Tuesday, 12 May 2015

Smartphone Apps Secretly Connecting to User Tracking and Ad Sites

So, you unbox your brand new phone.  You use it for a few weeks, you love it, the battery life is great and it runs smooth as silk.  Over the course of a few months you get a bit bored and you look for free apps, because everyone likes free stuff.  You pick and mix, get some cool games, some productivity apps for work and  you get helpful apps for your music collection.  Stuff is free and life is good.

Six months later you find your battery life is halved and the smokin' speed you saw at first now shows some lag, the OS gets a bit flaky and you feel that your latest and greatest device is no longer up to date. You start to look at the latest models on release and look forward to an upgrade.

One thing that may be causing severe degradation of your smartphone's performance is those wonderful free apps you are using.  Security researcher Luigi Vigneri and colleagues at Eurecom have developed an automated system for detecting Android apps that secretly connect to ad and user-tracking sites.

Vigneri began by downloading over 2,000 free apps from all 25 categories on the Google Play store. He then launched each app on a Samsung Galaxy SIII running Android 4.1.2 that was set up to channel all of its traffic through the team's server, which recorded every URL each app attempted to contact.  The team then compared those URLs against EasyList, a list of ad-related sites, and EasyPrivacy, a list of user-tracking sites, both of which are maintained for the open source Adblock Plus project.  Finally, they tallied the number of matches on each list for every app.
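The checking pipeline described above, as an added example that is not code from this post or from Vigneri's own system: a capture of the URLs each app requested is matched against EasyList-style rules (ad sites) and EasyPrivacy-style rules (tracking sites), and the hits are counted per app.  The proxy log format ("package URL" per line), the app package names and the filter rules are all constructed for the example; the rules use EasyList's ||domain^ syntax but are not the real lists, which also carry element-hiding, regular-expression, path and exception rules that this simplified matcher skips.

```python
"""Match the URLs an app contacts against Adblock-style filter lists.

Added illustration (not code from the post or from Vigneri's system) of
the methodology described above: per-app URL captures are checked against
EasyList-style rules (ad sites) and EasyPrivacy-style rules (tracking
sites), and the hits are tallied per app.  Only the ``||domain^`` rule form
is handled; the real lists also carry element-hiding, regex, path and
exception rules that this simplified matcher skips.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed rules in EasyList syntax (not the real EasyList/EasyPrivacy).
EASYLIST_SAMPLE = """\
[Adblock Plus 2.0]
! Title: constructed ad-domain sample
||ads.example^
||adserver.example^$third-party
||banners.example^
@@||ads.example/allowed^
"""

EASYPRIVACY_SAMPLE = """\
[Adblock Plus 2.0]
! Title: constructed tracking-domain sample
||tracker.example^
||analytics.example^
"""

# Constructed proxy log, one "<app package> <URL>" per line.
PROXY_LOG = """\
com.example.volumeeq http://ads.example/show?slot=1
com.example.volumeeq https://cdn.adserver.example/v2/bid
com.example.volumeeq https://tracker.example/pixel.gif
com.example.volumeeq https://tracker.example/pixel.gif?uid=42
com.example.volumeeq https://www.analytics.example/collect
com.example.notes https://api.notes.example/sync
com.example.notes https://banners.example/creative/1.png
"""


def parse_domain_rules(filter_text):
    """Return the set of domains named by ``||domain^`` rules in a filter list.

    Option suffixes such as ``$third-party`` are dropped.  Comments (``!``),
    the header line, exception rules (``@@``), element-hiding rules (``##``)
    and rules that carry a path are ignored.
    """
    domains = set()
    for line in filter_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("!", "[", "@@")) or "##" in line:
            continue
        if not line.startswith("||"):
            continue
        body = line[2:].split("$", 1)[0]     # strip rule options
        if not body.endswith("^") or "/" in body:
            continue                          # path rules need a fuller matcher
        domains.add(body[:-1].lower())
    return domains


def host_matches(host, domains):
    """True if ``host`` is a listed domain or a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    # Try every suffix: cdn.adserver.example -> cdn.adserver.example,
    # adserver.example, example
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def classify_log(log_text, ad_domains, tracking_domains):
    """Tally distinct URLs, ad hits and tracking hits per app."""
    urls_by_app = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            app, url = line.split(None, 1)
            urls_by_app[app].add(url.strip())
    report = {}
    for app, urls in urls_by_app.items():
        hosts = [urlsplit(u).hostname or "" for u in urls]
        report[app] = {
            "urls": len(urls),
            "ad": sum(host_matches(h, ad_domains) for h in hosts),
            "tracking": sum(host_matches(h, tracking_domains) for h in hosts),
        }
    return report


def run_sample():
    """Run the constructed log against the constructed lists."""
    return classify_log(
        PROXY_LOG,
        parse_domain_rules(EASYLIST_SAMPLE),
        parse_domain_rules(EASYPRIVACY_SAMPLE),
    )


if __name__ == "__main__":
    for app, counts in sorted(run_sample().items()):
        print(f"{app}: {counts['urls']} distinct URLs, "
              f"{counts['ad']} ad, {counts['tracking']} tracking")
```

Distinct URLs are counted rather than requests, which is the unit the figures quoted in this post use; note that the same tracking pixel fetched with different query strings counts as separate URLs, which is one way a single tracker can account for many of an app's URLs.  Matching is on the hostname only, so the suffix walk in host_matches is what lets a rule for adserver.example catch cdn.adserver.example.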

The results were interesting. In total, the apps connected to a staggering 250,000 different URLs across almost 2,000 top-level domains. And while most apps attempted to connect to just a handful of ad and tracking sites, some were far more prolific.

Vigneri gives as an example "Music Volume EQ," an app designed to control volume, a task that does not require a connection to any external URLs. And yet Vigneri says "We find the app Music Volume EQ connects to almost 2,000 distinct URLs."  Many of the apps connect to ad-related and tracking sites, while some connect to far more dubious sites that are associated with malware.

But here's the problem, as I see it. All this frantic activity takes place without the user being aware of it, and it eats resources: bandwidth and battery. That's something most smartphone users would be highly annoyed to discover if they knew what was going on behind their backs, so to speak.

The Music Volume EQ app is not alone in its excesses. The team says about 10 percent of the apps they tested connect to more than 500 different URLs, and 9 of the 10 most frequently contacted ad-related domains are run by Google.

The user-tracking sites that apps connect to are less pervasive: more than 70 percent of apps did not connect to any user-tracking sites at all. Those that do can be extravagant; some connect to more than 800 user-tracking sites. What's more, many of these apps are created by organisations that Google has designated with "top developer status." The worst offender is an app called Eurosport Player, which connects to 810 different user-tracking sites.

Vigneri and his colleagues at Eurecom in France have turned this method into a tool: an automated way to check the apps in Google Play and monitor the sites they connect to. Their results reveal the extraordinary scale of secret connections that many apps make without their owners being any the wiser.

They call their new app NoSuchApp, or NSA for short, in honour of a similarly named monitoring agency.  The team plans to make the app publicly available on Google Play in the near future.

So, if you find your phone lagging and eating your battery for lunch, try resetting it to factory default and see if the shine comes back.  Be selective about what you reinstall afterwards, though: the drag comes from the apps, not the phone, and putting the same apps back will bring it with them.

And remember, the developers who give you free stuff need to make a living; somebody is paying them, either for your tracking data or for the ads served over those invisible URL connections.

Most importantly, you end up paying the most, with the loss of your privacy and of your smartphone's battery life.