Researchers Find Mobile Apps Can Easily Record Screenshots And Videos of Users' Activities

New academic research highlights how easy it is for mobile apps to both spy upon consumers and violate our privacy. During a recent study to determine whether or not smartphones record users' conversations, researchers at Northeastern University (NU) found:

"... that some companies were sending screenshots and videos of user phone activities to third parties. Although these privacy breaches appeared to be benign, they emphasized how easily a phone’s privacy window could be exploited for profit."

The NU researchers tested 17,260 of the most popular Android apps. About 9,000 of the 17,260 apps had the ability to take screenshots. The exposure: because the capture happens inside the app itself, screenshots and video can record whatever the user types into it, including keystrokes, passwords, and related sensitive information:

"This opening will almost certainly be used for malicious purposes," said Christo Wilson, another computer science professor on the research team. "It’s simple to install and collect this information. And what’s most disturbing is that this occurs with no notification to or permission by users."
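To make the "no notification, no permission" point concrete, here is an added illustration of the mechanism (this is not code from the paper, from GoPuff, or from Appsee's SDK). An Android app can render its own window into a bitmap with ordinary drawing calls; no manifest permission and no consent dialog is involved, because the app is only drawing views it already owns. The `Sink` interface is a hypothetical stand-in for whatever an analytics SDK does with the image.

```java
// Added illustration: an Android app capturing its OWN screen contents.
// Assumes a standard Activity whose layout has already been measured
// (decor view width/height are non-zero). 'Sink' is hypothetical.
import android.app.Activity;
import android.graphics.Bitmap;
import android.graphics.Canvas;
import android.view.View;
import java.io.ByteArrayOutputStream;

public final class SelfScreenCapture {

    /** Hypothetical destination for captured frames (file, network, etc.). */
    public interface Sink {
        void accept(byte[] png);
    }

    /**
     * Renders the activity's whole window, including any text the user has
     * typed into its fields, into a Bitmap. Nothing here is permission-gated:
     * View.draw() is the same call the app uses to paint itself on screen.
     */
    public static Bitmap capture(Activity activity) {
        View root = activity.getWindow().getDecorView();
        Bitmap bitmap = Bitmap.createBitmap(
                root.getWidth(), root.getHeight(), Bitmap.Config.ARGB_8888);
        root.draw(new Canvas(bitmap));
        return bitmap;
    }

    /** PNG-encode a frame so it can be stored or uploaded. */
    public static byte[] toPng(Bitmap bitmap) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        bitmap.compress(Bitmap.CompressFormat.PNG, 100, out);
        return out.toByteArray();
    }

    /**
     * Periodic capture on the UI thread: this loop is essentially what a
     * "session replay" feature boils down to. Stops when the activity finishes.
     */
    public static void startReplay(final Activity activity,
                                   final long intervalMs,
                                   final Sink sink) {
        final View root = activity.getWindow().getDecorView();
        root.post(new Runnable() {
            @Override
            public void run() {
                if (activity.isFinishing()) {
                    return;
                }
                sink.accept(toPng(capture(activity)));
                root.postDelayed(this, intervalMs);
            }
        });
    }
}
```

Two caveats a practitioner would want. First, the OS-level capture path (`MediaProjection`, added in Android 5.0) does show a consent dialog, and `WindowManager.LayoutParams.FLAG_SECURE` blocks system screenshots and screen recording, but neither stops the in-app drawing above, because the app is painting its own views rather than reading the compositor's output; that is why the researchers say the gap needs an operating-system redesign rather than a permission tweak. Second, fields declared with `android:inputType="textPassword"` render as dots in such a bitmap (apart from the most recently typed character, which Android briefly shows in clear), but usernames, card numbers, messages and everything else in the window are captured in plain text.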

The NU researchers found one app already recording video of users' screen activity (links added):

"That app was GoPuff, a fast-food delivery service, which sent the screenshots to Appsee, a data analytics firm for mobile devices. All this was done without the awareness of app users. [The researchers] emphasized that neither company appeared to have any nefarious intent. They said that web developers commonly use this type of information to debug their apps... GoPuff has changed its terms of service agreement to alert users that the company may take screenshots of their use patterns. Google issued a statement emphasizing that its policy requires developers to disclose to users how their information will be collected."

May? A brief review of the Appsee site seems to confirm that video recordings of the screens on app users' mobile devices are integral to the service:

"RECORDING: Watch every user action and understand exactly how they use your app, which problems they're experiencing, and how to fix them. See the app through your users' eyes to pinpoint usability, UX and performance issues... TOUCH HEAT MAPS: View aggregated touch heatmaps of all the gestures performed in each screen in your app. Discover user navigation and interaction preferences... REALTIME ANALYTICS & ALERTS: Get insightful analytics on user behavior without pre-defining any events. Obtain single-user and aggregate insights in real-time..."

Sounds like a version of "surveillance capitalism" to me. According to the Appsee site, a variety of companies use the service, including eBay, Samsung, Virgin airlines, The Weather Network, and several advertising networks. Plus, the Appsee Privacy Policy dated May 23, 2018 stated:

"The Appsee SDK allows Subscribers to record session replays of their end-users' use of Subscribers' mobile applications ("End User Data") and to upload such End User Data to Appsee’s secured cloud servers."

In this scenario, GoPuff is a subscriber and consumers using the GoPuff mobile app are end users. The Appsee SDK is software code embedded within the GoPuff mobile app, so the recording runs with the app's own access to everything on its screen. The researchers said that this vulnerability "will not be closed until the phone companies redesign their operating systems..."

Data-analytics services like Appsee raise several issues. First, there seems to be little need for digital agencies to conduct traditional eye-tracking and usability test sessions, since companies can now record, upload and archive what, when, where, and how often users swipe and select in-app content. Before, users were invited to and paid for their participation in user testing sessions.

Second, this in-app tracking and data collection amounts to perpetual, unannounced user testing. Previously, companies have gotten into plenty of trouble with their customers by performing secret user testing; especially when the service varies from the standard, expected configuration and the policies (e.g., privacy, terms of service) don't disclose it. Nobody wants to be a lab rat or crash-test dummy.

Third, surveillance agencies within several governments must be thrilled to learn of these new in-app tracking and spy tools, if they aren't already using them. A reasonable assumption is that Appsee also provides data to law enforcement upon demand.

Fourth, two of the researchers at NU are undergraduate students. Another startling disclosure:

"Coming into this project, I didn’t think much about phone privacy and neither did my friends," said Elleen Pan, who is the first author on the paper. "This has definitely sparked my interest in research, and I will consider going back to graduate school."

Given the tsunami of data breaches, privacy legislation in Europe, and demands by law enforcement for tech firms to build "back door" hacks into their mobile devices and smartphones, it is alarming that some college students "don't think much about phone privacy." This suggests that Pan and her classmates probably haven't read the privacy and terms-of-service policies for the apps and sites they've used. Maybe they will now.

Let's hope so.

Consumers interested in GoPuff should closely read the service's privacy and Terms of Service policies, since the latter includes dispute resolution via binding arbitration and prevents class-action lawsuits.

Hopefully, future studies about privacy and mobile apps will explore further the findings by Pan and her co-researchers. Download the study titled, "Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications" (Adobe PDF) by Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes.

Comments


Dave

Why does the title say “Mobile” when this type of thing is a uniquely Android problem and generally not possible in iOS nor is it seen on any of the other minority platforms.

Many widespread issues seem to get written this way, I had numerous family/friends worried about Facebook collecting their SMS history and the big articles all talked about mobile, only when you read the details do you learn that only Android is this sloppy with permissions.

Is there any particular reason that whenever there is yet another case of mobile apps misbehaving which is limited to Android, authors just call it “mobile” in headlines and the above-the-fold summary/introduction paragraph?

George


Everyone:

In his comment above, Dave raised a good question: "Why does the title say “Mobile” when this type of thing is a uniquely Android problem and generally not possible in iOS nor is it seen on any of the other minority platforms?"

To answer that question, one can (re)read the NU announcement linked in the above blog post:

"Although the study was conducted on Android phones, both [researchers] Wilson and Choffnes said there is no reason to believe that other phone operating systems would be less vulnerable."

So, the vulnerability is not limited to Android OS mobile devices. As I wrote in the blog post, I look forward to future research studies -- which should confirm these findings for several operating systems.

George
Editor
http://ivebeenmugged.typepad.com

Chanson de Roland

When did it stop being nefarious for an app and the people in control of it to surreptitiously record screenshots and video captures of users' keystrokes, passwords, and related sensitive information from their smartphones? Or to even put that kind of capability, the ability to surreptitiously record screenshots and/or videos of a user's activity on his smartphone, in an application that an authorized user installs on his smartphone? As the late Sen. Daniel Patrick Moynihan would have put it, we confront and have become so accustomed to the outrageous trespasses upon our privacy and dignity online and on our computing devices by tech firms that we've no choice but to define deviancy down, so that surreptitiously recording a user's activity on his smartphone is not nefarious per se, unless the person in possession and control of that recorded information has some further nefarious purpose.

Well, not so long ago, it would have been sufficiently wicked to just place this capability to surreptitiously record a user's activity on his smartphone in an app for it to be a nefarious act, no matter what the scoundrel doing the recording would use the recorded information for. The reason that was bad was because surreptitiously recording users' activity on their smartphones reveals, as the United States Supreme Court has found, the most intimate details and information about a person's life, his associates, his activities, his secret thoughts and wishes, his communications, his financial information, his health information, his desires, and his intent, indeed, his whole life, so that he has a clear expectation of privacy in that information. And even though the Fourth Amendment of the U.S. Const. isn't binding on private parties, that anyone would secretly violate another's privacy or equip himself with the means to do so, without obtaining that other person's meaningful consent, is such a vile violation of that other person's privacy and dignity as to be nefarious without need of anything more or further. The foregoing is as true today as it was yesterday, so Appsee et al., who either create or use the capability to surreptitiously record videos and/or screenshots on people's smartphones, are doing a wicked thing by simply doing either of those things.

So let's recognize the deviance of the wickedness of what Appsee et al. have done and are doing without the discounting for such wickedness having become pervasive and prevalent. Appsee et al., for what they have done, are wrong, wicked, and most foul.

Chanson de Roland


Yes, for now, the vulnerability is limited to Android and does not involve Apple’s iOS. The two faculty members saying that they have no reason to believe that this vulnerability doesn’t afflict other smartphone operating systems does not extend the evidence of the vulnerability to any mobile operating systems beyond the ones that their students studied. If it turns out that Apple’s iOS does not have a similar vulnerability, and there are reasons to believe that, because of iOS’s design and Apple’s agreement with its developers, it doesn’t, the two professors’ statement comes perilously close to commercial defamation.
