Emerging Technology from the arXiv

A View from Emerging Technology from the arXiv

The Truth About Smartphone Apps That Secretly Connect to User Tracking and Ad Sites

Security researchers have developed an automated system for detecting Android apps that secretly connect to ad sites and user tracking sites.

  • May 1, 2015

There are essentially two starkly different environments in which to download apps. The first is Apple’s app store, which carefully vets apps before allowing only those deemed fit to appear. The second is the Google Play store, which is more open because Google exercises a lighter touch in vetting apps, only excluding those that are obviously malicious. 

But because Google Play is more open, the apps it offers span a much wider quality range. Many connect to ad-related sites and tracking sites while some connect to much more dubious sites that are associated with malware.

But here’s the problem—this activity often takes place without the owner being aware of what is going on. That’s something that most smartphone users would be appalled to discover—if only they were able to.

Today, Luigi Vigneri and pals from Eurecom in France have a solution. These guys have come up with an automated way to check the apps in Google Play and monitor the sites they connect to. And their results reveal the extraordinary scale of secret connections that many apps make without their owners being any the wiser.

Vigneri and co began by downloading over 2,000 free apps from all 25 categories on the Google Play store. They then launched each app on a Samsung Galaxy SIII running Android version 4.1.2 that was set up to channel all traffic through the team’s server. This recorded all the URLs that each app attempted to contact.

Next they compared the URLs against a list of known ad-related sites from a database called EasyList and a database of user tracking sites called EasyPrivacy, both compiled for the open source AdBlock Plus project. Finally, they counted the number of matches on each list for every app.
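The counting step described above can be sketched as follows. This is an added example, not code from the paper or from NoSuchApp: the filter lines, app names and captured URLs are constructed, and it assumes matching on `||domain^` rules only, whereas the real lists also contain path, exception and element-hiding rules.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed filter lines in Adblock Plus syntax (not real EasyList/EasyPrivacy content).
SAMPLE_EASYLIST = "! sample\n||ads.example.net^\n||adserver.example^$third-party\n/banner/*\n"
SAMPLE_EASYPRIVACY = "! sample\n||metrics.example.org^\n@@||allowed.example.org^\n"

def domain_rules(filter_text):
    """Return domains from '||domain^' blocking rules; other rule kinds are skipped."""
    domains = set()
    for line in filter_text.splitlines():
        line = line.strip()
        if not line.startswith("||"):       # skips comments (!), exceptions (@@), path rules
            continue
        rule = line[2:].split("$", 1)[0]    # drop filter options such as $third-party
        if rule.endswith("^") and "/" not in rule and "*" not in rule:
            domains.add(rule[:-1].lower())
    return domains

def host_matches(host, domains):
    """'||d^' matches d itself and any subdomain of d, on label boundaries only."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def characterize(capture, ad_domains, tracker_domains):
    """capture: iterable of (app, url). Returns per-app counts of distinct URLs."""
    seen = defaultdict(set)
    for app, url in capture:
        seen[app].add(url)                  # repeated requests count once
    report = {}
    for app, urls in seen.items():
        hosts = [urlsplit(u).hostname or "" for u in urls]
        report[app] = {
            "urls": len(urls),
            "ads": sum(host_matches(h, ad_domains) for h in hosts),
            "trackers": sum(host_matches(h, tracker_domains) for h in hosts),
        }
    return report

# Constructed proxy capture: (app name, requested URL)
CAPTURE = [
    ("volume.app", "http://ads.example.net/banner?id=1"),
    ("volume.app", "http://cdn.ads.example.net/banner?id=2"),
    ("volume.app", "http://ads.example.net/banner?id=1"),
    ("volume.app", "https://metrics.example.org/collect"),
    ("notes.app", "https://api.notes.example/sync"),
    ("notes.app", "https://allowed.example.org/ping"),
]
REPORT = characterize(CAPTURE, domain_rules(SAMPLE_EASYLIST), domain_rules(SAMPLE_EASYPRIVACY))
```

Matching on whole host labels keeps a host such as `notmetrics.example.org` from being counted against the `metrics.example.org` rule.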

The results make for interesting reading. In total, the apps connect to a mind-boggling 250,000 different URLs across almost 2,000 top-level domains. And while most attempt to connect to just a handful of ad and tracking sites, some are much more prolific.

Vigneri and co give as an example “Music Volume Eq,” an app designed to control volume, a task that does not require a connection to any external URLs. And yet the app makes many connections. “We find the app Music Volume EQ connects to almost 2,000 distinct URLs,” they say.

And it is not alone in its excesses. The team say about 10 percent of the apps they tested connect to more than 500 different URLs. And nine out of 10 of the most frequently contacted ad-related domains are run by Google.

The user tracking sites that apps connect to are less pervasive. More than 70 percent of apps do not connect to any user tracking sites. But those that do can be extravagant, some connecting to more than 800 user tracking sites. What’s more, many of these are created by organizations that Google has designated with “top developer status.” The worst offender is an app called Eurosport Player, which connects to 810 different user tracking sites.

A small proportion of the apps even seem designed to connect to suspicious sites connected with malware.

Most users of these apps will have little, if any, knowledge of this kind of behavior. So Vigneri and co have developed their own app that monitors the behavior of others on a user’s smartphone and reveals exactly which external sites these apps are attempting to connect to.

They call their new app NoSuchApp, or NSA for short, “in honor of a similarly acronymed monitoring agency.”

That should give Android users confidence in the apps they use. “With this application, our goal is to provide a mechanism for end users to be aware of the network activity of their installed Android applications,” say Vigneri and co.

The team plan to make the app publicly available on Google Play in the near future.

Ref:  arxiv.org/abs/1504.06093 : Taming the Android AppStore: Lightweight Characterization of Android Applications
