Study Finds That a Large Number of Popular Android Apps Secretly Cast the Screen To Third Parties, But They Don't Listen To Conversations

Kasmir Hill, reporting for Gizmodo: It's the smartphone conspiracy theory that just won't go away: Many, many people are convinced that their phones are listening to their conversations to target them with ads. [...] Some computer science academics at Northeastern University had heard enough people talking about this technological myth that they decided to do a rigorous study to tackle it. For the last year, Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes ran an experiment involving more than 17,000 of the most popular apps on Android to find out whether any of them were secretly using the phone's mic to capture audio. The apps included those belonging to Facebook, as well as over 8,000 apps that send information to Facebook. Sorry, conspiracy theorists: They found no evidence of an app unexpectedly activating the microphone or sending audio out when not prompted to do so. Like good scientists, they refuse to say that their study definitively proves that your phone isn't secretly listening to you, but they didn't find a single instance of it happening. Instead, they discovered a different disturbing practice: apps recording a phone's screen and sending that information out to third parties.

And this is a good thing?

[alvinrod]

Good news residents, thieves aren't coming to plunder your document safes. Instead, they're only going to rummage through your jewelry boxes.

May as well have led with a bit on no conclusive evidence that the apps were trying to give you cancer.

Re:

[sergiorf]

I liked the sarcasm.

Re:

[Oswald McWeany]

That seems worse than whatever stupid shit I might say near my phone.

Indeed! So, if I chose the "show password" to make sure I'm writing it correct- it can screenshot my password and send it to a third party? If I open PayPal it can screenshot what I've spent and send it to a third party?

Are these apps only screenshotting within themselves- or potentially everything you do. This could be extremely serious.

Re:

[Anonymous Coward]

Stupid post is stupid.

All android apps can REQUEST the permission to record your screen. Hell, there's good reason for it in some cases: See "CalcyIV" for Pokemon Go (which reads the pokemon's stats and provides more detailed info), or even Google's own Now / Assistant which screenshots and gives information about what you're looking at.

Unless it's preinstalled on your phone (and even if it is, it might still need to request it), there's going to be this huge "[APP] requests to record everything on your s

Re: Screenshots?

[Anonymous Coward]

FunFact: Not every version of Android has a that permissions system. Some of them, especially older ones, grant all permissions by default when you install the app.

Re:

[Oswald McWeany]

Stupid post is stupid.

All android apps can REQUEST the permission to record your screen. Hell, there's good reason for it in some cases: See "CalcyIV" for Pokemon Go (which reads the pokemon's stats and provides more detailed info), or even Google's own Now / Assistant which screenshots and gives information about what you're looking at.

Unless it's preinstalled on your phone (and even if it is, it might still need to request it), there's going to be this huge "[APP] requests to record everything on your screen" prompt. Then, every time it records your screen, an icon appears in your status bar by the Wifi/3G/clock and I believe a notification appears.

In Oreo, you're probably going to be reminded at least once that the app recently used it. It just notiffied me that Soundhound used my mic the other day, and that was with me actively using the app.

Additionally, apps can block (https://android.stackexchange.com/questions/133022/disable-screenshot-security) screenshot/casts.

You literally have to ignore 3-4 warnings / notifications *AND* your banking apps / password requests have to be programmed badly (it's literally one line of code) for your information to be recorded.

I've never once been asked by an app to record my screen. Nor have I ever seen any icon that looks like a "recording screen" icon. I hope that means I just don't have anything installed that records... but I'm not convinced.

Re:

[AHuxley]

No human is looking at the words and images collected. A computer looks over each word and image. That data set is then worked on for ads.
As no human is looking its legal.

Re:

[alvinrod]

I'll assume it's a shortening of "broadcast" and that they mean that images of the screen are being sent to these third parties.

Re:

[corezz]

PodCAST
BroadCAST
TeleCAST
WebCAST
VidCAST
SportsCAST
WeatherCAST
OutKast :P

Any of those ring a bell? Well, casting the screen is another way of saying ScreenCAST.

Class dismissed.

Re:

[karbonforms]

SurfCAST

Re:

[dcw3]

sarCASTic
CASTing couch
CASTrated

Re:

[Farmer Tim]

This proves trusting an install wizard is a bad idea.

Re:

[AHuxley]

A live mic in a room thats collecting user data for a lot of brands. Dont worry no human is listening. A computer system gets every word spoken into a type of data. A type of data is not a human listening in real time so its legal.

I suspect...

[thegreatbob]

... that the following may be true:

People are far more forgetful of the actions they've taken online and how they could be used by data/ad companies.

People aren't entirely likely to notice ads without having some reason (e.g. just having talked about it)

Data/ad companies are far better about targeting their results than they were in the past.

People love a good conspiracy. I know I do.

Re:

[Luthair]

People aren't entirely likely to notice ads without having some reason (e.g. just having talked about it)

Pretty much this, people are wired to look for coincidences. Another possibility is that people you know are talking about similar topics via Facebook and FB's advertising considers the social network.

Re:

[SumDog]

I think it's more than that. The algorithms Facebook and Google use are pretty damn powerful. Google analytics and Facebook like widgets are everywhere. One of two things are happening:

1) The algorithms they train are so good, they can predict what you're going to desire and place an ad for it before you know it yourself. You think your phone is listening to you, but it's simply an analysis of all your other data. What you say with your friends about a thing you desire is just something it can predict.

2) Ad

Re:

[Oswald McWeany]

1) The algorithms they train are so good, they can predict what you're going to desire and place an ad for it before you know it yourself.

For some bizarre reason I keep getting ads for women's clothing. Does this mean I'm going to desire a sex change in the future? Google knows it now- but I haven't figured it out for myself yet.

Re:

[javaman235]

That's the weird thing about it, the ads are so bad so often, but then you have the stuff that gives you mind reading/spying on my conversations feeling, and it's uncanny. It makes you think: what if they're actually REALLY good at manipulating us? What if the woman's clothes ads they're showing the guy are to modify his behavior around a woman at work who buys those clothes so she'll buy more? I mean you have to wonder. ANY analytics would show I'm a pickup/Jeep guy, but I constantly get ads for urban uppe

Re:

[Sique]

Actually, the algorithms are pretty dumb. Just recently, I was discussing wooden panels for redecoration with someone, and now I see exactly the wooden panels I was looking for online to check for prices, in the ads. So either my profile with the analytics machines is quite thin so every thing I do online totally changes it, or the analytics machine is just throwing more of the same on me until I look for something else.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Hentes]

Or data companies share far more of your personal info with each other than they admit.

Ads under FIrefox?

[whoever57]

On my Android, quite frequently, Firefox asks for permission to use the microphone. I deny it every time.

But why is it doing this? Is it malicious ads that are trying to record me?

Re:

[beowulfcluster]

An app that frequently asks for permission to use the mic despite being denied every time would not live long on my phone.

Re:Ads under FIrefox?

[apoc.famine]

You don't have an android then, do you?

Because Google Play needs access to everything or it pops up complaints all of the time if you limit it. On a pretty regular basis I get a notice that Google Play is having issues because I haven't allowed it to use my phone, access my contacts, and whatever else stupid shit it wants access to. Instead of failing gracefully it's a constant nag, and they've been ignoring bug reports on this "feature" for 3-4 years now.

Re:

[Anonymous Coward]

Yeah, that's called nagware -- and it was supposed to have died in the fucking 90s. Unfortunately, Google didn't get the memo, and if you don't opt-in to all of their tracking shit on their 'track-everything-you-do' OS, you get hounded every. fucking. time. you. load. something.

Android is shit.

Re: Ads under FIrefox?

[Reverend Green]

I strongly prefer the Android user interface over iOS. But Google has kinda jumped the shark. They're just pure evil now. And their software quality is declining fast - almost like they fired all their talented engineers.

I have hated Apple for a long time. I don't like their shitty software, I don't like their ugly design, I don't like their gay marketing image. But Google has gotten so bad that my next phone may be an iPhone. Sad.

Dark Pattern design

[Anonymous Coward]

Because Google Play needs access to everything or it pops up complaints all of the time if you limit it. On a pretty regular basis I get a notice that Google Play is having issues because I haven't allowed it to use my phone, access my contacts, and whatever else stupid shit it wants access to. Instead of failing gracefully it's a constant nag, and they've been ignoring bug reports on this "feature" for 3-4 years now.

You just described Dark Pattern design at work (darkpatterns.org for more info). The idea is that you get annoyed and as a result give the apps full rights without thinking the consequences. If it was possible to deny permanently certain rights without the annoyance of constant reminders very few users would grant the apps free access to data on the phone.

You pay for the "free" apps by giving up your privacy. What you described is an intentional feature and will not be listed as a bug.

Re:

[javaman235]

I've had adservers ask for that permission to use mic from ads embedded in page, but I haven't seen that for a long time.

Re:

[Actually, I do RTFA]

It could be malicious ads, or pages that just ask for permissions without thinking, or a dozen other reasons. If you go into your settings (maybe the advanced one by visiting the URL about:config) you should be able to set it to "always no" (Or "never ask" or similar)

Re:

[AHuxley]

Dont use a computer with a live mic. Connect a mic when its needed for the app thats trusted.

Ads across multiple devices

[Dan East]

I believe one thing that is happening is targeting ads based on the client IP address. If the IP address is that in the range of a typical ISP, then there is a very good chance that all of the devices with that IP address are in the same household, and targeting ads across devices would be profitable. About a week ago my girlfriend and I were talking about my old camper, and the work we did towards restoring it. She googled "vintage campers" on her cell phone, and on my laptop I had googled for my exact

Re:

[JLavezzo]

Seems less likely a question of IP address range than Facebook cookies linking activity across devices.

Re:

[Atomic Fro]

I have the same thing happen to me a lot, only with Amazon instead of Facebook. For a recent example, I do the cooking in the household and enjoy doing so. I believe I was letting youtube run on its own in the background, and eventually it played some video on how to do sous-vide at home. I didn't know what sous-vide was so I did a some research on the technique on my iphone while it was running.

That was the full extent of it, a video played on my workstation, some wikipedia research on my iphone.

Despite us

Re:

[LordWabbit2]

I doubt it's via IP address, there is so much NATting going on that it would be less than useful. However since you googled on your PC while logged into your google account, do you really think it surprising that when you used your phone, which is also logged into your google account, that something linked the two? I wanted to look up the price of a wood chipper while watching a movie, after that all the ads on my PC changed to wood chippers. I spent some time visiting family, and they have a teenage son

Voice recording ...

[PPH]

... or interception have specific coverage under recording and wiretapping laws. Grabbing a copy of your screen, not so much.

Re:

[AHuxley]

The NSA, GCHQ and the ads get around that by saying no real human is listening in real time.
No human listening in so thats not really "wiretapping". A computer collects all the images, looks for all words used, sounds, spoken works and creates a data set.
No human can listen into a dataset so thats still legal.

The way out is not to have a live mic in the room.
To not use a smartphone with ad supported apps.
Never trust a free big brand OS. Never trust a browser that offers more supports to ads than

Re:

[PPH]

no real human is listening in real time.

Doesn't matter. Wiretapping laws have applied to recording conversations since the days of wire recorders [wikipedia.org]. Makes no difference if a human listens now or at some time in the future.

Re:

[AHuxley]

That would make domestic collection all over the USA illegal. Some color of law must exists to make it all legal.
No human will listen in the future. Thats the way around the laws. The data set is the word spoken converted into text. The text transcript is searched and thats not illegal as no humans listened.
Other data sets get the same transforming real time collection.
OCR the screen image for words. Keep the maths of every face in the image for recognition. Maths that can be turned back into

WSJ Says Yes

[Zorro]

https://www.wsj.com/articles/t... [wsj.com]

The WSJ reports:

Google said a year ago it would stop its computers from scanning the inboxes of Gmail users for information to personalize advertisements, saying it wanted users to âoeremain confident that Google will keep privacy and security paramount.â

But the internet giant continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated trav

Bollocks

[Carrot007]

> 17,000 of the most popular apps

"popular" more like.

Apps fucking idiots install also a possiblity.

This is what people asked for anyway. With free apps they get what they pay for.

Re:

[AHuxley]

The brands that make the phone offer the live mic support too. No extra special user interaction needed to enjoy that live mic collection.

haha

[DMJC]

Just another reason for the librem by purism. Can't wait to have a phone with adblock. No more garbage web experience on my phone!

Re:

[Anonymous Coward]

You can already have this. Wipe your phone and install LineageOS ( https://www.lineageos.org/ [lineageos.org]) so that your device is free of all the nasty stock Google shit. Additional software can be found from F-Droid (https://f-droid.org/ [f-droid.org]). There's nowhere near as much as you'd get in the "normal" Google store, but that's one of the prices you pay for safety.

Combine Firefox Mobile (https://f-droid.org/en/packages/org.mozilla.fennec_fdroid/ [f-droid.org]) with either uBlock Origin (https://addons.mozilla.org/en-US/firefox/addon/ublock [mozilla.org]

Re:

[preflex]

1. The hardware specs aren't competitive with iPhone X and Pixel 2. They are already nearly obsolete and the phone isn't even out yet.

My Nexus 4 is still chugging along reasonably well running SailfishOS. The Librem 5 should be a good upgrade for me.

2. Lack of apps. Yes, they have their own store, but that means nothing.

Install plasma-mobile and apt-get install whatever you want from the ubuntu repos. I don't know much about PureOS, I presume it will have a decent package manager, just like any modern distro.

In 2018, HUGE amounts of business and social situations require downloading third-party smart phone apps, and that means using the iOS App Store or Google Play.

Then fuck 'em. If they're requiring me to install application to provide a service which could reasonably be done through a web page, then they're obviously up to no good, and I wouldn't want to do bus

the conversation we have with the...

[RhettLivingston]

internet in general is the most complex, detailed conversation in most internet users' lives today. It is definitely being "listened to" and contains far more information than most realize - not just information pertaining to conversations you had but also your thoughts and opinions if they invoked a question in your mind that caused you to make a query. Simple information like what if any reviews you looked at while purchasing a product can speak volumes about the way you think.

Without legislation to ban a

Re:

[AHuxley]

Governments like thats for their security services and police.
Buying every users voice patterns in bulk.
The math of every image with a face a user is looking at.
Every word gets OCR and every link collected on.
Voice and sound is just another data set to collect on and sell.
Only the user can ensure they don't have a webcam, a live mic, an OS and apps that collect.
User installed security software to block mic use is not going to last long as OS get more secure for their ads and mic collection.

Someone correct me if I'm wrong

[Michael Vastola]

but I thought you needed the "Apps that can appear on top" permission to record what a user is doing in other apps. Without it, the only thing that can be recorded is the developer's own app. This makes the privacy implications much smaller for most apps, since the developer will always have access to know what it is showing you (along with what you tap/type/press) as that is inherent in its ability to be interactive. That's not to say privacy couldn't be improved. In particular, "Apps that can appear on t

It's really telling that the quality of comments..

[Anonymous Coward]

at Gizmodo is so much higher than here. This comment included.

Weak methodolgy?

[Jamlad]

From what I read skimming through the paper they used software to analyze software.

I'd initially hoped they'd done it on the hardware level; monitoring the mic voltage and tapped the ADC channels.

I'm not surprised that shitty app devs are monetizing their users' data for a few extra cents. My particular concern is alphabet soup agencies and a creeping Staasi state doing it on some sort of fundamental level that bypasses permissions (and morality). Yes, I like my windows to have curtains, my mail to have

Others Disagree

[dcw3]

It's not a conspiracy theory when articles like this refute your study.
https://www.nytimes.com/2017/1... [nytimes.com]