Researchers: Thousands of Android Apps Collude To Spy on Users
Thursday, April 13, 2017
Got an Android phone or tablet? Considering an Android phone? Then, pay close attention. Researchers have found that more than 20,000 pairs of Android apps work together to spy on users: they collect, track, and share information without notice or consent. The Atlantic magazine explained:
"Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone... A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data... Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information. When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data..."
Researchers at Southern Illinois University and at Virginia Tech collaborated on the highly technical report titled, "Collusive Data Leak And More: Large-Scale Threat Analysis of Inter-App Communications" (Adobe PDF). The report compared DIALDroid to other inter-app analysis tools, and analyzed whether the data leaks were intentional or unintentional (e.g., due to poor design).
The problems the researchers found seem three-fold. First, there is the stealthy collusion described above. Second, the kinds of data collected and where they are sent are problematic. The Atlantic article explained:
"When they analyzed the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS."
Third, the vulnerabilities apply to apps operating on corporate networks. The researchers warned in their technical report:
"User Applications. Although DIALDroid is for marketplace owners, Android users can also benefit from this tool. For example, enterprise users can check possible inter-app collusions using DIALDroid before allowing certain apps to be installed on the devices of their employees. Moreover, a large-scale public database similar to ours, when regularly updated, can be queried by users to find out possible inter-app communications to or from a particular app."
"Marketplace owners" refers to organizations running online app stores. "Enterprise users" refers to information technology (I.T.) professionals managing (and securing) internal organization networks containing highly sensitive, confidential, and/or proprietary information. Corporate, government, health care organizations, and law firms immediately come to mind.
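To make the "coupling" step concrete, here is an added, deliberately simplified model of the kind of inter-app matching the researchers describe: take the implicit Intents one app sends, match them against the exported intent filters of every other app, and report any pair where the sender holds a sensitive-data permission and the receiver can put the data somewhere (a log file, the network, SMS). This is illustration written for this post, not DIALDroid's code or the researchers' method; it assumes implicit Intents are the inter-app channel, uses a hand-picked permission classification, hypothetical package names and actions, and omits parts of real Android intent resolution (MIME types, component-level permissions, the DEFAULT-category rule for activities).

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Assumed classification for this example: permissions that guard sensitive
# data sources on the sending side, and permissions that open a channel off
# the device on the receiving side.
SOURCE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
}
SINK_PERMS = {
    "android.permission.INTERNET": "network",
    "android.permission.SEND_SMS": "sms",
}

@dataclass
class Intent:
    """An implicit Intent one app sends, as recovered from static analysis."""
    action: str
    categories: Set[str] = field(default_factory=set)
    scheme: str = ""                 # data URI scheme, if any
    carries_sensitive: bool = False  # extras derive from a sensitive source

@dataclass
class IntentFilter:
    """An intent filter on an exported component of the receiving app."""
    actions: Set[str]
    categories: Set[str] = field(default_factory=set)
    schemes: Set[str] = field(default_factory=set)

@dataclass
class App:
    package: str
    permissions: Set[str]
    sent_intents: List[Intent] = field(default_factory=list)
    exported_filters: List[IntentFilter] = field(default_factory=list)
    writes_log: bool = False         # received data ends up in a log file

def filter_matches(intent: Intent, flt: IntentFilter) -> bool:
    """Simplified implicit-intent resolution: the filter must declare the action
    and every category on the intent; if either side names a URI scheme, the
    schemes must agree."""
    if intent.action not in flt.actions:
        return False
    if not intent.categories <= flt.categories:
        return False
    if intent.scheme or flt.schemes:
        return intent.scheme in flt.schemes
    return True

def sink_kinds(app: App) -> List[str]:
    """Where a receiving app can put data: log file, network, SMS."""
    kinds = ["log"] if app.writes_log else []
    kinds += [name for perm, name in SINK_PERMS.items() if perm in app.permissions]
    return kinds

def find_leaky_pairs(apps: List[App]) -> List[Tuple[str, str, str, str]]:
    """Couple every sender with every other app; return one
    (sender, receiver, action, sink) tuple per potential inter-app leak."""
    pairs = []
    for sender in apps:
        if not (sender.permissions & SOURCE_PERMS):
            continue
        for intent in sender.sent_intents:
            if not intent.carries_sensitive:
                continue
            for receiver in apps:
                if receiver is sender:
                    continue
                if not any(filter_matches(intent, f) for f in receiver.exported_filters):
                    continue
                for kind in sink_kinds(receiver):
                    pairs.append((sender.package, receiver.package, intent.action, kind))
    return pairs

def sample_apps() -> List[App]:
    """Constructed sample; package names and actions are hypothetical."""
    default = {"android.intent.category.DEFAULT"}
    share = Intent("com.example.action.SHARE", set(default), carries_sensitive=True)
    share_filter = IntentFilter({"com.example.action.SHARE"}, set(default))
    return [
        App("com.example.weather", {"android.permission.ACCESS_FINE_LOCATION"},
            sent_intents=[share]),
        App("com.example.uploader", {"android.permission.INTERNET"},
            exported_filters=[share_filter]),
        App("com.example.logger", set(),
            exported_filters=[share_filter], writes_log=True),
        # Same action, but this filter demands an https: URI the intent lacks.
        App("com.example.viewer", {"android.permission.INTERNET"},
            exported_filters=[IntentFilter({"com.example.action.SHARE"}, set(default),
                                           schemes={"https"})]),
    ]

if __name__ == "__main__":
    for sender, receiver, action, sink in find_leaky_pairs(sample_apps()):
        print(f"{sender} -> {receiver} via {action}: data reaches {sink}")
```

On the constructed sample, the weather app pairs with both the uploader (network sink) and the logger (log-file sink), while the viewer is excluded because its filter does not match. Two caveats a practitioner would want: a static match like this only shows that a channel could exist, not that data actually flows or that the pairing is deliberate (the report separately weighs intentional against unintentional leaks), and the same matching applied to every pair among 100,000 apps is quadratic, which is why the researchers needed a dedicated system rather than a script like this one.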
Prior blog posts and firmware reports have identified numerous vulnerabilities with Android devices. Now, we know a little more about how some apps work together secretly. Add this new item to the list of vulnerabilities.
Android phones may be cheaper than other brands, but that comes at a very steep cost. What are your opinions?
The first thing that I say is that leaks is the wrong word. This is not leaking, which connotes an accidental or at least unintended occurrence. What is happening among these apps is intentional collusion to misappropriate a user's personal information without consent, so what these apps are colluding to do is steal a user's personal information, that is, steal the information which a user creates from his online activities. So what we have here is theft, not leakage.
What can the federal government do about this? It depends. First, Congress is at fault, because despite repeated requests from the FTC, it has refused to empower the FTC to promulgate rules that can protect consumers' privacy in the marketplace for goods and services, including but not limited to apps. Yet the FTC may be able to act. Because this theft of personal information is intentional and is done without consent or even notice, the FTC can prohibit this coordinated theft as a deceptive trade practice and/or a privacy violation because it occurs without any assent to the terms of an agreement.
What will the FTC do under the Trump Administration with a majority of three Republican commissioners? I suspect that the answer is not much, even though this collection of user's/consumers' personal info without consent, that is, this theft, violates well established precedents.
Posted by: Chanson de Roland | Friday, April 14, 2017 at 10:42 AM
Readers:
Below is the list of questions I have submitted to Google:
1. Who are the developers of the leaky Android apps?
2. Are any developers responsible for multiple leaky apps? If so, please provide names.
3. Do these leaky apps dominate particular types (e.g., mobile banking, Android Pay)?
4. If Google does not know who these developers are, what are you doing to identify and contact them?
5. What action will Google take with these apps and developers? If these apps won’t be removed from your app store, please describe other action.
6. On Apple iOS, the user has to give an app permission to collect data from other apps. Why isn’t Android doing this? Does Pixel fix the security problem?
7. If you are changing the way Android apps allow permissions for #6, when will this be available?
If I receive a reply, I will post it on my blog.
George
Editor
http://ivebeenmugged.typepad.com
Posted by: George | Friday, April 14, 2017 at 01:44 PM