Slashdot Mirror


Researchers Detect Android Apps That Connect to User Tracking and Ad Sites

An anonymous reader writes: A group of European researchers has developed software that tracks the URLs to which cellphone apps connect. After downloading 2,000+ free apps from Google Play, they indexed all the sites those apps connected to, and compared them to a list of known advertising and user tracking sites. "In total, the apps connect to a mind-boggling 250,000 different URLs across almost 2,000 top level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific. Vigneri and co give as an example "Music Volume Eq," an app designed to control volume, a task that does not require a connection to any external URLs. And yet the app makes many connections. 'We find the app Music Volume EQ connects to almost 2,000 distinct URLs,' they say. [Another major offender] is an app called Eurosport Player which connects to 810 different user tracking sites." The researchers plan to publish their software for users to try out on Google Play soon.
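
The comparison the summary describes (index the URLs each app contacts, then check them against a list of known ad and tracking sites), as an added example that is not the researchers' software. The blocklist, app names and URLs are constructed, and treating subdomains of a listed host as matches is an assumption of this sketch.

```python
from urllib.parse import urlsplit

# Constructed blocklist in hosts-file format (reserved .test names, not a real list).
HOSTS_BLOCKLIST = """\
# ad and tracking hosts (constructed sample)
0.0.0.0 ads.example-adnet.test
0.0.0.0 track.example-metrics.test   # inline comment
127.0.0.1 localhost
0.0.0.0 example-beacon.test
"""

# Constructed capture: (app name, URL the app was observed requesting).
OBSERVED = [
    ("volume.app", "http://ads.example-adnet.test/banner?id=1"),
    ("volume.app", "https://ADS.example-adnet.test:443/banner?id=2"),
    ("volume.app", "https://cdn.track.example-metrics.test/pixel.gif"),
    ("volume.app", "https://api.example-music.test/v1/presets"),
    ("sports.app", "https://example-beacon.test/collect"),
    ("sports.app", "https://notexample-beacon.test/collect"),
]

def parse_hosts(text):
    """Return the set of blocked hostnames from hosts-file text."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        for name in fields[1:]:                  # fields[0] is the sink IP address
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked

def is_blocked(host, blocked):
    """Match the host or any parent domain, on label boundaries only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))

def classify(observed, blocked):
    """Per app: distinct URLs seen and distinct hosts that hit the blocklist."""
    report = {}
    for app, url in observed:
        host = urlsplit(url).hostname            # lower-cased, port stripped
        if host is None:
            continue
        entry = report.setdefault(app, {"urls": set(), "tracker_hosts": set()})
        entry["urls"].add(url)
        if is_blocked(host, blocked):
            entry["tracker_hosts"].add(host)
    return report
```

Matching on label boundaries keeps `notexample-beacon.test` from being counted as a hit for `example-beacon.test`, which a plain substring or suffix test would get wrong.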

18 of 74 comments

  1. Nothing new by jbernardo · · Score: 5, Insightful

    We should know by now what the costs of "free" are. That is why I use a hosts file for ad and tracking block.

    I only wonder why they only tested Android apps, and left out iOS apps. Without this comparison, the first paragraphs of the article, blaming the tracking and ads on the openness of Android, are little more than wistful thinking.

  2. Have you looked at website internals lately? by Anonymous Coward · · Score: 5, Insightful

    Dozens of external domains are not unusual anymore. Many web sites are unusable and unreadable without at least access to one CDN domain. Many also rely on script libraries on third party hosts. It's fucked up.

    1. Re:Have you looked at website internals lately? by TWX · · Score: 4, Insightful

      I just don't get the third-party script libraries thing. Seems like an AWFUL idea for anything beyond a read-only bulletin board for a club or group to post their agenda and interests on such that it's not directly affiliated with Facebook or another 'social networking' site.

      If you're running a business using a site, or are using forums or other interactive, feedback-driven system, trusting your libraries and passing data to third parties seems like a terrible idea. Bad enough for your own server to be penetrated and your libraries or scripts messed with, but much worse now that those with malicious intent have one-stop shopping to screw over loads of users and sites.

      --
      Do not look into laser with remaining eye.
  3. Stop being evil Google! by DougPaulson · · Score: 4, Funny

    This would never happen if they choose the Microsoft industry standard Windows Store :)

  4. This is why we need free-as-in-freedom apps by ciaran2014 · · Score: 3, Interesting

    This argument is very easy to understand, so it's a great starting point.

    The first targets for a campaign for free software apps should be educational institutions and public services.

    GNU.org has a good list of proprietary software packages with spyware:

    https://www.gnu.org/philosophy...

    --
    Help build the anti-software-patent wiki
  5. Still no granular app permissions in Play Store by Anonymous Coward · · Score: 4, Informative

    What, you thought that every app asking for access to your contacts, wifi status and network access was doing it because it was helpful?

    1. Re:Still no granular app permissions in Play Store by TWX · · Score: 2

      It took far longer than it should have to find a flashlight app to just toggle the flash on and off that didn't require access to more than the camera. For those that care the app I use is called "LED Light".

      --
      Do not look into laser with remaining eye.
    2. Re:Still no granular app permissions in Play Store by viperidaenz · · Score: 2

      There's an app for that?
      I use the built-in functionality of Android. It's right there in the Lollipop notification thing.

  6. No. by Anonymous Coward · · Score: 4, Informative

    The user can see what permissions the app requires, and choose whether or not to install the app.

    You need a special app with root permissions to set up your own blocks (which, of course, might break the app you are firewalling).

  7. Re:TANSTAAFL by WaffleMonster · · Score: 4, Interesting

    As Heinlein famously put it in his The Moon is a Harsh Mistress (and he was just echoing the sentiment), There Ain't No Such Thing As A Free Lunch -- or in this case, a free app.

    If they're not charging you, then you (or your time, your attention, or your information) are the product they're charging somebody else for. Or as Heinlein would have put it, even at a charitable soup kitchen you're going to have to listen to a sermon.

    I don't think cost explains or excuses this phenomenon. There is always a motive for doing anything but traditionally much of it was side projects, hobbies, getting famous, filling resumes, PR and making money off pay version upgrades... the primary goal was never making money by fucking people over until the rise of the app store.

    There must be countless hundreds of unique pieces of "free" software I use all the time on my desktop.. none of it is engaged in this bullshit.

    The culprit in my view are perverted market pressures brought about by existence of app stores.

    There is no useful quality filter.. You don't go to Walmart and walk out with a "free" or $3 PS4 title. When everything is free people who want to publish real software get fucked over by everyone expecting free or $1.50 while their product appears as just another piece of flotsam in a vast ocean of mostly useless crap.

    Couple this with undeserved global exposure all apps automatically get regardless of whether they deserve it or not and feedback loops that make profiting from advertising and spying networks easy for app vendors and you get the current cesspool of mediocrity and hostility.

  8. Re:The review, it does something... as does sandbo by AuMatar · · Score: 5, Informative

    1) Not necessarily. Something as simple as not enabling that code for a month after release would get it by reviews. They aren't reviewing source code, they're reviewing behaviors. Just like you don't speed when there's a cop right behind you, you wouldn't connect when you're being watched.

    2) They ask for a lot of permissions because the permissions aren't fine grained enough, and because polish requires it. For example I had an app that did sound effects when you tapped a key. The OEM requested that we turn off sounds when the user is in a call so they wouldn't play on the other end. This reasonable request required a new permission (CALL_STATE IIRC), which actually gave us much more info than we wanted (we got to find out when calls started, ended, and the connection number which we didn't need). But if you just looked at our permissions your reaction would be "why do you need to know who I'm calling"? We didn't; there was just no way to request less info, we didn't even look at the number.

    One of the big problems was that Google redesigned the play store to be less scary and show fewer permissions. One of those was that any app could request internet permission without it showing up. That was just wrong.

    What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  9. Re:Free as in ads for beer by Aighearach · · Score: 3, Informative

    And often even on F-Droid.

    A lot of F-Droid apps ask for extra permissions. Instead of just trusting them, I download the source, reduce the permissions, and then run the app. If it is trying to use those extra permissions I took out, then it will crash when it tries. Almost all the apps (on F-Droid) that claim not to actually use those permissions unless some feature is turned on will actually crash without them. Then I go in and comment out the sections of code that cause the app to crash. That way I don't need to audit their source, just debug the crashes.

    It is a total PITA but it is the only way to get the tracking code out; even on "free" software.

  10. Re: Why? by viperidaenz · · Score: 2

    The people who devote their time and skills, free of charge, to port CyanogenMod to specific hardware.

  11. Re:The review, it does something... as does sandbo by SuperKendall · · Score: 2

    1) The app has to declare if it's going to be doing background processing, and you have to give a reason why they will accept. So not just any app can do that.

    What we really need is the ability to turn on and off specific permissions by app. Perhaps with the ability to limit internet permission to certain IPs/URLs per app. That would solve most of the problem.

    I thought Google added that ability in an early 4.0 or 5.0 version of Android, but then backed it out... Sadly I think because too many apps react badly when permissions are withdrawn it expects to run. The whole model creates a bad precedent I think where you assume you'll have all the app permissions you requested and so if any are withdrawn individually (which advanced users can do) the app is prone to break even though it could carry on just fine if it had been coded to detect that one permission was disabled. Google is going to have to bite that bullet at some point.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  12. Re:Hosts file by pkinetics · · Score: 2

    assuming you can obtain a list of all the sites that are being called

  13. Re:Why? by ComputersKai · · Score: 2

    AppOps allowed you to control some permissions, but it got removed/disabled in later Android versions. XPrivacy, which also allows some finer permission control, still functions well, and it has the ability to pass fake data to applications that request it. If you have CM it will probably have the PrivacyGuard tool built in, which also can restrict app access to data, like contacts and other personal stuff.

  14. AdAway by hack++slash · · Score: 2

    Since installing AdAway on my Android devices it has eliminated most of the banner adverts in apps. I wonder how the researchers' results would stack up after installing AdAway.

    --
    To do something right, you often have to roll up your sleeves and get busy.
  15. Re:Free as in ads for beer by mrchaotica · · Score: 2

    Do you report the results to F-Droid, and/or upload your "clean" version of the program? It'd be nice if you did, and I get the impression that the F-Droid repository maintainers care about stuff like that (so they'd welcome your contribution).

    --

    "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz