Half of data connections by top 500 Android apps are 'covert' with no effect on user experience
Researchers at the Massachusetts Institute of Technology have found that half of the network connections established by the top free Android apps are hidden from the user, and that much of the data sent over them serves no purpose the researchers could identify.
The new study, summarized on Thursday by MIT News, looked at data transferred to and from the 500 most popular applications available on Android. Specifically, MIT was interested in so-called "covert" communications being silently sent by the top apps.
MIT found that roughly 50 percent of the communication channels opened by the top Android apps had no bearing on the user experience.
About half of these "covert" connections carry analytics data, reporting usage and user-experience information back to the developer or a third party. The purpose of the other half of the "covert" traffic remains unknown.
"The interesting part is that the other 50 percent cannot be attributed to analytics," said Julia Rubin, a postdoctoral researcher at MIT Computer Science and Artificial Intelligence Laboratory who led the new study. "There might be a very good reason for this covert communication. We are not trying to say that it has to be eliminated. We're just saying the user needs to be informed."
To verify that blocking the covert transmissions has no effect on the user experience, the researchers modified 47 of the top 100 Android apps to block their "covert" communications. In 30 of those 47 applications, test subjects could detect no difference between the modified and unmodified versions of the app.
MIT's study found that Wal-Mart's Android app discreetly sends information associated with eBay without the user's knowledge. Disabling the app's ability to send that information was said to have no effect on the user experience.
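The study's split of traffic into user-triggered ("overt"), analytics, and otherwise unattributed connections is the kind of triage a practitioner can reproduce over a connection log from a device or proxy. The script below is an added example, not code from the MIT study or its authors: it parses constructed sample log lines (the package names, hosts, and the "trigger" field are all made up for illustration), labels each destination against a hypothetical analytics-domain suffix list, and reports the covert share and the unattributed hosts per app, which is what you would want to look at before deciding whether a connection such as the Wal-Mart/eBay one is explainable.

```python
"""Triage an app's outbound connections into overt, analytics, and
unattributed buckets, in the spirit of the MIT study's classification.

Added example; the log format, package names, hosts and the analytics
suffix list are all constructed for illustration and are not from the
study or from any real capture.
"""

from collections import Counter

# Constructed sample log: one line per outbound connection, with a
# "trigger" field that says whether a user action (ui) or background code
# (bg) initiated it. The study derived this distinction from its own
# instrumentation; here it is simply part of the made-up input.
SAMPLE_LOG = """\
pkg=com.example.shop host=api.example-shop.com trigger=ui
pkg=com.example.shop host=app-measurement.example-analytics.net trigger=bg
pkg=com.example.shop host=app-measurement.example-analytics.net trigger=bg
pkg=com.example.shop host=track.unknown-partner.io trigger=bg
pkg=com.example.shop host=cdn.example-shop.com trigger=ui
pkg=com.example.shop host=beacon.unknown-partner.io trigger=bg
pkg=com.example.news host=feeds.example-news.com trigger=ui
pkg=com.example.news host=crash.example-analytics.net trigger=bg
pkg=com.example.news host=ads.example-adnet.com trigger=bg
"""

# Hypothetical analytics/ad-provider suffixes. A real deployment would use
# a maintained tracker list; matching is on registrable-domain suffix so
# that subdomains of a known provider are also caught.
ANALYTICS_SUFFIXES = ("example-analytics.net", "example-adnet.com")


def parse_log(text):
    """Parse 'key=value' log lines into (package, host, user_triggered)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split("=", 1) for part in line.split())
        records.append((fields["pkg"], fields["host"], fields["trigger"] == "ui"))
    return records


def classify(host, user_triggered):
    """Return 'overt', 'analytics' or 'unattributed' for one connection."""
    if user_triggered:
        return "overt"
    host = host.lower().rstrip(".")
    for suffix in ANALYTICS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "analytics"
    return "unattributed"


def summarize(records):
    """Per-app counts, covert fraction, and the hosts nobody can explain."""
    per_app = {}
    for pkg, host, overt in records:
        per_app.setdefault(pkg, {"counts": Counter(), "unattributed_hosts": set()})
        label = classify(host, overt)
        per_app[pkg]["counts"][label] += 1
        if label == "unattributed":
            per_app[pkg]["unattributed_hosts"].add(host)

    report = {}
    for pkg, data in per_app.items():
        counts = data["counts"]
        total = sum(counts.values())
        covert = counts["analytics"] + counts["unattributed"]
        report[pkg] = {
            "total": total,
            "overt": counts["overt"],
            "analytics": counts["analytics"],
            "unattributed": counts["unattributed"],
            "covert_fraction": covert / total,
            "unattributed_hosts": sorted(data["unattributed_hosts"]),
        }
    return report


if __name__ == "__main__":
    for pkg, row in summarize(parse_log(SAMPLE_LOG)).items():
        print(pkg, row)
```

The interesting output is the `unattributed_hosts` list: destinations that are neither user-visible nor on a known analytics list are the ones the study says the user should be told about, and they are the first thing to examine when you repeat the blocking experiment on an app.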
The full paper is available online and is credited to Rubin, Michael I. Gordon, Nguyen Nguyen, and Martin Rinard.
Comments
The apps are spying. Simple as that.
I am curious what DARPA's interest is, though, since they were the backers of the study.
DARPA funding is very broad, and sponsorship statements such as that are somewhat boilerplate and can cover multiple projects. It doesn't mean that they specifically solicited this study, but rather that it just fell into a wider research area.
http://phys.org/news/2015-11-mysterious-android-apps-effect-user.html
Towards the end of the article they explain why DARPA is interested.
Yes - that seems like a good reason to be interested. Maybe a good reason for the DoD to switch to iOS, too.
http://www.csoonline.com/article/3003454/vulnerabilities/ios-apps-more-vulnerable-than-android.html#tk.rss_news
EDIT: I'm guessing that DARPA was involved in this one too as the US Army is listed as a client.
Here's the link to the source study too.
https://www.checkmarx.com/white_papers/the-state-of-mobile-application-security-2014-2015/
No wonder the bad guys all use iPhones. One of the reports about the Paris attacks said that there are recordings of ISIS operatives talking about which version of iOS is best to use. Yes, it’s that good apparently.
https://www.checkmarx.com/white_papers/the-state-of-mobile-application-security-2014-2015/
Strange. It opened just fine in Safari for me.
But but but Samsung Knox!
I doubt that iOS is any better. Virtually all mobile apps collect (anonymous) user analytics and free apps are likely to feature ads.
Yeah, we all know how "secure" Android is.
But I wish they had researched the top iOS apps as well. I would like to know which apps are getting away with my data so I can remove them, or Apple could block them until they start behaving again.
Exactly my thought. Until Apple introduces a sort of "Network" permission for apps, nothing really prevents them from transmitting anything available on the device (through public and/or private APIs). And the network permission should not be a dummy yes/no to ALL, but yes/no to an explicit whitelist of domain names requested for access.
And now Android phones are exploding!: http://www.ksl.com/?sid=37423516&nid=148&title=utah-woman-says-samsung-wont-pay-for-damages-from-exploding-cellphone&s_cid=queue-18
I have no idea what the authors of that study think they are trying to show. Their methodology is inane. Only when I'm specifically asking for something network related (load a web page, send a message, etc), will the connection be overt. All background services are "covert" and they are supposed to be. That is not nefarious, it's good design. And of course the application continues to run with little or no impact on the user experience if you block those connections. That's an explicit requirement for designing a mobile application. You have to assume that a network connection may not be available and you write your app to work anyway. In fact, Apple explicitly tests whether your app works when connections fail and rejects it if it doesn't do something reasonable. The user experience isn't affected if you block my app's check for updates, you just won't get updates.