Slashdot Mirror


Researchers Detect Android Apps That Connect to User Tracking and Ad Sites

An anonymous reader writes: A group of European researchers has developed software that tracks the URLs to which cellphone apps connect. After downloading 2,000+ free apps from Google Play, they indexed all the sites those apps connected to, and compared them to a list of known advertising and user tracking sites. "In total, the apps connect to a mind-boggling 250,000 different URLs across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific. Vigneri and co give as an example "Music Volume Eq," an app designed to control volume, a task that does not require a connection to any external urls. And yet the app makes many connections. 'We find the app Music Volume EQ connects to almost 2,000 distinct URLs,' they say. [Another major offender] is an app called Eurosport Player which connects to 810 different user tracking sites." The researchers plan to publish their software for users to try out on Google Play soon.
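The comparison the summary describes, matching each app's observed connections against lists of known ad and tracking sites, can be sketched as follows. This is an added example, not the researchers' software; the domain lists, package names and capture are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed category lists (placeholders, not a real blocklist).
AD_DOMAINS = {"ads.example", "adnet.test"}
TRACKER_DOMAINS = {"metrics.example", "track.test"}

# Constructed capture: (app package, URL requested), e.g. from a proxy log.
CAPTURE = [
    ("com.example.volume", "http://cdn.ads.example/banner?id=1"),
    ("com.example.volume", "http://cdn.ads.example/banner?id=2"),
    ("com.example.volume", "https://eu.track.test/v1/event"),
    ("com.example.volume", "https://US.Track.Test:443/v1/event"),
    ("com.example.volume", "https://nottrack.test/home"),
    ("com.example.notes", "https://api.notes.example/sync"),
    ("com.example.notes", "https://metrics.example/collect"),
]

def category(host, ads=AD_DOMAINS, trackers=TRACKER_DOMAINS):
    """Classify a hostname by walking up its parent domains label by label."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in trackers:
            return "tracker"
        if candidate in ads:
            return "ad"
    return "other"  # a plain substring test would wrongly flag nottrack.test

def summarize(capture):
    """Per app: distinct URLs, and distinct ad / tracker hosts contacted."""
    report = defaultdict(lambda: {"urls": set(), "ad": set(), "tracker": set()})
    for app, url in capture:
        host = urlsplit(url).hostname  # lowercased, port stripped
        if not host:
            continue  # skip malformed entries
        entry = report[app]
        entry["urls"].add(url)
        kind = category(host)
        if kind != "other":
            entry[kind].add(host)
    return {app: {k: len(v) for k, v in e.items()} for app, e in report.items()}

if __name__ == "__main__":
    ranked = sorted(summarize(CAPTURE).items(), key=lambda kv: -kv[1]["urls"])
    for app, counts in ranked:
        print(app, counts)
```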

4 of 74 comments

  1. Still no granular app permissions in Play Store by Anonymous Coward · Score: 4, Informative

    What, you thought that every app asking for access to your contacts, wifi status and network access was doing it because it was helpful?

  2. No. by Anonymous Coward · Score: 4, Informative

    The user can see what permissions the app requires, and choose whether or not to install the app.

    You need a special app with root permissions to set up your own blocks (which, of course, might break the app you are firewalling).

  3. Re:The review, it does something... as does sandbo by AuMatar · Score: 5, Informative

    1) Not necessarily. Something as simple as not enabling that code for a month after release would get it by reviews. They aren't reviewing source code, they're reviewing behaviors. Just like you don't speed when there's a cop right behind you, you wouldn't connect when you're being watched.

    2) They ask for a lot of permissions because the permissions aren't fine grained enough, and because polish requires it. For example I had an app that did sound effects when you tapped a key. The OEM requested that we turn off sounds when the user is in a call so they wouldn't play on the other end. This reasonable request required a new permission (CALL_STATE IIRC), which actually gave us much more info than we wanted (we got to find out when calls started, ended, and the connection number which we didn't need). But if you just looked at our permissions your reaction would be "why do you need to know who I'm calling"? We didn't; there was just no way to request less info, we didn't even look at the number.

    One of the big problems was that Google redesigned the play store to be less scary and show fewer permissions. One of those was that any app could request internet permission without it showing up. That was just wrong.

    What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  4. Re:Free as in ads for beer by Aighearach · Score: 3, Informative

    And often even on F-Droid.

    A lot of F-Droid apps ask for extra permissions. Instead of just trusting them, I download the source, reduce the permissions, and then run the app. If it is trying to use those extra permissions I took out, then it will crash when it tries. Almost all the apps (on f-droid) that claim not to actually use those permissions unless some feature is turned on will actually crash without them. Then I go in and comment out the sections of code that cause the app to crash. That way I don't need to audit their source, just debug the crashes.

    It is a total PITA but it is the only way to get the tracking code out; even on "free" software.