Another day, another survey. Who Knows What About Me? A Survey of Behind the Scenes Personal Data Sharing to Third Parties by Mobile Apps, is a collaborative effort by Jinyan Zang, Krysta Dummit, James Graves, Paul Lisker, and Latanya Sweeney, that shows us just how much of our data is shared by popular iOS and Android apps.
A flashback of that long unreadable privacy policy comes to mind. Most of us don’t read them, but in case you were wondering if this is legal, (un-)fortunately it is. What’s worrying however, is the amount of data that is being shared and the fact that most applications don’t notify you when your data is being shared. This means that personal information, location data or search items are being shared on a regular basis with third parties. Older surveys have shown that users most likely won’t install an app if they know from the start the amount of personal data that they will be required to share.
The team involved in the survey tested 110 of the most popular free iOS and Android apps (55 from each) to see just how much personal data is being shared. The results were staggering. The survey shows that 73% of Android apps shared personal information such as email address with third parties, and 47% of iOS apps shared geo-coordinates and other location data with third parties.
All the tested apps were chosen from the Google Play Store and Apple App Store, the most popular app stores around.
“For each app, we used a man-in-the-middle proxy to record HTTP and HTTPS traffic that occurred while using the app and looked for transmissions that include personally identifiable information (PII), behavior data such as search terms, and location data, including geo-coordinates,” wrote the authors. “An app that collects these data types may not need to notify the user in current permissions systems.”
Sensitive user information sharing has become a concern even for governments. We generally have to assume that most of the shared information is vulnerable. If unique information starts getting in the mix (such as ID info for instance), then a breach in the app’s security system could have terrible effects on the users. Possibly the most concerning case of data sharing discovered by this survey, involved an app from Drugs.com that shared user health information.
Survey testing methods
The authors of the survey explained how they managed to make the testing methods relevant.
Step 1: Selecting the apps
As mentioned before, the apps were selected from the most popular app stores available: 55 apps from the Google Play Store, and another 55 apps from the Apple App Store, tested on an iPhone 5 and a Samsung Galaxy S3. The main reason behind the decision to test apps from these stores was related to the number of apps they provide – almost 4 times the number of apps that the Amazon Appstore has available, their closest competitor. Google Play Store is a non-curated store – meaning that any developer can submit and publish an app, while the Apple App Store has reviews and a registration process – thus somewhat content curated. Having both options in the survey also helped the researchers figure out if there was any difference in the transmission of personal information.
Step 2: Using the apps
With the most permissible options activated, the researchers began testing the apps. In order to make the results relevant, the usage was as typical as possible, with a duration of about 10-20 minutes, long enough for the personal information to be shared.
“The time spent on each app varied and depended on the nature of the app. We set all permissions to the most permissible—i.e., we allowed all requests for sharing geolocation and agreed to any other permission requests. However, we generally did not permit push notifications, which allow an app to send data in the background when not in use, such as when a different app was being tested. We wanted to avoid contaminating the data capture during each app’s testing with push notifications that would cause background activity from unrelated apps to bleed through”, the researchers explained.
Step 3: Recording app communications
Using mitmproxy – a free software, and the man-in-the-middle approach, the surveyors managed to monitor all the recorded communications between the phone on which the app was tested and the Internet. Mitmproxy displayed all the Internet traffic linked to the phone.
“Encrypted communications on HTTPS were visible as clear text in this set-up, because the mitmproxy computer records the keys necessary to decipher encrypted communications. Mitmproxy recorded two pieces of information for each flow or instance of HTTP or HTTPS traffic to and from the phone: (1) the full site address and (2) clear text, if available, metadata about an image, javascript, or other files transmitted. For each app, we assumed the flows that occur during app testing are likely due to that app’s activity,” said the researchers.
Step 4: Analyzing the recorded app communication data
To simplify the work, the recorded data was analyzed using a Python script. This script goes over the whole captured data, and identifies personal data related info.
Results
The researchers found that the average Android app sends potentially sensitive data to 3.1 third-party domains, and the average iOS app connects to 2.6 third-party domains. Android apps are more likely than iOS apps to share with a third party personally identifying information such as name (73% of Android apps vs. 16% of iOS apps) and email address (73% vs. 16%).
The team’s full analysis of the results: “For location data, including geo-coordinates, more iOS apps (47%) than Android apps (33%) share that data with a third party. In terms of potentially sensitive behavioral data, the survey shows that 3 out of the 30 Medical and Health & Fitness category apps in the sample share medically-related search terms and user inputs with a third party. Finally, the third-party domains that receive sensitive data from the most apps are Google.com (36% of apps), Googleapis.com (18%), Apple.com (17%), and Facebook.com (14%). 93% of Android apps tested connected to a mysterious domain, safemovedm.com, likely due to a background process of the Android phone. The results show that many mobile apps share potentially sensitive user data with third parties, and that they do not need visible permission requests to access the data. Future mobile operating systems and app stores should consider designs that more prominently describe to users potentially sensitive user data sharing by apps.”
What is the recommended solution for the moment? Share as little personal data as possible and use fake data when you can.
