if they could easily prevent it? I don't know. Google and Microsoft have very bad (earned) reputations themselves, when it comes to surreptitiously spying on their users. But, obfuscated code is easier to audit than obfuscated binaries.
         

  • (Score: 2) by Snotnose on Monday March 30 2020, @12:47AM (2 children)

    by Snotnose (1623) on Monday March 30 2020, @12:47AM (#977070)

    I was pissed some 6 months ago to find my flashlight app was collecting all sorts of info on me. I immediately deleted it, then my cat knocked that phone into my cup of tea.

    My new phone (which, to be honest, I liked my old LG Power X over my new Samsung A20) has the flashlight built into the settings bar. I've got all of 2 apps I installed: Poker Deluxe, and an FDroid tower defense game.

    Soon after getting this A20 someone said I could use the debugger to delete apps I didn't want, I immediately used it to delete Facebook off my phone. Deleted a couple others, don't remember what they were. But damn was I glad I'd developed a couple Android apps in the past and knew how to use the debugger.

    --
    Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.
    • (Score: 0) by Anonymous Coward on Monday March 30 2020, @07:13AM (1 child)

      by Anonymous Coward on Monday March 30 2020, @07:13AM (#977128)

      You may wish to install Blokada from FDroid, you'd be surprised how many connections to questionable URLs it blocks. Mine has blocked over 60,000 since November though I do own a Xiaomi phone.

      • (Score: 4, Interesting) by Snotnose on Monday March 30 2020, @12:31PM

        by Snotnose (1623) on Monday March 30 2020, @12:31PM (#977176)

        I assume Blokada is a firewall type app. I installed something similar on my old phone and noticed my battery life went to hell. Uninstalled it, battery life went back to normal.

        But yeah, it was amazing how much crap my phone sends out to "someone".

        --
        Why shouldn't we judge a book by its cover? It's got the author, title, and a summary of what the book's about.