Android tool catches apps silently pumping hundreds of ad, tracking servers red-handed

Security researchers have developed an Android application that's capable of alerting when other apps on a phone or tablet are covertly tracking users and connecting to ad networks. The team at France's Eurecom and Technicolor Research – explained in a paper published in the Cornell University Library archive that their …

  1. Andrew Jones 2

    It's worth noting though - that because privacy and tracking are specifically being categorised here - the vast majority of these URLs are likely to be Analytics - about how the app is used, what are the most frequently accessed sections etc. - all valuable data for an app builder - that doesn't necessarily tell them who you are. Of course the alternative is to not have any app tracking going on, and people will simply uninstall the app because "it's crap", leave negative reviews on the Play Store without actually leaving a detailed description of how the app could be improved, and the developer will be left in the dark trying different things to attempt to make the app better - but without knowing what is actually wrong with it - and almost no-one will bother to actually write an email to the developer offering constructive criticism.

    1. elDog

      Why are app trackers (GA, etc.) not part of the 1st party domain?

      I have no problem letting a web site that I voluntarily visit run JS from its own site. I figure it has already vetted the JS as well as its own HTML, CSS, etc.

      I have lots of problems with all these sites that use 5-20-50 other sites for JS resources. The primary site is obviously not able to vet the contents of these possibly changing resources.

      I can limit this cross-site JS usage with microMatrix or other tools but it really becomes a PITA. Personally I think it also makes the primary sites less responsive and more prone to breakage.

      Google (Analytics) needs to come up with a better way to make this happen. ClickTrackers can just go f themselves.

      I had one co-developer tell me "if you don't allow arbitrary JS to run on your sites, you shouldn't be programming web apps."

    2. Mark 85

      Analytics? Really... up to 2,000 times in the first minute? I'm not buying that...

  2. thomas k.

    Ghostery browser

    Ghostery, the browser add-on people, have released their own Android browser. It's available thru the Play Store.

    https://play.google.com/store/apps/details?id=com.ghostery.android.ghostery

    1. Dan 55

      Re: Ghostery browser

      This is Google, that's so going to get pulled from the store when they realise what it is.

      1. Jonathan Richards 1

        Re: Ghostery browser

        Over 100,000 downloads at the time I snagged it, circa 1100 UTC.

    2. petur

      Re: Ghostery browser

      Last time I checked Ghostery I saw it actually tracks you too. So you're replacing/blocking tracking from a bunch of apps and sites, with other tracking.

      1. Anonymous Coward

        Re: Ghostery browser

        but it only tracks you being tracked, because they CARE about YOUR anonymity (cough-cough). And they're not a commercial venture (cough-cough), nosir, notatall (going blue in the face).

    3. RobHib

      @thomas k. — Re: Ghostery browser. And my kludge soln. for pernicious spying.

      I consider Ghostery an essential install-first tool on both Windows and Android; it's a good start but by no means the full answer. Also, I'd reckon downloaders of Ghostery and similar apps would be especially flagged by Google, if for nothing else other than to check how effective the anti-ad-blocking tools are.

      I've been so pissed off with ads and the pernicious spying that I've taken rather drastic action—my Android is no longer a phone. I've removed the SIM and placed it back into my no-internet phone-only LG, so it's strictly only a phone. Now, the Android's only connection to the internet is via WiFi, which I disconnect before using the apps (fortunately most of the apps I use can be run offline).

      Before reconnecting, apps are killed, CCleaner and other cleaners are run, and of course JavaScript is a no-no, so is Google's internet access (I use any other browser except Google). Same with Location Services, they're nuked except in exceptional cases.

      As I see it, Google created the Android platform with ads and user-spying as the primary application, the apps we users want to use are essentially nothing more than attractive lures.

      Once I used to balk at the commercialization of the internet under MS Windows but it's hardly a beginner against Google's Android.

      Damn nuisance really.

  3. oneeye

    I was onto this research yesterday!

    I tracked Luigi down last night after reading the article at MIT Technology Review, and reading the research paper. I asked for permission to post about the research and app, and did so around 3:30 pm EST. He invited me to join the Play Store beta test, but I did not hear back yet. I hope I did not get him in hot water. The app link was live yesterday, but others must have gotten wind of the app, which only had a link in the paper. I had posted at Mallwaretips.com where I am a member. Never got to post it at Android Central. But by tonight, the link was dead. If I finally do get the invite for the beta test, I'll come back and post my experience.

    1. Anonymous Coward

      Re: I was onto this research yesterday!

      It's nicely done research and the paper was well done too. Here's hoping on the beta.... Oh, and if you get the chance, pass back to the team "Well done" from this crazy (ex-nuclear engineer) econometrician. It's a rare academic read that literally ticks off the check-boxes before I even think about them.

  4. JaitcH

    And, I wonder, how much ...

    all these freeloading bums cost by way of data allowances?

    Little wonder those who roam soon run out of data allowance time.

  5. speco

    App available at github

    Though a developer has already mailed the original creator, he has cloned the apk file at

    https://github.com/sponnusa/NoSuchApp_Mirror/tree/master

  6. Anonymous Coward

    all you need is ...

    Have to say, though my phone use case may be somewhat atypical, I have been able to get by on only installing apps from F-Droid on my Android handset. Granted, that is not air-tight protection from this garbage, but generally F-Droid does let you know when and how apps behave slightly shady (with the source of the apps available, it's hard to deny if someone flags and looks). The privacy guard that also comes with Cyanogenmod also works seamlessly with the F-Droid apps I use and does keep apps (unless you verify) out of your location information, texts, contacts, etc. I originally did this to go open source only and get away with not having a Google account associated (no accounts actually) with the phone. Funny that I keep coming across side benefits.

  7. This post has been deleted by its author

  8. Badvok

    Let's play statistics!

    2,146 apps requested internet access permission, of those 436 didn't bother actually connecting to anything - eh?

    Of the 1,710 apps that did access the net they accessed 1 url for every 68 user actions. Or was that 10,000 scripted events split over 1,710 apps? But that seems like too little interaction - 6 user interactions per app?

    Many of the apps were probably free and thus depended on ad revenue - no statistics provided - why not?

    The only really interesting stats here are the 5.6% suspicious URLs, and the 2.9% malicious, but then no detail provided on what type of apps generated this, or even what proportion of the 1,710 apps did this.

    1. Badvok

      Re: Let's play statistics!

      I've just bothered to read the actual paper that this article is based on. They do identify the baddest apps and yes all the apps they examined were 'free', aka ad-funded. The bad apps are very much a minority of the sample, though not a small enough minority to be ignored.

      The majority of URLs/domains are those you would expect from ad-funded apps, i.e. google ads and analytics, doubleclick.net, etc.

      The 10,000 user interactions were per app, so lots of user interactions per URL.

      The 'suspicious' score in the Reg article of 5.6% is a bit misleading; in the paper the researchers identified 94.4% of apps as failing to access any URL/domain identified as suspicious by any of 52 different sources. Since there are likely to be a few false positives across those 52 URL rating sources, saying 5.6% accessed suspicious URLs is not really a fair reflection.

  9. paulc

    Got Root?

    Do I need root access to run this app?

    1. phil dude

      Re: Got Root?

      If you have Root you can disable all the tracking BS.

      Unfortunately some of us need to keep the "warranty" intact, and so we have to put up with Google's half-arsed security model.

      P.

  10. DCLXV

    Right, well...

    "Tool" my ass; if it's not just a shell script with a flash UI calling the bundled Busybox util, I'll eat my hat.

  11. Sebby

    iOS

    I'm not seeing this supposed security advantage: lots and lots of ad servers being hit (and blocked by my resolver) on a regular basis by apps just running in the background. Flurry, GA, admob, etc etc etc.
