Half of data connections by top 500 Android apps are 'covert' with no effect on user experience

Posted:
in iPhone edited November 2015
Researchers at the Massachusetts Institute of Technology have discovered that half of the communications connections established by the top free Android apps are hidden to the user, and much of the data is being transmitted for unknown purposes.


Illustration credit: MIT News.


The new study, summarized on Thursday by MIT News, looked at data transferred to and from the 500 most popular applications available on Android. Specifically, MIT was interested in so-called "covert" communications being silently sent by the top apps.

MIT found that roughly 50 percent of the communication channels opened by the top Android apps had no bearing on the user experience.

These "covert" connections are about half analytics data, sharing information about usage and user experience. But the other half of the "covert" data being transmitted remains a mystery.



"The interesting part is that the other 50 percent cannot be attributed to analytics," said Julia Rubin, a postdoctoral researcher at MIT Computer Science and Artificial Intelligence Laboratory who led the new study. "There might be a very good reason for this covert communication. We are not trying to say that it has to be eliminated. We're just saying the user needs to be informed."

To verify that the data transmission has no affect on user experience, researchers modified 47 of the top 100 Android apps to block "covert" communications. In 30 of those 47 applications, test subjects could detect no difference between the two versions of the app.



MIT's study found that Wal-Mart's Android app discreetly sends information associated with eBay without the user's knowledge. Disabling the ability of the app to send the information was said to have no affect on the user experience.

The full paper is available online and is credited to Rubin, Michael I. Gordon, Nguyen Nguyen, and Martin Rinard.
«1

Comments

  • Reply 1 of 29
    foggyhillfoggyhill Posts: 4,767member
    Oh, Android.... You are such a piece of crap OS! Let us count the ways that is so...
  • Reply 2 of 29
    gatorguygatorguy Posts: 24,176member
    The apps are spying. Simple as that.

    I am curious what DARPA's interest is tho since they were the backers of the study.
  • Reply 3 of 29

    Yea we all know how "secure" Android is.

     

    But, I wish if they researched top iOS apps as well, I would like to know which apps are getting away with my data so I can remove them, or Apple could block them till they start behaving again.

  • Reply 4 of 29
    muppetrymuppetry Posts: 3,331member
    Quote:

    Originally Posted by Gatorguy View Post



    The apps are spying. Simple as that.



    I am curious what DARPA's interest is tho since they were the backers of the study.



    DARPA funding is very broad, and sponsorship statements such as that are somewhat boilerplate and can cover multiple projects. It doesn't mean that they specifically solicited this study, but rather that it just fell into a wider research area.

  • Reply 5 of 29
    gatorguygatorguy Posts: 24,176member
    muppetry wrote: »

    DARPA funding is very broad, and sponsorship statements such as that are somewhat boilerplate and can cover multiple projects. It doesn't mean that they specifically solicited this study, but rather that it just fell into a wider research area.
    Here's a more comprehensive summation of the study, and as a bonus it's in plain English. That's a nice breath of fresh air from a technical blog.
    http://phys.org/news/2015-11-mysterious-android-apps-effect-user.html

    Towards the end of the article they explain why DARPA is interested.
  • Reply 6 of 29
    muppetrymuppetry Posts: 3,331member
    gatorguy wrote: »
    muppetry wrote: »

    DARPA funding is very broad, and sponsorship statements such as that are somewhat boilerplate and can cover multiple projects. It doesn't mean that they specifically solicited this study, but rather that it just fell into a wider research area.
    Here's a more comprehensive summation of the study, and as a bonus it's in plain English. That's a nice breath of fresh air from a technical blog.
    http://phys.org/news/2015-11-mysterious-android-apps-effect-user.html

    Towards the end of the article they explain why DARPA is interested.

    Yes - that seems like a good reason to be interested. Maybe a good reason for the DoD to switch to iOS, too.
  • Reply 7 of 29
    gatorguygatorguy Posts: 24,176member
    muppetry wrote: »
    Yes - that seems like a good reason to be interested. Maybe a good reason for the DoD to switch to iOS, too.
    In a quick search for the other half dozen DARPA-funded studies on mobile OS's this article pops up, and it does have to do with iOS. I don't know for a fact it's reporting on one of the DARPA ones but I'll have a gander at the source reports in awhile.

    http://www.csoonline.com/article/3003454/vulnerabilities/ios-apps-more-vulnerable-than-android.html#tk.rss_news

    EDIT: I'm guessing that DARPA was involved in this one too as the US Army is listed as a client.

    Here's the link to the source study too.
    https://www.checkmarx.com/white_papers/the-state-of-mobile-application-security-2014-2015/
  • Reply 8 of 29
    lkrupplkrupp Posts: 10,557member

    No wonder the bad guys all use iPhones. One of the reports about the Paris attacks said that there are recordings of ISIS operatives talking about which version of iOS is best to use. Yes, it’s that good apparently.

  • Reply 9 of 29
    I think an important point to emphasise is that this will never be a static issue. Apple's current enviable position is a function of years of investment in the code architecture, the Eco-system, the hardware, encryption, developer policy etc etc. Now they have definitely not got everything right first time - it would be impossible to do so - but the continual process of assess, improve, assess means that they have achieved this current enviable position relative to android. If they stopped doing any of those things then the situation would quickly change. This is why I find the knee jerk response to failures frustrating: success is the result of long term engineering effort and things can often not be fixed overnight. It is apples long term and long view response to all issues that best demonstrates the reason for their dominance and what (at least in my case) justifies my loyalty.
  • Reply 10 of 29
    gatorguy wrote: »
    Here's a more comprehensive summation of the study, and as a bonus it's in plain English. That's a nice breath of fresh air from a technical blog.
    http://phys.org/news/2015-11-mysterious-android-apps-effect-user.html

    Towards the end of the article they explain why DARPA is interested.
    How interesting. Safari refused to open your link because there were too many redirected links.
  • Reply 11 of 29
    gatorguygatorguy Posts: 24,176member
    How interesting. Safari refused to open your link because there were too many redirected links.
    Use this one as it's a direct link to the source study:
    https://www.checkmarx.com/white_papers/the-state-of-mobile-application-security-2014-2015/
  • Reply 12 of 29
    muppetrymuppetry Posts: 3,331member
    gatorguy wrote: »
    Here's a more comprehensive summation of the study, and as a bonus it's in plain English. That's a nice breath of fresh air from a technical blog.
    http://phys.org/news/2015-11-mysterious-android-apps-effect-user.html

    Towards the end of the article they explain why DARPA is interested.
    How interesting. Safari refused to open your link because there were too many redirected links.

    Strange. It opened just fine in Safari for me.
  • Reply 13 of 29
    gatorguy wrote: »
    Actually, it appears to be different, at least on the surface. Looking at the links in the article, they go straight to the MIT abstract. Yours links to a different organization called AppSec Labs. Probably my loss, but I don't subscribe to unknown (to me) links in order to download unknown materials either. I guess I will just never know.
  • Reply 14 of 29
    muppetry wrote: »
    Strange. It opened just fine in Safari for me.
    Most likely has to do with settings on my iOS version.
  • Reply 15 of 29
    gatorguygatorguy Posts: 24,176member
    Actually, it appears to be different, at least on the surface. Looking at the links in the article, they go straight to the MIT abstract. Yours links to a different organization called AppSec Labs. Probably my loss, but I don't subscribe to unknown (to me) links in order to download unknown materials either. I guess I will just never know.
    Sorry I was being confusing. My fault. The second link was to the State of Mobile Security Report. The first one you were having Safari problems with was the better summation (IMO) of the article AI was discussing.
  • Reply 16 of 29
    lkrupp wrote: »
    No wonder the bad guys all use iPhones. One of the reports about the Paris attacks said that there are recordings of ISIS operatives talking about which version of iOS is best to use. Yes, it’s that good apparently.

    But but but Samsung Knox!
  • Reply 17 of 29
    richlrichl Posts: 2,213member

    I doubt that iOS is any better. Virtually all mobile apps collect (anonymous) user analytics and free apps are likely to feature ads.

  • Reply 18 of 29
    Quote:
    Originally Posted by bloggerblog View Post

     

    Yea we all know how "secure" Android is.

     

    But, I wish if they researched top iOS apps as well, I would like to know which apps are getting away with my data so I can remove them, or Apple could block them till they start behaving again.




    Exactly my thought. Until Apple introduces a sort of "Network" permission for apps, nothing really prevents them to transmit anything available on the device (through public and/or private APIs).  And the network permission should not be dummy yes/no to ALL, but yes/no to an explicit white list of domain names requested for access.

  • Reply 20 of 29

    I have no idea what the authors of that study think they are trying to show.  Their methodology is inane.   Only when I'm specifically asking for something network related (load a web page, send a message, etc), will the connection be overt.  All background services are "covert" and they are supposed to be. That is not nefarious, it's good design. And of course the application continues to run with little or no impact on the user experience if you block those connections.   That's an explicit requirement for designing a mobile application.  You have to assume that a network connection may not be available and you write your app to work anyway. In fact, Apple explicitly tests whether your app works when connections fail and rejects it if it doesn't do something reasonable.  The user experience isn't affected if you block my app's check for updates, you just won't get updates. 

Sign In or Register to comment.