What mobile apps do with our data remains hard to track. On Android, we are asked to grant permissions to apps, but those permissions are unavoidable: a photo editing app, for example, will obviously use your camera. Apple has a similar policy in place that asks users before apps access features. However, even these checkpoints are not enough to stop apps from snooping on user data and monetising it.
Recently, an app named Meitu was on the receiving end of criticism for its unethical data transfer. The app's software was full of analytics and ad packages that requested various permissions on Android and iOS. None of these permissions were related to the working code of the app. Later, the app told the media that it included specific geolocation and app-checking code to comply with advertising network requirements in China. These permissions targeted jailbroken devices, which are used to conduct online fraud and are hard to track. Also, many advertisers demanded limited visibility of their ads in certain locations, which is why the app needed geolocation. Still, the fact remains that the app had not disclosed this to its users, which is highly deceptive.
It is not just Meitu: most apps use extended permissions to track your device, and there are not many laws to protect against that kind of intrusion. In the US, the Federal Trade Commission can’t interfere in such matters unless the company violates information privacy laws or has misrepresented its work.
So what can users do to protect their privacy from apps? There are two apps, developed by academics, that offer you more control over your device. They provide a clear view of what apps are up to on your device. A report by Fast Company sheds light on the two options users have for tracking the data that apps use on their device.
ReCon App for tracking apps
One such app is ReCon, developed by a team led by Northwestern University’s Dave Choffnes. It is similar to a virtual private network (VPN) for personally identifiable data (PII in the field’s jargon). ReCon uses a VPN tunnel to check all the data transferred between your phone and the internet.
During its research, Choffnes's team discovered various deceptive practices by apps. One such app, GrubHub, was found to be unintentionally sending user passwords to Crashlytics, a Google-owned firm that lets developers report code failures. Choffnes informed GrubHub about the vulnerability, which led it to revise its code and also ask Crashlytics to delete all the data that was sent earlier.
Narseo Vallina-Rodriguez, a researcher at ICSI, says:
We have found applications and third-party services that are somehow using inside channels without user awareness. We’re seeing tons of things like some applications linking the MAC address of the Wi-Fi access point as a proxy for location
Choffnes and his team have also published an app report based on the early users of the ReCon app. The report lists the data used by each app, whether the developer knows about it, and whether the app's malfunction was fixed. ReCon has a web-based console, which allows users to block or revise the information. For example, users can block all the location data used by apps. The team is still working on offering custom control over blocking or altering the location data used by apps, as many apps cannot function without GPS data.
The team behind ReCon takes care of user privacy; the software does not ask for passwords or try to store the information entered by users. It lets users check whether a password is being sent without encryption. The group wants to use distributed machine learning without asking users for personal information. It has also published a report on apps that use
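The kind of check a traffic monitor in this position can make, as an added example that is not ReCon's or Lumen's own code: it swaps in simple matching of values the user already knows (where the article says ReCon's team wants machine learning) and reports whether each one went to a third party and whether it travelled unencrypted. All hostnames, flows and PII values are constructed for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote_plus

# Constructed values the user supplies about their own account and device.
KNOWN_PII = {
    "password": "hunter2-Example!",
    "wifi_ap_mac": "00:11:22:33:44:55",
    "location": "41.8781,-87.6298",
}
FIRST_PARTY = "food-app.example"  # hypothetical app's own domain

def encodings(value):
    """Forms in which an app might send a value: plain, stripped, base64, hashed."""
    raw = value.encode()
    return {
        value.lower(),
        value.replace(":", "").lower(),  # MAC address without separators
        base64.b64encode(raw).decode().lower(),
        hashlib.sha1(raw).hexdigest(),
        hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(flow, first_party=FIRST_PARTY):
    """Return (pii_type, party, channel) for every known value seen in one request."""
    raw = flow["url"] + "\n" + flow["body"]
    haystack = (raw + "\n" + unquote_plus(raw)).lower()  # raw and URL-decoded
    host = flow["host"].lower()
    own = host == first_party or host.endswith("." + first_party)
    party = "first-party" if own else "third-party"
    channel = "cleartext" if flow["scheme"] == "http" else "encrypted"
    return [(kind, party, channel)
            for kind, value in KNOWN_PII.items()
            if any(enc in haystack for enc in encodings(value))]

# Constructed flows, as a VPN-based monitor might record them after decoding.
FLOWS = [
    {"scheme": "https", "host": "api.food-app.example", "url": "/login",
     "body": "user=a%40b.example&password=hunter2-Example%21"},
    {"scheme": "https", "host": "crash-reporter.example", "url": "/v1/report",
     "body": '{"log": "login failed, pw=hunter2-Example!"}'},
    {"scheme": "http", "host": "ads.tracker.example",
     "url": "/pixel?bssid=001122334455&ll=41.8781%2C-87.6298", "body": ""},
    {"scheme": "https", "host": "cdn.food-app.example", "url": "/menu.json", "body": ""},
]

if __name__ == "__main__":
    for flow in FLOWS:
        for finding in find_leaks(flow):
            print(flow["host"], *finding)
```

The second flow models a password ending up in a crash report sent to a third party; the third models an access point's MAC address and coordinates sent in cleartext.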
The Haystack Project: Lumen Privacy Monitor for Android
Similar to ReCon, there is another app: the Haystack Project's Lumen Privacy Monitor. It was created in collaboration with the International Computer Science Institute (ICSI), the University of California, Berkeley, and other institutions. It is an Android app that seizes data at the source. Just like ReCon, Haystack’s Lumen Privacy Monitor app works as a VPN, but it blocks data transfer internally instead of sending it to servers for analysis. Because the app is under user control, users can give it permission to block HTTPS connections and study data transfer between apps and servers. It examines what Android apps do with your data. Currently, it is only available for Android users.
Both ReCon and Haystack Lumen are seeking funding to develop the projects and make them available to all users. These apps are still at the development stage, which means that they may not work as smoothly as other apps. You can give them a try and learn about the data used by other apps on your phone.