Researchers Detect Android Apps That Connect to User Tracking and Ad Sites

An anonymous reader writes: A group of European researchers has developed software that tracks the URLs to which cellphone apps connect. After downloading 2,000+ free apps from Google Play, they indexed all the sites those apps connected to, and compared them to a list of known advertising and user tracking sites. "In total, the apps connect to a mind-boggling 250,000 different URLs across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific. Vigneri and co give as an example "Music Volume Eq," an app designed to control volume, a task that does not require a connection to any external urls. And yet the app makes many connections. 'We find the app Music Volume EQ connects to almost 2,000 distinct URLs,' they say. [Another major offender] is an app called Eurosport Player which connects to 810 different user tracking sites." The researchers plan to publish their software for users to try out on Google Play soon.
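
The comparison the summary describes, matching the hosts an app contacts against a list of known ad and tracking sites, can be sketched as follows. This is an added example, not the researchers' software: the app names, URLs and blocklist entries are constructed, and matching subdomains of a listed host is an assumption of this sketch (a hosts file itself only matches exact names).

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed blocklist in hosts-file format (not a real list).
BLOCKLIST_HOSTS = """\
# ad and tracking hosts (constructed sample)
0.0.0.0 ads.example.net
0.0.0.0 track.example.org   # inline comment
127.0.0.1 localhost
"""

# Constructed (app, URL) observations, e.g. from a capture on a test device.
OBSERVED = [
    ("volume.eq", "http://ads.example.net/banner?id=1"),
    ("volume.eq", "http://ads.example.net/banner?id=2"),
    ("volume.eq", "https://eu.track.example.org/collect"),
    ("volume.eq", "https://cdn.example.com/icon.png"),
    ("notes.app", "https://api.example.com/sync"),
]

def parse_hosts_blocklist(text):
    """Return the set of blocked hostnames from hosts-file text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # fields[0] is the sink address; the rest are hostnames.
        for name in fields[1:]:
            if name.lower() != "localhost":
                blocked.add(name.lower().rstrip("."))
    return blocked

def is_blocked(host, blocked):
    """True if host or any parent domain is on the list (suffix match)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def summarize(observed, blocked):
    """Per app: distinct URL count and sorted blocked hosts contacted."""
    urls, hits = defaultdict(set), defaultdict(set)
    for app, url in observed:
        host = urlsplit(url).hostname or ""
        urls[app].add(url)
        if host and is_blocked(host, blocked):
            hits[app].add(host)
    return {app: {"distinct_urls": len(u), "tracker_hosts": sorted(hits[app])}
            for app, u in urls.items()}

if __name__ == "__main__":
    for app, row in summarize(OBSERVED, parse_hosts_blocklist(BLOCKLIST_HOSTS)).items():
        print(app, row)
```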

  • Nothing new (Score:5, Insightful)

    by jbernardo ( 1014507 ) on Monday May 04, 2015 @06:04PM (#49616419)

    We should know by now what are the costs of "free". That is why I use a hosts file for ad and tracking block.

    I only wonder why they only tested android apps, and left out IOS apps. Without this comparison, the first paragraphs of the article, blaming the tracking and ads on the openness of Android, is little more than wistful thinking.

    • I agree it would have been really illuminating to do the same test for a large range of free iOS apps.

      However I think that you wouldn't see the most egregious of tracking stuff going on in iOS, for two reasons:

      1) iOS reviews would I think alarm on something connecting to 810 different tracking sites. Definitely if you were trying to do anything like that in the background.

      2) There's simply not as much data to gather. Most Android apps ask for all possible permissions, because why not? You're probably not

      • by AuMatar ( 183847 ) on Monday May 04, 2015 @08:04PM (#49617247)

        1) Not necessarily. Something as simple as not enabling that code for a month after release would get it by reviews. They aren't reviewing source code, they're reviewing behaviors. Just like you don't speed when there's a cop right behind you, you wouldn't connect when you're being watched.

        2) They ask for a lot of permissions because the permissions aren't fine grained enough, and because polish requires it. For example I had an app that did sound effects when you tapped a key. The OEM requested that we turn off sounds when the user is in a call so they wouldn't play on the other end. This reasonable request required a new permission (CALL_STATE IIRC), which actually gave us much more info than we wanted (we got to find out when calls started, ended, and the connection number which we didn't need). But if you just looked at our permissions your reaction would be "why do you need to know who I'm calling"? We didn't; there was just no way to request less info, we didn't even look at the number.

        One of the big problems was that Google redesigned the play store to be less scary and show fewer permissions. One of those was that any app could request internet permission without it showing up. That was just wrong.

        What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.

        • 1) The app has to declare if it's going to be doing background processing, and you have to give a reason why they will accept. So not just any app can do that.

          What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.

          I thought Google added that ability in an early 4.0 or 5.0 version of Android, but then backed it out... Sadly I think because too many apps react b

          • by AuMatar ( 183847 )

            I think internally they have such a tool and use it in testing all the time. I don't predict them exposing it any time soon. It was released by accident, but pulled very quickly. And their changes to permissions on the Play Store go the opposite way.

        • by Lennie ( 16154 )

          I would rather see most apps just use intents:

          http://developer.android.com/g... [android.com]

          Need an image because you are the QR-code app? Ask the image 'app'. The user can pick to choose the camera app and make a picture if he/she wants or grab an image from the image gallery app.

          Need a contact? Ask the contact 'app'.

          Now most apps don't need any permissions any more. And the user knows what data the app gets because the user chooses the data and the app the data came from.

        • by gauauu ( 649169 )

          What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.

          This is the #1 reason why I install cyanogenmod on every phone I use. It lets you deny/approve individual permissions per app.

      • Android Apps don't ask for permissions, they list demands. Once you've installed the App, you're just forced to just live with all their demands, uninstall, or root your phone. iPhones, on the other hand, allow you to grant and revoke permissions on the fly.

        I realize that here on slashdot, rooting your phone may not seem like a big deal, but it's a pain and violates my agreement with my carrier--not something I'm willing to do.

    • by Anonymous Coward

      Jailbreak an iPhone, load and run Firewall IP. Download most apps from the App Store... and watch as the app connects to many, many sites before the app does a single thing.

      The only difference in iOS is that there are no tools to catch a specific app in action.

    • by MouseR ( 3264 )

      Actually, Apple does try to catch those apps that sign out. In the process, they will miss the more cunning ones. And they make false positives.

      One of my free iOS Apps, a RPN stack-based scripting language, came with some sample scripts you could in-click install (aka, move from App bundle into the sandboxed Documents). The App also had a button linking directly to a Wiki explaining the language and had copies of the scripts.

      Somehow Apple evaluated that my App downloaded the sample scripts from my wiki down

    • by antdude ( 79039 )

      How do you add a hosts into non-jail broken iOS? I still haven't found a good free non-proxy web browser ad blocker. I found one, but it was a trial.

    • by tlhIngan ( 30335 )

      I only wonder why they only tested android apps, and left out IOS apps. Without this comparison, the first paragraphs of the article, blaming the tracking and ads on the openness of Android, is little more than wistful thinking.

      Well, if the apps are just ports of each other, then it's exactly the same.

      However, if you want to make money, the business models on iOS and Android differ. On iOS, selling a paid app is a really good way to make money - iOS users will pay for apps.

      But on Android, paid apps are put

    • by reikae ( 80981 )

      There are many, many wonderful desktop applications for all operating systems that are free (as in beer) and don't track the user or display advertisements. So it's not immediately obvious that "free" programs come with strings attached. I wonder why it's so different on mobile platforms; is it just easier to do tracking and ads there?

    • We should know by now what are the costs of "free". That is why I use a hosts file for ad and tracking block.

      I only wonder why they only tested android apps, and left out IOS apps. Without this comparison, the first paragraphs of the article, blaming the tracking and ads on the openness of Android, is little more than wistful thinking.

      I am as big an Apple enthusiast (not fanboi) as they come; but I was wondering the same thing; if, for nothing else, bragging rights for iOS.

      But seriously, though, the study is rather useless without comparative data.

  • by Anonymous Coward on Monday May 04, 2015 @06:05PM (#49616433)

    Dozens of external domains are not unusual anymore. Many web sites are unusable and unreadable without at least access to one CDN domain. Many also rely on script libraries on third party hosts. It's fucked up.

    • by TWX ( 665546 ) on Monday May 04, 2015 @07:00PM (#49616863)
      I just don't get the third-party script libraries thing. Seems like an AWFUL idea for anything beyond a read-only bulletin board for a club or group to post their agenda and interests on such that it's not directly affiliated with Facebook or another 'social networking' site.

      If you're running a business using a site, or are using forums or other interactive, feedback-driven system, trusting your libraries and passing data to third parties seems like a terrible idea. Bad enough for your own server to be penetrated and your libraries or scripts messed with, but much worse now that those with malicious intent have one-stop shopping to screw over loads of users and sites.
      • Worse - if you're using Adobe SiteCatalyst analytics (and probably others), you need* to create a domain below yours for the tracking to go to (basically, create a CNAME to their server somewhere in your domain). That means Adobe get to see all the cookies you set in the root of your domain (and I'll bet you don't set all your cookies to just your website or webapp). If you're not very careful, that's just about everything you know about your visitors also going to Adobe.

        Ghostery/Adblock or similar are the

  • by DougPaulson ( 4034537 ) on Monday May 04, 2015 @06:09PM (#49616463)
    This would never happen if they choose the Microsoft industry standard Windows Store :)
  • by ciaran2014 ( 3815793 ) on Monday May 04, 2015 @06:15PM (#49616513) Homepage

    This argument is very easy to understand, so it's a great starting point.

    The first targets for a campaign for free software apps should be educational institutions and public services.

    GNU.org has a good list of proprietary software packages with spyware:

    https://www.gnu.org/philosophy... [gnu.org]

  • by Anonymous Coward on Monday May 04, 2015 @06:18PM (#49616547)

    What, you thought that every app asking for access to your contacts, wifi status and network access were doing it because it was helpful?

    • by TWX ( 665546 )
      It took far longer than it should have to find a flashlight app to just toggle the flash on and off that didn't require access to more than the camera. For those that care the app I use is called "LED Light".
      • There's an app for that?
        I use the built in functionality of Android. It's right there in the Lollipop notification thing.

        • by TWX ( 665546 )
          Back when I initially wanted one there was no single click solution to quickly turn on the light. That may have changed in the intervening years.
  • Why? (Score:1, Interesting)

    by koan ( 80826 )

    Doesn't Android allow the user to set permissions?

    • No. (Score:4, Informative)

      by Anonymous Coward on Monday May 04, 2015 @06:27PM (#49616627)

      The user can see what permissions the app requires, and choose whether or not to install the app.

      You need a special app with root permissions to set up your own blocks (which, of course, might break the app you are firewalling).

    • by Dwedit ( 232252 )

      There is App Ops, built into the OS in a hidden menu, but that has one of the worst user interfaces I've ever seen. It's pretty much unusable.

    • AppOps allowed you to control some permissions, but it got removed/disabled in later Android versions. XPrivacy, which also allows some finer permission control, still functions well, and it has the ability to pass fake data to applications that request it. If you have CM it will probably have the PrivacyGuard tool built in, which also can restrict app access to data, like contacts and other personal stuff.
  • I never really understand why folks are surprised by this kind of thing. There's nothing fundamentally different between a Windows box attached to the internet in the late 90s and a cell phone except that a heck of a lot more people have cell phones and they're easier to connect to a remote site. Both systems are perfectly happy to let you install random software you found god knows where that does god knows what. All that's really changed is the admission bar has lowered.

    They should be ecstatic that al

  • Root phone, install hosts file, problem solved. Well, solved if you can root.

  • yum install tcpdump
  • by Anonymous Coward

    And hence the reason customers want OnePlusOne and Cyanogenmod, because it includes a privacy tool that lets you remove the permissions from apps like "Music Volume EQ"

    http://www.androidcentral.com/cyanogenmod-updating-privacy-guard-20-new-features-coming-cm102

    A similar tool was pre-released by Google in v4.3, then removed claiming it broke applications. I suspect the reality was, that if you could remove privacy invading things from apps, then lawsuits would make it work also for Google Apps and that was a

  • For me is that no matter how well I take care of information if someone sticks it into their Android and runs one of these apps there goes that phone number.

    In fact shortly after my buddy bought a Nexus 7 (he installs EVERYTHING on it...) I started getting txt offers from Chinese retailers and my number blew up with various other issues.

    Nothing for years then this...

    Now I can't prove it was his device and his bad habit of installing anything, but the timing works.

  • by hack slash ( 1064002 ) on Tuesday May 05, 2015 @04:06AM (#49618987)
    Since installing AdAway [sufficientlysecure.org] on my Android devices it has eliminated most of the banner adverts in apps. I wonder how the researchers' results would stack up after installing AdAway.
  • So, how many connections will their new app do?
    Can we use the app to monitor the same app?
  • I've been forced to start removing apps from my phone.

    I have an older Android phone, and don't have (or want) a data plan.

    A while ago, when I got voicemail and the notification for it, I'd get a text message from my ISP saying that something on my phone was trying to connect to the internet.

    Basically some app I had had decided that it needed to notify someone when I got a phone message, but it failed because I didn't have a data plan.

    Then I started removing apps and testing, and eventually got it pared
