A group of researchers at Northeastern University published a report on Wednesday (see the full report) about some serious security concerns with the Android platform. They found that several Android apps have “alarming” privacy holes, enabling mobile apps to take and share screenshots and video of the phone’s app activity without users’ knowledge.
The researchers examined 17,260 apps from Google Play and several overseas app stores. Most were not found to be abusing their ability to record media, but the study did uncover instances of covert recording.
“Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent,” the researchers said in the report. “We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions.”
The researchers examined the apps’ code and also tested and evaluated the running programs to find out whether they were inappropriately collecting and leaking media such as videos or pictures. They checked whether each app requested access to the camera and microphone, whether the media APIs are referenced in the app’s code, and whether those references come from the developer’s own code or from a third-party library.
App Issues
In one incident, the researchers found that an on-demand delivery app (GoPuff, available on Google Play) had leaked video to a third-party analytics provider’s domain. Upon decompiling the app’s APK, they found that GoPuff records the screen and sends a video of the interaction to a domain owned by the third-party analytics company Appsee as soon as the app starts.
“Screen recording, if adopted at scale and/or in apps that handle sensitive data, could expose substantial amounts of users’ PII, especially when the full burden of securing private information is placed on developers,” the researchers said. “Further, we argue that the recording of interactions with an app (without user knowledge) is itself a privacy violation akin to recording audio or video of the user.”
The researchers shared their discoveries with GoPuff, which pulled the Appsee SDK from its apps and updated its privacy policy. The researchers also informed Google, who responded that “Google constantly monitors apps and analytics providers to ensure they are policy-compliant.”
The research also reveals that the team tested dozens of applications that use Appsee, but GoPuff was the only one that did not disclose this to its users. Appsee immediately disabled GoPuff’s tracking and purged its data from the servers.
Another app used the screenshot capabilities of a mobile beta-testing platform found on Google Play, TestFairy, to record users’ interactions through screenshots. This screenshot API was used by a networking app for a conference called SAHIC. The networking app used the beta-testing library to take 45 screenshots, including a search for attendees, messages to contacts and a response to a survey.
“While this feature is typically used during beta testing, the app was not labeled as a beta version in the Google Play Store,” the research says. “The user is also not informed of the recording, nor is she offered the opportunity to consent to beta testing upon opening the app. Thus, any reasonable user of these apps would likely never expect screenshots of her interactions.”
Also noted is a disturbing trend in which photo-editing apps – including one called Photo Cartoon Camera – PaintLab – send photos to their servers for processing (without notifying users) instead of performing the editing on the device itself.
They found six guilty apps – including FaceApp, Prisma Photo Editor, and InstaBeauty – Makeup Selfie Cam. The privacy disclosures for these apps are also unclear – for instance, Fotoable, the developer of two of the photo-editing apps, provided a privacy disclosure that only made a general statement that personal data might be collected and used. “This disclosure is arguably misleading as the app does not indicate uploading of a user’s photo while they are editing it,” they said.
Android Permissions and Third Parties
It is possible that app developers are including third-party libraries without understanding what data is collected. Perhaps they are just trying to create an app and earn money from it and are unsure of what they are doing.
One thing I believe to be a huge security flaw with Android is that the APIs for taking screenshots and recording videos of the screen are not protected by any permissions, and there is no disclosure to end users if they are being leaked to third parties. “Given that sensor data is highly sensitive, the Android and iOS operating systems include mandatory access control mechanisms around most sensors,” the researchers said. “However, existing permission models only partially mitigate multimedia privacy concerns because they are coarse grained and incomplete.”
Android app developers must list the permissions they plan to use in the AndroidManifest.xml file in all Android Packages (APKs), researchers said. Users, meanwhile, can accept or reject permission requests. However, when it comes to camera and audio APIs, they are not protected by any permission – meaning that apps can potentially record users’ screen interactions without them knowing.
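To make the audit described above concrete, here is an added example (not code from the study, the article, or any of the apps named) that performs the three checks the researchers describe on a single APK's extracted contents: which camera and microphone permissions the AndroidManifest.xml requests, which media APIs the decompiled code references, and whether each reference lives in the developer's own package or in a third-party library. The manifest and the decompiled class text are constructed in-memory samples; the package name `com.example.conferenceapp`, the library class `com.example.analyticslib.ScreenRecorder`, and the list of API signatures are assumptions chosen for illustration, not an exhaustive catalogue of Android's media APIs.

```python
"""
Added example: a minimal first-pass audit of an Android app's media access.
It combines a manifest permission check with a scan of decompiled sources
and attributes each media API reference to first-party or third-party code.
All inputs below are constructed samples, not real app data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Media APIs of interest, mapped to the runtime permission that gates them.
# None means no permission is required: the screen-capture paths the study
# flags fall into this category. Illustrative sample, not an exhaustive list.
MEDIA_APIS = {
    "android.hardware.Camera": "android.permission.CAMERA",
    "android.hardware.camera2.CameraManager": "android.permission.CAMERA",
    "android.media.MediaRecorder": "android.permission.RECORD_AUDIO",
    "android.media.AudioRecord": "android.permission.RECORD_AUDIO",
    "android.media.projection.MediaProjection": None,
    "android.view.PixelCopy": None,
    "getDrawingCache": None,  # View.getDrawingCache(), a classic screenshot path
}

# Constructed manifest: the app asks for camera and microphone access.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.conferenceapp">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

# Constructed stand-in for decompiled sources: class name -> source text.
SAMPLE_SOURCES = {
    "com.example.conferenceapp.MainActivity":
        "CameraManager cm = (CameraManager) getSystemService(...); "
        "// android.hardware.camera2.CameraManager used for the badge scanner",
    "com.example.conferenceapp.Uploader":
        "HttpURLConnection conn = ...; // uploads JSON only",
    "com.example.analyticslib.ScreenRecorder":
        "android.view.PixelCopy.request(window, bitmap, ...); "
        "Bitmap b = view.getDrawingCache(); // sent to the analytics host",
}


def requested_permissions(manifest_xml):
    """Return (package name, set of requested permission strings)."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package")
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    return pkg, perms


def find_media_references(sources):
    """Return [(class_name, api)] for every media API string found in a class."""
    hits = []
    for cls, text in sources.items():
        for api in MEDIA_APIS:
            if api in text:
                hits.append((cls, api))
    return hits


def audit(manifest_xml, sources):
    """Cross-check requested permissions against actual API use and report
    over-provisioned permissions, permission-free screen capture, and which
    third-party classes touch media APIs."""
    pkg, perms = requested_permissions(manifest_xml)
    refs = find_media_references(sources)
    gated = {p for p in MEDIA_APIS.values() if p}
    requested = sorted(p for p in perms if p in gated)
    used = {MEDIA_APIS[api] for _, api in refs if MEDIA_APIS[api]}

    report = {
        "package": pkg,
        "requested": requested,
        # Requested but never referenced: the "over-provisioning" the study notes.
        "over_provisioned": sorted(p for p in requested if p not in used),
        # Screen capture needs no permission, so the user is never asked.
        "unpermissioned_capture": [],
        "third_party_refs": defaultdict(list),
    }
    for cls, api in refs:
        owner = "first_party" if cls.startswith(pkg + ".") else "third_party"
        if MEDIA_APIS[api] is None:
            report["unpermissioned_capture"].append((owner, cls, api))
        if owner == "third_party":
            report["third_party_refs"][cls].append(api)
    report["third_party_refs"] = dict(report["third_party_refs"])
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_MANIFEST, SAMPLE_SOURCES).items():
        print(f"{key}: {value}")
```

On the constructed sample the audit reports RECORD_AUDIO as requested but unused, and attributes both permission-free screenshot calls to the analytics library rather than the developer's own package, which is exactly the combination the study singles out. Against a real decompiled APK, obfuscated class names and reflection would defeat plain substring matching, so this is a triage step to decide which apps deserve the dynamic, network-level testing the researchers also performed.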
Google’s personal and sensitive information privacy policy states that an app must have a privacy policy that, together with any in-app disclosures, comprehensively discloses how the app collects, uses and shares user data, including the types of parties with whom it’s shared.
Prevention
The research highlights that users should always pay close attention to their app permissions, especially for apps handling sensitive data.
Users, for their part, can review app permissions by opening the Settings app, selecting the app they want to examine, and tapping Permissions. From there, they can see everything the app can access – and turn off certain permissions.
My Conclusion
For now, I am certainly happy that I have had the long-time policy of avoiding anything to do with Google. Google has been shown to share any data it collects with anyone willing to pay for it, and with law enforcement. The first problem is the fact that they collect it without permission to begin with. I have never seen a disclaimer on their search page saying anything you search for is monitored and sold to the highest bidder.
DuckDuckGo is a great search engine that does not collect or share information. I will do a write-up on it in the near future.
It truly scares me how large Google is getting and how dishonest and sneaky they are as a corporation.
If you believe Google did not know these apps were spying on users, I won't argue with you. Perhaps they did not know. If you honestly believe Google themselves is not taking advantage of these "loopholes" that they intentionally put in their system, you are naive.
"Trust is like a mirror, you can fix it if it's broken, but you can still see the crack in that mother fucker's reflection" - Lady Gaga
Posted from my blog with SteemPress : http://mrunderstood.com/index.php/2018/07/06/all-seeing-google-another-reason-to-avoid-google-and-stay-safe/