Study Finds That a Large Number of Popular Android Apps Secretly Cast the Screen To Third Parties, But They Don't Listen To Conversations (gizmodo.com)
Kashmir Hill, reporting for Gizmodo: It's the smartphone conspiracy theory that just won't go away: Many, many people are convinced that their phones are listening to their conversations to target them with ads. [...] Some computer science academics at Northeastern University had heard enough people talking about this technological myth that they decided to do a rigorous study to tackle it. For the last year, Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes ran an experiment involving more than 17,000 of the most popular apps on Android to find out whether any of them were secretly using the phone's mic to capture audio. The apps included those belonging to Facebook, as well as over 8,000 apps that send information to Facebook. Sorry, conspiracy theorists: They found no evidence of an app unexpectedly activating the microphone or sending audio out when not prompted to do so. Like good scientists, they refuse to say that their study definitively proves that your phone isn't secretly listening to you, but they didn't find a single instance of it happening. Instead, they discovered a different disturbing practice: apps recording a phone's screen and sending that information out to third parties.
Good news residents, thieves aren't coming to plunder your document safes. Instead, they're only going to rummage through your jewelry boxes.
May as well have led with a bit on no conclusive evidence that the apps were trying to give you cancer.
... that the following may be true:
People are far more forgetful of the actions they've taken online and how they could be used by data/ad companies.
People aren't entirely likely to notice ads without having some reason (e.g. just having talked about it)
Data/ad companies are far better about targeting their results than they were in the past.
People love a good conspiracy. I know I do.
There is no XUL, only WebExtensions...
I'll assume it's a shortening of "broadcast" and that they mean that images of the screen are being sent to these third parties.
BroadCAST
TeleCAST
WebCAST
VidCAST
SportsCAST
WeatherCAST
OutKast
Any of those ring a bell? Well, casting the screen is another way of saying ScreenCAST.
Class dismissed.
That seems worse than whatever stupid shit I might say near my phone.
Indeed! So, if I chose the "show password" to make sure I'm writing it correctly, it can screenshot my password and send it to a third party? If I open PayPal it can screenshot what I've spent and send it to a third party?
Are these apps only screenshotting within themselves, or potentially everything you do? This could be extremely serious.
"That's the way to do it" - Punch
On my Android, quite frequently, Firefox asks for permission to use the microphone. I deny it every time.
But why is it doing this? Is it malicious ads that are trying to record me?
The real "Libtards" are the Libertarians!
Stupid post is stupid.
All android apps can REQUEST the permission to record your screen. Hell, there's good reason for it in some cases: See "CalcyIV" for Pokemon Go (which reads the pokemon's stats and provides more detailed info), or even Google's own Now / Assistant which screenshots and gives information about what you're looking at.
Unless it's preinstalled on your phone (and even if it is, it might still need to request it), there's going to be this huge "[APP] requests to record everything on your screen" prompt. Then, every time it records your screen, an icon appears in your status bar by the Wifi/3G/clock and I believe a notification appears.
In Oreo, you're probably going to be reminded at least once that the app recently used it. It just notified me that Soundhound used my mic the other day, and that was with me actively using the app.
Additionally, apps can block (https://android.stackexchange.com/questions/133022/disable-screenshot-security) screenshot/casts.
You literally have to ignore 3-4 warnings / notifications *AND* your banking apps / password requests have to be programmed badly (it's literally one line of code) for your information to be recorded.
I believe one thing that is happening is targeting ads based on the client IP address. If the IP address is that in the range of a typical ISP, then there is a very good chance that all of the devices with that IP address are in the same household, and targeting ads across devices would be profitable. About a week ago my girlfriend and I were talking about my old camper, and the work we did towards restoring it. She googled "vintage campers" on her cell phone, and on my laptop I had googled for my exact make and model camper. A little bit later I used my cell phone, and when I opened Facebook, it took me directly to a promoted Facebook Group called "Vintage Campers" and a listing of someone selling my model camper.
So, search terms and websites visited on two different devices somehow funneled into Facebook, which then showed me a Facebook group and post on a third device. It was so seamless I almost overlooked it, but the software developer in me quickly realized something deeper was going on as I had not done any searching on my phone at all (or within FB for that matter), nor did I use the term "vintage" in my searches on my laptop.
My point in all of this is it is trivial for ad services to put one and one together and deliver targeted ads in this way, and we could easily have misinterpreted it that my phone was "listening" to our conversation since I never did any of that searching on my phone yet it targeted me with ads. In these anecdotal reports, very likely one or the other person in the conversation was online and searching in regards to the topic at hand, and then ads were pushed to other devices due to using the same IP address.
Better known as 318230.
Have gnu, will travel.
FunFact: Not every version of Android has that permissions system. Some of them, especially older ones, grant all permissions by default when you install the app.
https://www.wsj.com/articles/t...
The WSJ reports:
Google said a year ago it would stop its computers from scanning the inboxes of Gmail users for information to personalize advertisements, saying it wanted users to "remain confident that Google will keep privacy and security paramount."
But the internet giant continues to let hundreds of outside software developers scan the inboxes of millions of Gmail users who signed up for email-based services offering shopping price comparisons, automated travel-itinerary planners or other tools. Google does little to police those developers, who train their computers—and, in some cases, employees—to read their users' emails, a Wall Street Journal examination has found.
One of those companies is Return Path Inc., which collects data for marketers by scanning the inboxes of more than two million people who have signed up for one of the free apps in Return Path's partner network using a Gmail, Microsoft Corp. or Yahoo email address. Computers normally do the scanning, analyzing about 100 million emails a day. At one point about two years ago, Return Path employees read about 8,000 unredacted emails to help train the company's software, people familiar with the episode say.
This examination of email data privacy is based on interviews with more than two dozen current and former employees of email app makers and data companies. The latitude outside developers have in handling user data shows how even as Google and other tech giants have touted efforts to tighten privacy, they have left the door open to others with different oversight practices.
I've never once been asked by an app to record my screen. Nor have I ever seen any icon that looks like a "recording screen" icon. I hope that means I just don't have anything installed that records... but I'm not convinced.
"That's the way to do it" - Punch
> 17,000 of the most popular apps
"popular" more like.
Apps fucking idiots install also a possibility.
This is what people asked for anyway. With free apps they get what they pay for.
+----------------- | What is the question!
This proves trusting an install wizard is a bad idea.
Blank until
Just another reason for the librem by purism. Can't wait to have a phone with adblock. No more garbage web experience on my phone!
internet in general is the most complex, detailed conversation in most internet users' lives today. It is definitely being "listened to" and contains far more information than most realize - not just information pertaining to conversations you had but also your thoughts and opinions if they invoked a question in your mind that caused you to make a query. Simple information like what if any reviews you looked at while purchasing a product can speak volumes about the way you think.
Without legislation to ban all trackers and recording of requests by ISPs and others, that's pretty much just the way it is.
SurfCAST
A live mic in a room that's collecting user data for a lot of brands. Don't worry no human is listening. A computer system gets every word spoken into a type of data. A type of data is not a human listening in real time so it's legal.
Domestic spying is now "Benign Information Gathering"
No human is looking at the words and images collected. A computer looks over each word and image. That data set is then worked on for ads.
As no human is looking it's legal.
Domestic spying is now "Benign Information Gathering"
but I thought you needed the "Apps that can appear on top" permission to record what a user is doing in other apps. Without it, the only thing that can be recorded is the developer's own app. This makes the privacy implications much smaller for most apps, since the developer will always have access to know what it is showing you (along with what you tap/type/press) as that is inherent in its ability to be interactive. That's not to say privacy couldn't be improved. In particular, "Apps that can appear on top" does not convey the ability to record a person's activities, so that really should be renamed (or else sectioned out into a different permission). Also, for apps like web browsers and clients that connect to servers not operated by/for the developer, recording interactions in one's own app is a much bigger issue. I'm still not sure if there's anything that can be done about this security-wise though, because -- again -- the app needs access to the data in order to display it. Lastly, I feel like screenshots (as opposed to data like coordinates, string values of fields, etc) are a kind of crude method for analytics anyway, yet they're the only thing this study focuses on. So it kind of gives a false impression to criticize this SDK, when I'm sure essentially the same information is transmitted (much more frequently) in text form and couldn't be detected by this survey.
The brands that make the phone offer the live mic support too. No extra special user interaction needed to enjoy that live mic collection.
Domestic spying is now "Benign Information Gathering"
at Gizmodo is so much higher than here. This comment included.
I'd initially hoped they'd done it on the hardware level; monitoring the mic voltage and tapped the ADC channels.
I'm not surprised that shitty app devs are monetizing their users' data for a few extra cents. My particular concern is alphabet soup agencies and a creeping Stasi state doing it on some sort of fundamental level that bypasses permissions (and morality). Yes, I like my windows to have curtains, my mail to have envelopes, and my conversations to be private.
It's not a conspiracy theory when articles like this refute your study.
https://www.nytimes.com/2017/1...
Just another day in Paradise
sarCASTic
CASTing couch
CASTrated
Just another day in Paradise
Because Google Play needs access to everything or it pops up complaints all of the time if you limit it. On a pretty regular basis I get a notice that Google Play is having issues because I haven't allowed it to use my phone, access my contacts, and whatever else stupid shit it wants access to. Instead of failing gracefully it's a constant nag, and they've been ignoring bug reports on this "feature" for 3-4 years now.
You just described Dark Pattern design at work (darkpatterns.org for more info). The idea is that you get annoyed and as a result give the apps full rights without thinking the consequences. If it was possible to deny permanently certain rights without the annoyance of constant reminders very few users would grant the apps free access to data on the phone.
You pay for the "free" apps by giving up your privacy. What you described is an intentional feature and will not be listed as a bug.
1. The hardware specs aren't competitive with iPhone X and Pixel 2. They are already nearly obsolete and the phone isn't even out yet.
My Nexus 4 is still chugging along reasonably well running SailfishOS. The Librem 5 should be a good upgrade for me.
2. Lack of apps. Yes, they have their own store, but that means nothing.
Install plasma-mobile and apt-get install whatever you want from the ubuntu repos. I don't know much about PureOS, I presume it will have a decent package manager, just like any modern distro.
In 2018, HUGE amounts of business and social situations require downloading third-party smart phone apps, and that means using the iOS App Store or Google Play.
Then fuck 'em. If they're requiring me to install application to provide a service which could reasonably be done through a web page, then they're obviously up to no good, and I wouldn't want to do business with them anyway.
Purism has discussed creating method for running Android apps in sandbox isolation, but unfortunately has NOT prioritized that. Unless they do, Librem 5 will never go mainstream.
Why should this be a high priority for Purism? Sure, anbox should work as long as you have a recent kernel (and the librem 5 does), but if Android apps are a priority for you, just get a damned android phone.
I don't give a shit about the fucktons of garbage apps available in the Play store. All i really want is a decent web browser, an ubuntu-sized package repo, and for the OS to never say "no" when I ask it to do something. Anything else (i.e. pretty much everything on the market right now) is just trash.