Are Phone Apps Spying on Us? This Northeastern Prof Thinks So

If you’re militant about protecting your privacy, those occasional rumors that smartphones are doubling as spy devices probably ring true. And a new study out of Northeastern University that tested 17,260 Android apps does little to dial down such fears.

While the study — which dubs itself as the first large-scale, empirical one of its kind — has not found outright abuse of our phone’s camera, microphone or touch screen (though doesn’t rule it out, either), it does make some disturbing discoveries about other information we assume to be private escaping our mobile devices through some apps, likely without our knowledge.

The Northeastern University team found apps that either directly or through recycled code from third-party libraries had uploaded images or had recorded images and videos of screen use, without users’ knowledge.

“We find that on Android there is no permission required for third-party code in an app to continuously record the screen (that the app) displayed to the user. As such, users may unwittingly use apps that collect video recordings containing sensitive information…,” the study’s authors found.

To put this in perspective, David Choffnes, an assistant professor in Northeastern’s College of Computer and Information Science said, we assume what we type, swipe or photograph is private unless we send, post or upload it.

And, we believe that “at anytime we can erase it and it’s like it never happened,” said Choffnes, who worked on the study. “But now we have some of these apps and some of their behaviors are such that what we thought was temporary or … transient … is actually being sent out on the internet, probably before we wanted it to be. That obviously has privacy implications.”

Perhaps even worse, said Choffnes, as comprehensive as the research was — it looked at apps from Google Play, AppChina, and Anzhi — “we just scratched the tip of the tip of the iceberg…. this is a conservative underestimate of what’s happening.”

Conducting the research with Choffnes was Elleen Pan, Jingjing Ren, Martina Lindorfer and Christo Wilson.

BostInno spoke with Choffnes to find out more.

BostInno: Many people worry that their phones’ microphones or cameras are secretly spy on them. But it sounds like you found something that nobody is really thinking about, right?

Choffnes: Right. … What we found is that it’s possible for an app – or a code that’s provided by a third party, in this case, AppSee – to record what is happening on the screen (while using that app) and then send that over the internet without any permissions required. It’s different from the camera or the microphone because if an app is going to use those, it needs to ask you first. We’re all familiar with those prompts. But not only is it possible that the screen can be recorded with no permission, there’s also no notifications to the user.

BostInno: And do these screenshots can actually have a lot of information in them?

Choffnes: It depends on how these apps are being used. … But, I think you’re right, often our screens have sensitive and personal information, and those things we (now) know can be shared with other parties without … any permission or without any user consent. So I think everyone should be a bit alarmed by that. We don’t have any evidence of abuse of it … but that doesn’t mean it can’t be used for malicious purposes. The biggest thing that scares me is that if – or when – it is used maliciously, the average user will have no way of knowing that it’s happening, and will have no protections.

BostInno: You also talk about some photo editing apps that users expect are working inside their phones, but that actually upload photos over the internet, sometimes as soon as a photo is taken. 

Choffnes: When we use our built-in camera app and we apply a filter, we assume that everything is being done on our phone, and for the built-in apps – whether they’re iOS’ or Android’s – that’s going to be the case. But what was surprising to us was that, you have these apps where you select a photo for editing and it gets uploaded to another server. Sometimes that’s disclosed, but in many cases, it’s not clear, even from the privacy policy. What’s particularly alarming is that it could be the case — that you take a photo and before you even chose to edit it, it uploads it. Some of us have photos that we want to throw away and some of those might be sensitive, if it’s already been uploaded to a server the moment you took the picture, then the cat is already out of the bag.

BostInno: And like we saw with the Equifax hack … stuff gets out, and once it’s out of your hands, there’s the potential that it could get saved, reused or hacked, right?

Choffnes: That’s the right analogy. We implicitly or explicitly trust our data with certain parties. But what we’re finding is that in general you might not know that your data is being trusted with parties that you do not have a direct relationship with, and, in some cases it’s shared in ways that you never knew it would be shared. The more companies that have data about you, at least one of them will get hacked at some point and then your data is exposed.

This interview was edited for brevity, clarity and to accommodate the short attention spans we all have in this digital age.

Copyright Boston - BostInno
Contact Us