Smartphone Spy: Top 10 Apps That Collect Your Data
The personal data market brings billions of dollars to tech companies. The main commodity in it is the users themselves, who hand over information about themselves to dozens of sites and services without even realizing it. The Bell examined the top 100 apps in the Google Play Store to find out which applications collect the most user data.
How we counted
For the count, we used the top 100 apps in the Google Play Store as of September 2019, according to the AppBrain website. We used the App Census service to determine what data the apps transmit and to which sites. We obtained information about the trackers and permissions each app requests from the app privacy audit platform Exodus.
Who transmits the most data
As The Bell learned, of the 100 most popular free apps in the Russian Google Play Store, only 11 do not share user data with third parties:
- Maps Widget
- Navitel Navigator
- Logic and deduction game
- Language – GO Keyboard
- Ebookdroid reader
- Anti-virus Dr.Web Light
According to calculations by The Bell, the app with the most data recipients (channels) was “Read for free” from Litres. The book reader sends data via 31 channels. Not all apps encrypt the information they send. The same “Read for Free” sends the Android Ad ID over unencrypted channels, which makes it possible to link a particular device to a user across the entire Google advertising system.
Of the top 100, 12 apps send data in unencrypted form – to their own IP addresses or to third parties:
- “Read for free” by Litres
- “First channel”
- Poker Game: World Poker Club
- GPS Navigator CityGuide
- Gismeteo Lite
- Voyage 2: Russian Roads game
- Player Dream
A significant part of this list consists of TV channel apps, which send data to Mediascope (formerly TNS Russia; this name is preserved in the trackers).
Channel One’s app was the leader in terms of unencrypted user data streams. It transmits to Mediascope not only the Android Ad ID, but also the unique MAC address of the device. In addition, the app sends unencrypted information to the AdFox advertising network.
It also turned out that the “Channel One” and NTV applications use the HTTP protocol, rather than the more secure HTTPS protocol, when transferring data to Mediascope.
They say. “If the data uses an unencrypted channel, this is a flaw on the developers’ part, and the data may be available to third parties,” warns Digital Security analyst Maxim Romodin. This means that while the data is in transit, the provider or third parties can “break into” the transmission channel and get access to your data: the location or the network MAC address of the device. This would allow, for example, marketers to determine what kind of device you use (expensive or cheap), and law enforcement to track a particular device on any public network available to them.
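A check of this kind can be reproduced on a test device whose Android Ad ID and MAC address are known: capture the app's traffic and look for those values in any request that goes over plain HTTP. The Python sketch below is an added example, not code from The Bell, AppCensus or Exodus; the hosts, parameter names and identifiers in it are constructed.

```python
from urllib.parse import urlsplit, unquote_plus

def identifier_variants(ad_id, mac):
    """Spellings of the test device's identifiers that may appear on the wire."""
    octets = mac.lower().replace("-", ":").split(":")
    return {
        "android_ad_id": {ad_id.lower(), ad_id.lower().replace("-", "")},
        "mac_address": {":".join(octets), "-".join(octets), "".join(octets)},
    }

def cleartext_leaks(flows, ad_id, mac):
    """Return sorted (host, identifier_kind) pairs seen in plain-HTTP flows."""
    variants = identifier_variants(ad_id, mac)
    leaks = set()
    for flow in flows:
        url = urlsplit(flow["url"])
        if url.scheme.lower() != "http":
            continue  # HTTPS flows are not readable by an on-path observer
        # Decode percent-encoding so 02%3A00... matches 02:00...
        haystack = unquote_plus(flow["url"] + "\n" + flow.get("body", "")).lower()
        for kind, spellings in variants.items():
            if any(s in haystack for s in spellings):
                leaks.add((url.hostname, kind))
    return sorted(leaks)

# Constructed sample data: identifiers, hosts and parameter names are made up.
AD_ID = "38400000-8cf0-11bd-b23e-10b96e40000d"
MAC = "02:00:5E:10:00:01"
FLOWS = [
    {"url": "http://stats.tracker.example/hit?adid=" + AD_ID
            + "&mac=02%3A00%3A5E%3A10%3A00%3A01"},
    {"url": "https://ads.network.example/v1/imp", "body": "ifa=" + AD_ID},
    {"url": "http://ads.network.example/sync",
     "body": '{"device":{"ifa":"38400000-8CF0-11BD-B23E-10B96E40000D"}}'},
    {"url": "http://cdn.app.example/cover.jpg"},
]

if __name__ == "__main__":
    for host, kind in cleartext_leaks(FLOWS, AD_ID, MAC):
        print(f"{kind} sent unencrypted to {host}")
```

The HTTPS request carrying the same Ad ID is skipped on purpose: the identifier still reaches the third party, but it cannot be read in transit.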
“Security of user data is one of our main priorities, and we regularly check the correctness of applications,” a representative of Litres Group assured The Bell. “The data analysis from AppCensus used version 3.3 of the Read Free app, but the current version of our app uses the Appodeal SDK 2.5.7, and all data in it is encrypted.”
The company also said in a comment that it recommends that users update the application in a timely manner: “this ensures the correctness and security of its work.”
Leaders in the number of trackers
Another serious security threat is the presence of ad trackers, which help Google and Facebook recognize a user’s account in any application and show them relevant ads. Of the hundred most popular free apps in the Russian Play Store, only three do not use trackers at all. These are the book reader Ebookdroid reader, Anti-virus Dr.Web Light and the navigator GPS Navigator CityGuide. The Yandex.Metro and Qiwi Wallet applications use two trackers each.
The leader in the number of trackers was Coub, the app for short video clips. According to Exodus, 30 different trackers were found in the app’s code. The majority of them are owned by Google and Facebook and collect various information about the user, from location to the ads seen. Slightly fewer, 27 trackers, belong to the aforementioned data leader, Litres’ Read for Free.
The most common, not surprisingly, were trackers from the ad networks of Google (41% of all apps on Google Play), Facebook (13%) and Yandex (1%). Developers also often use the Flurry tracker from Yahoo (present in 12% of apps) and myTarget (2%).
It’s telling. Not all trackers follow the user for the sake of making money from advertising. “Ad trackers are a related service to make money from mobile advertising; trackers like Crashlytics are technical and help developers debug apps,” explains Ivan Begtin, director of Information Culture. There are also trackers that track user behavior, the most common of which is Google Analytics.
“Data transmitted by analytics services are mostly impersonal and are used for big data analysis,” reassures Maxim Romodin of Digital Security.
The analyst points out that Google imposes requirements on all applications. According to the company’s policy, an application must request only the permissions it needs to work. In addition, the data collected by the application cannot be transmitted to third parties for advertising purposes or used for espionage or surveillance. In case of non-compliance, Google will notify the developer of the possible removal of the app from the store. That said, Google even offers a reward if users are able to expose developers for violating the rules.
What we allow apps to do
In most cases, it is up to the user to allow an app access to their data. When you install an app from the Play Store and run it for the first time, the app asks the user for access to certain functions of the device. For example, almost all of the apps in the top 100 ask for access to read and write data on the memory card. “This is necessary to store cache on the memory card and offline copies of pages,” the company explained the need for access to the memory card for Browser. Other applications can store game saves, map cache and other information in the device’s external memory.
Things are much more complicated with access to the camera and audio. According to calculations by The Bell, more than a third of the top 100 Google Play Store applications request access to them.
According to data from Symantec, 46% of all Android applications request access to the smartphone camera, another 25% want to record audio without notifying the user (according to other data, this may be more than half, and some applications may not even request permission to send audio to external servers or do this despite a direct prohibition).
By comparison, the proportion of iOS apps with access to the camera, according to the same Symantec study, is 25%, with the ability to record audio at 9%. In addition, Apple smartphone apps can’t access the call and texting history on the device.
They say. “Developers sometimes purposely add rarely needed features to their apps that allow them to request additional rights on the user’s device,” says Begtin of Information Culture. He adds that a large amount of information makes it possible to refine the user’s profile as a buyer and recipient of advertising.
But not all information is knowingly requested solely for commercial purposes. For example, fitness applications track geolocation in order to work correctly, and access to audio is what lets voice assistants such as Google Assistant and “Alice” work.
Who’s asking for the most permissions
The app greediest for user data among the top 100 in the Google Play Store was that of the social network VK. When installed, it requests 60 different permissions. Russian users have long known that VK from Mail.ru Group tracks the user’s every step, down to their exact location with an accuracy of up to half a meter.
Among VK’s permissions, Exodus considers the following dangerous:
- access to location (exact and approximate);
- to the camera;
- accounts on the device;
- call history;
- smartphone data (model, battery charge, amount of free RAM);
- access to the microphone;
- access of the application to the system settings;
- priority mode of displaying notifications.
What they say about this. Applications have to request even those permissions that Exodus considers dangerous: first, so that all their functionality works correctly, and second, to pass moderation on the Android platform, explains the representative, who gives examples:
- Location: sites can request the user’s location via HTML5 API. Permission is needed so that our apps can transmit the user’s location with their permission.
- Camera access: the user can upload images and pictures from the camera to the sites.
- Accounts: we allow you to authorize in one Yandex application and use the account in the others, this permission is required.
- Read memory card and write to memory card: necessary for storing cache on the memory card and offline copies of pages.
- Recording audio: necessary for the voice assistant “Alice”.
The Price of Data
The problem of safeguarding user data is one of the most important in the IT market. Facebook and Google make billions of dollars from ads shown to millions of people around the world. To show ads more accurately, the Internet giants use user data. They share the same data with other companies so that those companies can better target their offers. At the same time, Apple refused to sell user data so as not to put users at risk, essentially cutting off advertisers’ access to its users’ data.
After the Cambridge Analytica scandal, Facebook lost $6 billion in market capitalization in a short time. Despite this, the company continues to collect data and sell it to third parties. According to rough estimates, Facebook alone can earn up to $85 million a year from the sale of data.
The Financial Times estimates that one user’s data can be worth anywhere from 10 cents to $2, depending on social status, age and other criteria.
Doing the same math for Google is very difficult. While on Facebook people fill out profiles and like interesting pages themselves, Google collects data from everything, from search queries and selected search results to browser history and bookmarks. That is why the U.S. Congress is proposing that technology companies disclose the value of the data they sell to third parties.