Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 200 Android Apps Are Currently Using Ultrasonic Beacons To Track Users (bleepingcomputer.com)

Posted by msmash on from the privacy-woes dept.

Catalin Cimpanu, writing for BleepingComputer: A team of researchers from the Brunswick Technical University in Germany has discovered an alarming number of Android apps (234, to be exact) that employ ultrasonic tracking beacons to track users and their nearby environment. Their research paper focused on the technology of ultrasound cross-device tracking (uXDT) that became very popular in the last three years. uXDT is the practice of advertisers hiding ultrasounds in their ads. When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y" and links their two previous advertising profiles together, creating a broader picture of the user's interests, device portfolio, home, and even family members.

7 of 192 comments (clear)

  1. Which Apps??? by Rob+Riggs · · Score: 5, Insightful

    Completely useless, alarmist, unactionable article. Name names, dammit.

    --
    the growth in cynicism and rebellion has not been without cause
  2. It's more sinister than that by Baron_Yam · · Score: 5, Interesting

    >When the ad plays on a TV or radio, or some ad code runs on a mobile or computer, it emits ultrasounds that are picked up by the microphone of nearby laptops, desktops, tablets or smartphones. SDKs embedded in apps installed on those devices relay the beacon back to the online advertiser, who then knows that the user of TV "x" is also the owner of smartphone "Y"

    Imagine you're on your phone and browsing the web. You load one of those ads, and your phone now broadcasts your advertiser-assigned unique ID via ultrasound. OK. Who says it has to be another device YOU own that picks it up?

    How difficult would it be to drop listening devices in high traffic areas that listen for those tones, sending location information back to whoever? And that's just to augment other devices that might be infected with a listen-and-report app.

    This isn't an advertising tool, it's a ubiquitous surveillance tool for three-letter-agencies that advertisers have discovered. That is, of course, assuming it actually works outside a lab and isn't just an untested fantasy the ad types latched onto.

    Anyway, IF phones can both transmit and detect ultrasonic tones (which I question), it's only a matter of time until someone produces a 'secure' phone that has physical filters in line with the speaker and mic wires to filter out anything outside the range of human hearing.

    1. Re:It's more sinister than that by Anonymous Coward · · Score: 5, Funny

      "Hey there, Jim. Looks like you're in the market for a new TV. This Samsung 65" 4K model would look perfect from any point in your 10' by 20' living room. If you're not sure, just go ask Bob next door. He bought one last week and the whole family has been enjoying its crystal clear display. You can even control it from your iPhone 6 Plus, but the experience is much better with a new Samsung phone. Have you considered upgrading that? Don't worry, your MacBook Air will still connect to any new Samsung phone or television. What do you say Jimbo? Oh, you're more interested in the 50" models? You wouldn't be getting quite the same experience, but... Oh no, Jimmy, you don't want one of those Vizios, just slide on back to the Samsungs. Jimboree? Jim-jam? James? Come back here before I tell your wife where you were last Thursday night."

  3. Rearch paper for this. by mystik · · Score: 5, Informative

    Cited research paper:

    http://christian.wressnegger.i...

    Found via the reddit thread on the same topic, It names a few of the apps, primarily using the SilverPush library.

    --
    Why aren't you encrypting your e-mail?
  4. Re:Oy, how to block this? by Baron_Yam · · Score: 5, Interesting

    1a) Hardware switches need to come back into fashion. CUT THE WIRES. Since physical switches have an irritating habit of failing, they need to be easily replaceable, so they need to plug in and touch contact points, not be soldered in.

    1b) These switches should exist for power and every corruptible/interceptable I/O path. If a light sensor senses, an LED blinks, a mic listens, or tone is generated, there should be a physical, circuit-interrupting switch to kill the related hardware. If there isn't, your device isn't as secure as it could be.

    2) The OS should fake permissions for apps, since so many refuse to run without access they don't actually require. Instead of 'yes/no' when access is requested, we need the options 'yes', 'no', and 'fake it'. Anybody who demands location, camera, mic, contact, and file access to run their app that needs none of that should not be respected enough that you have to go with 'just do not install'. They're immoral, you be immoral right back.

  5. Re:Oy, how to block this? by ctilsie242 · · Score: 5, Informative

    XPrivacy used to do exactly this on Android. An app wanting a GPS location? Here is one. Contact info? Here is a randomly generated list. Ad IDS? Pick a 128 bit number.

  6. Re:Oy, how to block this? by Rakarra · · Score: 5, Funny

    1a) Hardware switches need to come back into fashion. CUT THE WIRES. Since physical switches have an irritating habit of failing, they need to be easily replaceable, so they need to plug in and touch contact points, not be soldered in.

    But then you would have to increase the thickness of the phone by 0.5mm, and that would be a FUCKING DISASTER.