
I spy: How Android phones keep tabs on our every move

A study by two Spanish academics reveals the scope and lack of control over pre-installed apps

Jordi Pérez Colomé
The study authors Juan Tapiador (left) and Narseo Vallina-Rodríguez. Kike Para

As a consumer, you buy a new Android cellphone. It could be any brand, but it is likely to be an Android as they account for more than 80% of today’s cellphone market. You open the box, press the “On” button and the phone connects to the internet. Without further ado, you have just triggered the most sophisticated surveillance machine to date for monitoring your routines.

It no longer matters whether you have downloaded Facebook or activated a Google account, or given permission to some app or anti-virus program to access your contacts, camera and microphone. Whatever you do from that moment on, your new cellphone will be sharing details of your activity with the rest of the world. The software that comes pre-installed is the most accurate resource on your phone for predicting where you might be, what you might download, what messages you might send and what music you might listen to.

“It is the scale of it that makes it so serious: we are talking about hundreds of thousands of millions of Android phones.” Juan Tapiador, professor and co-author of study

“The pre-installed apps are an indication of another reality: agreements between actors (manufacturers, data traders, mobile operators and advertisers) for added value, but also for commercial ends,” says Juan Tapiador, a professor at Carlos III University in Madrid and co-author of the study on this alarming situation, along with Narseo Vallina-Rodríguez from IMDEA Networks and the International Computer Science Institute at Berkeley University.

While none of the findings are in themselves earth-shattering – we already know, for example, that cellphones walk a fine line when it comes to compiling and sharing data – what they do reveal is the extent of pre-installed apps’ reach, their lack of transparency, and their privileged position within the devices. Researchers analyzed 1,742 phones made by 214 manufacturers in 130 countries.

“Until now, research on the risks to privacy from cellphones has been focused on apps that are listed on Google Play or malware,” says Vallina. Instead, he and Tapiador analyzed the pre-installed apps on standard cellphones and it turns out that, due to a complex ecosystem of manufacturers, mobile operators, app developers and service providers, the guarantees offered by Android are looking less than foolproof.

The research is to be published in detail on April 1 and will be presented at one of the world’s biggest cybersecurity and privacy conferences, the 41st IEEE Symposium on Security & Privacy, in California.

The authors gave EL PAÍS an early look at the study, which shows how our personal data is sent to a broad network of interested parties, which generally includes servers belonging to the cellphone’s manufacturer, companies that are regularly accused of harvesting our personal data such as Facebook and Google, but also to a murky world of big corporations and start-ups that package it, tag it and sell it on to whoever offers the right price.

Our personal information is sent to a broad network of interested parties, some of which are controversial

In a research project on an unprecedented scale, Tapiador and Vallina created the app Firmware Scanner to pick up the pre-installed software on the cellphones of volunteers. Because the code of Android’s operating system is open, any manufacturer can ship its own version of it along with other pre-installed apps. A cellphone can have more than 100 pre-installed apps and a further 100 that are third-party libraries included in the code, many of which are specialized in monitoring the user and in advertising.

It is, in effect, an international landscape of hundreds of thousands of apps with common, dubious, unknown, dangerous and potentially criminal uses – a chaotic environment of mass surveillance with only the tip of the iceberg revealed by the year-long research.

A jigsaw of parts

An Android cellphone is not produced by just one manufacturer. The chip comes from one company and the updates of the operating system will possibly be outsourced to another, while separate software will be added by the mobile operators and distributors. There are a lot more players involved in the final product than the name on the box might suggest, although the final control of all the software belongs to the brand, which may or may not have privileged access to the user’s data.

The result is an ecosystem so complex that all the players can sidestep the responsibility of where our personal data ends up. Google created the open-code platform but this is now available to everyone. And what belongs to everyone belongs to no one. “The world of Android is like the jungle or the Wild West, particularly in countries with little regulation for the protection of personal data,” says Tapiador.

Vallina adds, “There is no supervision on what is imported and sold within the European Union when it comes to software, and to a large extent hardware too.”

Consequently, each version of our Android cellphones tells its base what we are up to from the moment we turn it on, without skipping a beat. The problem is not only what is said about us, but also that the user has no control over the management of personal data.

Google Play’s permissions

The companies that compile consumer data for advertisers already have access to user data via Google Play’s regular apps. So why do they seek to reach agreements with manufacturers allowing them to be part of the pre-installed software?

Imagine our data is stored in a house that has several floors. The Google Play apps would look like windows that we can open and close. Sometimes we let the data out and sometimes not. That depends on each user’s decision on how to manage their personal data. But what this user cannot know is that Android cellphones come with a door that is wide open all the time, making the windows irrelevant.

“There is no supervision on what is imported and sold within the European Union when it comes to software, and to a large extent hardware too.” Narseo Vallina-Rodríguez, co-author of study

Pre-installed software is always there. We cannot eliminate it from the device without breaking the protection offered by the system; but this is something beyond the scope of the average user.

Apps downloaded from Google Play come with the option of data management. For example, it might say: “Allow your new free game to have access to your microphone?” Or: “Allow your app to access your location to improve its productivity?” If we decide there are too many permission requests, we can simply scrub the app from our phone. Google apps have their own service terms and need to ask explicit permission before acting. The user is ultimately responsible for the management of their data.

But pre-installed apps reside below the radar of the indexed apps in the store, and in many cases their permission agreement is incorporated into the operating system. “Google Play is a garden that has a gate that is shut and policed, but 91% of the pre-installed apps that we have seen are not in Google Play,” says Tapiador. And outside Google Play, no one is aware of what is going on in their phone.

Additional problems

Pre-installed software has two further problems; first, it is inside an operating system that has access to all the cellphone’s functions and, secondly, these apps can be automatically updated, which allows them to mutate. The operating system is the cellphone’s brain. It has constant access to everything and it automatically updates. And these updates are important because a manufacturer might have given permission to a company to be on its mobile code for something innocuous. Then two months later, this can be updated, adding permission for other things such as recording conversations and accessing messages.

The pre-installed apps are easy for their creators to update; when the needs of the tracking company change, the creators can introduce new software and new instructions. The owner of the cellphone is powerless to stop that from happening; there is no permission request; the operating system is simply updated.

The user does not know that Android cellphones come with a door on their personal data that is wide open

“Some of these apps call home base asking for instructions, and they pass along information from the device where they are installed. At times, this information is massive and includes the technical characteristics of the phone, unique identifiers, location, contacts, messages and emails,” says Tapiador. “All this is picked up by a server, which decides what to do with this. According to the country the device is in, the server could decide to install one app or another, or send the user certain ads over others. We discovered this by analyzing the code and the behavior of the apps.”

The server that receives the information could be the manufacturer or a social network that sells publicity to unknown data traders, or even an unidentifiable IP address.

“At times, this information is massive and includes the technical characteristics of the phone, unique identifiers, location, contacts, messages and emails.” Juan Tapiador

One risk is that these obscure pre-installed apps can use the custom permissions to expose information to Play Store apps. The custom permissions are a tool that Android offers to software developers so that the apps share data with them. For example, if an operator or a bank service has a number of them, it is legal for them to talk between themselves and share data. But at times it is not easy to discover which data is being shared by which pieces of software.

In a new cellphone, there could, for example, be a pre-installed app that has access to the camera, contacts and microphone. This app was programmed, say, by Wang Sánchez and it bears a certificate with his public code and signature. It is apparently legitimate but nobody can confirm whether Wang Sánchez’s certificate is bona fide. This app is always on and it clocks the location, activates the microphone and stores the recordings. But it does not send the information to any server because Wang Sánchez’s app does not have permission to send anything through the internet. What it does do is declare a custom permission that regulates access to the data and whoever else has this permission can get ahold of the data.

The owner of this cellphone might go to Google Play Store one day and find a fabulous sports app. The only official permission that has been asked for has been access to the internet, which is absolutely normal for apps. But the sports app also asks for the custom permission of the Wang Sánchez app. The sports app is not aware these permissions are not shown to the user. So the first thing it will say to the pre-installed app is, “Do you live here? Give me access to the microphone and the camera.” It was apparently a risk-free app, but the complexities of the system of permissions mean these kinds of scenarios are common.
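The hand-off described above can be audited across the manifests of the apps on a device. The following Python code is an added example, not code from the study or from Firmware Scanner; the package names, the permission name and both sample manifests are constructed, and it assumes manifests already decoded to text XML with `protectionLevel` written as a string.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SENSITIVE = {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_CONTACTS"}

# Constructed sample manifests; package and permission names are hypothetical.
PREINSTALLED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendor.recorder">
  <permission android:name="com.example.vendor.recorder.READ_DATA"
      android:protectionLevel="normal"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
SPORTS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sports">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.vendor.recorder.READ_DATA"/>
</manifest>"""

def parse_manifest(xml_text):
    """Return package name, declared custom permissions and requested permissions."""
    root = ET.fromstring(xml_text)
    declared = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
                for p in root.findall("permission")}
    requested = {u.get(NS + "name") for u in root.findall("uses-permission")}
    return {"package": root.get("package"), "declared": declared,
            "requested": requested}

def find_permission_bridges(manifests):
    """Flag apps holding another package's auto-granted custom permission."""
    apps = [parse_manifest(m) for m in manifests]
    owners = {name: (app, level) for app in apps
              for name, level in app["declared"].items()}
    findings = []
    for app in apps:
        for perm in sorted(app["requested"] & set(owners)):
            owner, level = owners[perm]
            if owner["package"] == app["package"]:
                continue
            # Only "normal" is granted silently at install time; "signature"
            # needs the declarer's signing key and "dangerous" prompts the user.
            if level.split("|")[0] != "normal":
                continue
            # Sensitive data the declarer can reach but the requester never asked for.
            indirect = sorted((owner["requested"] & SENSITIVE) - app["requested"])
            if indirect:
                findings.append({"requester": app["package"],
                                 "declarer": owner["package"],
                                 "custom_permission": perm,
                                 "indirect_access": indirect})
    return findings

if __name__ == "__main__":
    for finding in find_permission_bridges([PREINSTALLED, SPORTS_APP]):
        print(finding)
```

A finding only shows that the path exists; whether the declaring app actually exposes data behind the permission still has to be confirmed by inspecting its components.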

Governments and the industry have been aware for years of this process. The US federal agencies ask for their cellphones to come with operating systems that are free of pre-installed software. But ordinary citizens need to wise up. Their data is not safe. “Having regulatory control over all the possible versions of Android on the market would be almost unmanageable,” says Vallina. “It would require a very expensive and extensive analysis.”

The bottom line is that we carry a massively sophisticated surveillance machine in our pockets.

The app authors

The authors of these apps are a huge mystery. In fact, Tapiador and Vallina’s research has revealed something not unlike the dark web. There are, for example, apps that are signed by Google, which are unlikely to belong to Google. “Working out who the authors are has been an almost manual task, looking at who has signed each one and if it has any kind of chain that can be linked to a library or known manufacturer,” says Vallina, who explains that while many send acceptable information to manufacturers or big companies, many others hide behind fake names.

The information they send out is easily linked to a particular telephone number or to personal data. The phone’s SIM and dozens of apps linked to the email or to social media accounts easily reveal the origin of the data.

English version by Heather Galloway.
