
Study: Mobile apps can snatch your data before asking for permission

Researchers at Oxford University have analyzed a large number of applications developed for Android and iPhone mobile phones. Many studies have examined what the mobile operating systems (Android or Apple iOS) do with user data, but apps are another thing completely. Apps can be developed by practically anyone, and they have access to data. The results of the study were extremely depressing from a privacy point of view.

The Oxford University study discovered many techniques that apps can exploit to collect user data. Snatching user data with and without the user's permission is so commonplace that everyone who downloads free apps on their phones can safely assume that their personal data will be transmitted to big tech and ad tech companies' databases.

  • 87.3% of free Android apps that were analyzed had the capability to transmit user data to Google.
  • 69.6% of free Apple iPhone apps had the functionality to send user data to Apple.
  • In addition to sending data to Google and Apple, the majority of free applications have data collection features that forward data to Facebook and ad tech companies.

The original argument that drove the Oxford researchers to study phone apps was the common belief that the iPhone is safer and more secure than other phones. It is not true, the study concluded. In any case, the results indicate how brutally phone owners’ privacy is neglected.

The total number of apps that researchers tested was 24,000. 12,000 free Android apps and the same number of free iPhone apps were selected for the study. Three test programs were created to analyze mobile apps:

  • A program searched the executable program for requests to access, for instance, location or contacts, and it also searched for modules that were known to collect user data.
  • Another program analyzed network traffic generated by an app running on a phone. It detected the actual data the app took out of a phone, and where the data was sent.
  • The third method was to discover the businesses that had created the apps, their home bases, and their dependencies on ad tech companies.
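The first kind of check, sketched as an added example (not the researchers' tooling): it reads an already decoded Android manifest for sensitive permission requests and matches an app's class names against known data-collecting SDK packages. The sample manifest, the class list and the short SDK prefix list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions guarding the data types the article names.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CALENDAR": "calendar",
}

# Illustrative SDK package prefixes (assumption: a short sample list, not the
# signature set used in the study).
TRACKER_PREFIXES = {
    "com.google.firebase.analytics": "Google",
    "com.google.android.gms.ads": "Google",
    "com.facebook.appevents": "Facebook",
}

def requested_permissions(manifest_xml):
    """Return the sensitive data types an app's manifest asks to access."""
    root = ET.fromstring(manifest_xml)
    names = [e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")]
    return sorted(SENSITIVE[n] for n in names if n in SENSITIVE)

def embedded_trackers(class_names):
    """Map company -> SDK prefixes found among the app's class names."""
    found = {}
    for cls in class_names:
        for prefix, company in TRACKER_PREFIXES.items():
            # Match on a package boundary so look-alike names do not count.
            if cls == prefix or cls.startswith(prefix + "."):
                found.setdefault(company, set()).add(prefix)
    return {c: sorted(p) for c, p in found.items()}

# Constructed sample: a hypothetical note-taking app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.notes.MainActivity",
    "com.facebook.appevents.AppEventsLogger",
    "com.google.firebase.analytics.FirebaseAnalytics",
]

if __name__ == "__main__":
    print("sensitive permissions:", requested_permissions(SAMPLE_MANIFEST))
    print("tracker SDKs:", embedded_trackers(SAMPLE_CLASSES))
```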

Oxford University researchers concluded that they possibly had discovered extensive violations of EU, UK, and U.S. laws. The main problem areas are:

  1. User data is collected without permission.
  2. Apps targeted at children are collecting data without parents’ consent.
  3. Data collection modules embedded in applications were configured to take as much data as possible.
  4. Personal data was sent to countries without regulation that protects consumers.
  5. Apps are lacking transparency: they tend to do what they want without telling phone owners what is going on.

One of the conclusions was that the security of an Android phone is not better than that of an iPhone, and vice versa. The study focused on applications and their behavior, not on operating systems.

Oxford University study: common access requests by apps.

When an app tries to access, for instance, the GPS location or the microphone on a phone, permission is required from the user. The two most common permission requests are camera and GPS, and after that microphone and calendar. Right here the owner of the phone should stop for a moment and think: why does this app need access to, for instance, my GPS location? It is just a simple note-taking app, after all.

An unfortunate but common technique to neglect the user's opinion (and possibly break the law in some countries) is to send user data instantly when the app is launched, and ask for the user's permission after that.

  • 81.44% of Android apps sent user data without waiting for user response.
  • 68.46% of iPhone apps transferred personal data before asking the user if it was allowed.
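How such a pre-consent measurement can be made from captured traffic, as an added example (not the study's code): each app's connections are compared with the moment the user answered the consent prompt, and any contact with a tracker host before that moment is flagged. The tracker host list, app names and captures are constructed assumptions.

```python
# Illustrative tracker endpoints mapped to parent company (assumption: a
# sample list, not the one used in the study).
TRACKER_DOMAINS = {
    "app-measurement.com": "Google",
    "doubleclick.net": "Google",
    "graph.facebook.com": "Facebook",
}

def tracker_owner(host):
    """Return the owning company if host is a tracker domain or a subdomain."""
    host = host.lower().rstrip(".")
    for domain, company in TRACKER_DOMAINS.items():
        # Dot-boundary suffix match: "x.doubleclick.net" matches,
        # "graph.facebook.com.example.net" does not.
        if host == domain or host.endswith("." + domain):
            return company
    return None

def pre_consent_contacts(flows, consent_at):
    """flows: (seconds_since_launch, host) pairs. consent_at: when the user
    answered the consent prompt, or None if they never did, in which case
    every tracker contact counts as pre-consent."""
    hits = []
    for ts, host in sorted(flows):
        company = tracker_owner(host)
        if company and (consent_at is None or ts < consent_at):
            hits.append((ts, host, company))
    return hits

def share_sending_before_consent(captures):
    """captures: {app: (flows, consent_at)} -> (flagged apps, percentage)."""
    flagged = [a for a, (f, c) in captures.items() if pre_consent_contacts(f, c)]
    return sorted(flagged), 100.0 * len(flagged) / len(captures)

# Constructed captures for three hypothetical apps.
CAPTURES = {
    "com.example.notes": ([(0.4, "graph.facebook.com"), (0.9, "api.example.com"),
                           (6.2, "app-measurement.com")], 5.0),
    "com.example.weather": ([(0.3, "api.example.org"),
                             (7.5, "stats.g.doubleclick.net")], 4.0),
    "com.example.game": ([(1.1, "graph.facebook.com.example.net"),
                          (2.0, "GoogleAds.g.doubleclick.net")], None),
}

if __name__ == "__main__":
    apps, pct = share_sending_before_consent(CAPTURES)
    print(f"{pct:.2f}% of apps contacted a tracker before consent: {apps}")
```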

Where do apps transfer the user data they have managed to collect? 93.3% of data-collecting Android apps connected with a server in the U.S. 83.5% of iPhone data collectors transferred data to the U.S. China was the second most popular destination for data: 9.5% of data-collecting iPhone apps and 4.8% of Android apps connected to China.

The greediest data collecting corporations are Alphabet (Google), Apple and Facebook.

Oxford University study: companies that frequently collect user data from phone apps (at the center of the diagram), and on the right countries where companies are based.

The study featured applications that were published or updated during 2018-2020.

What can a phone owner do to prevent collection of personal data?

There are many things phone owners can do to protect their data. Some of them are easy to do, others require considerable effort or tech expertise. Here are a few, listed from easy to advanced.

  1. When you are searching for a new app in the App Store or Play Store, don't download it before you have checked the access permissions it requires. If the access permissions don't have anything to do with the functionality of the app, find another one.
  2. Whenever you can, use a browser instead of an app. Cloud and social media services often want you to download the app (to collect your data), but in many cases the service is accessible in a browser. Adjust your browser settings for privacy. Even better protection can be achieved with browser isolation.
  3. After the risks of free apps have been minimized, the next step is to consider the operating system. Google created Android, and sucks data from phones all day and all night. Apple does the same for iPhones. An increasingly popular option is to switch to a special version of Android that has been stripped of Google software. For instance, eOS, LineageOS, and GrapheneOS are operating systems of that kind. They can run the same Android apps as other phones.
