A new app notifies people when an Android smartphone app is tracking their location, something not previously possible without modifying the operating system on a device, a practice known as “rooting.”
The new technology comes amid new revelations that the National Security Agency seeks to gather personal data from smartphone apps (see “How App Developers Leave the Door Open to NSA Surveillance”). But it may also help ordinary people better grasp the extent to which apps collect and share their personal information. Even games and dictionary apps routinely track location, as collected from a phone’s GPS or global positioning system sensors.
Existing Android interfaces do include a tiny icon showing when location information is being accessed, but few people notice or understand what it means, according to a field study done as part of a new research project led by Janne Lindqvist, an assistant professor at Rutgers University. Lindqvist’s group created an app that puts a prominent banner across the top of the app saying, for example, “Your location is accessed by Dictionary.” The app is being readied for Google Play, the Android app store, within two months.
Lindqvist says Android phone users who used a prototype of his app were shocked to discover how frequently they were being tracked. “People were really surprised that some apps were accessing their location, or how often some apps were accessing their location,” he says.
According to one Pew Research survey, almost 20 percent of smartphone owners surveyed have tried to disconnect location information from their apps, and 70 percent wanted to know more about the location data collected by their smartphone.
The goal of the project, Lindqvist says, is to goad Google and app companies into providing more prominent disclosures, collecting less personal information, and allowing users to select which data they will allow the app to see. A research paper describing the app and the user study can be found here. It was recently accepted for an upcoming computer security conference.
In many cases, location information is used by advertisers to provide targeted ads. But information gained by apps often gets passed around widely to advertising companies (see “Mobile-Ad Firms Seek New Ways to Track You” and “Get Ready for Ads That Follow You from One Device to the Next”).
Google, which maintains the Android platform, has engineered it to block an app from gaining information about other apps. So Lindqvist’s team used an indirect method using a function within Android’s location application programming interface (API) that signals when any app requests location information. “People have previously done this with platform-level changes—meaning you would need to ‘root’ the phone,” says Lindqvist. “But nobody has used an app to do this.”
Google has flip-flopped on how much control it gives users over the information apps can access. In Android version 4.3, available since July of last year, users gained the ability to individually disable and enable apps’ “permissions” one by one, but then Google reversed course in December 2013, removing the feature in an update numbered 4.4.2, according to this finding from the Electronic Frontier Foundation.
The new app and study from Lindqvist’s team could help push Google back toward giving users more control. “Because we know how ubiquitous NSA surveillance is, this is one tool to make people aware,” he says.
The work adds to similar investigative work about Apple’s mobile operating system, iOS. Last year different academic researchers found that Apple wasn’t doing a good job stopping apps from harvesting the unique ID numbers of a device (see “Study Shows Many Apps Defy Apple’s Privacy Advice”). Those researchers released their own app, called ProtectMyPrivacy, that detects what data other apps on an iPhone try to access, notifies the owner, and makes a recommendation about what to do. However, that app requires users to first “jailbreak” or modify Apple’s operating system. Still, unlike Android, Apple allows users to individually control which categories of information an app can access.
“Telling people more about their privacy prominently and in an easy-to-understand manner, especially the location, is important,” says Yuvraj Agarwal, who led that research at the University of California, San Diego, and has since moved on to Carnegie Mellon University. Ultimately, though, Agarwal believes users must be able to take action on an app’s specific permissions. “If my choice is to delete Angry Birds or not, that’s not really a choice,” he says.