Top Android app devs found exfiltrating mystery stealth packets

Four researchers have found two thirds of the most popular Android apps indulge in seemingly-useless covert chatter with remote servers. Top developers including Gameloft, Unity3d, and grillgames are implicated to varying degrees. The chatter has no use to users. About half of the traffic is related to analytics, such as that …

  1. cbars Bronze badge

    Phone home

    "This individual behaves like X, try showing them some adverts!"

    1. BillG
      Big Brother

      Re: Phone home

      There used to be a flashlight app on the Android app store that was about 3M in size and grabbed access to almost all phone privileges, including network access. It's since been taken down.

      I use a firewall to block network access to any app that doesn't need it, but I refuse to install any app that wants to toggle sync on and off, as no good can come from that.

      1. Phil Kingston

        Re: Phone home

        Hope that firewall app is a reputable one and doesn't indulge in its own analytic collection.

        1. Anonymous Coward

          Re: Phone home

          "Wait a minute. Do you want to advertarially enrich me again?"

  2. 45RPM Silver badge

    How does this compare with Windows or iOS?

    1. DwarfPants

      Comparison of android, iOS, Windows

      Probably same S*** different texture / consistency

      1. 45RPM Silver badge

        Re: Comparison of android, iOS, Windows

        The trouble is that when research of this type is published, concentrating on only one platform, it doesn't provide enough information for purchasers to make an informed decision. At worst, it provides more grist to the mill of adherents (fan boys) of other OSs that theirs is somehow better. Safer. And it may be - but there isn't enough data here to make that kind of judgment. Equally, it may not be - it may be worse.

        I would genuinely be interested to see this research but covering all the major mobile operating systems.

  3. Sir Runcible Spoon
    WTF?

    Sir

    Sounds like some kind of hidden licence, especially if the app stops working once it is stopped from phoning home.

    Who knows what data it is scraping up, assume everything, from contacts, phone logs, emails and other app purchases etc.

  4. xj650t
    Facepalm

    Oh Look

    My f#*cking battery is flat again.

    Must be all that background app chatter

    1. hapticz

      Re: Oh Look my data limit is reached!

      and the various contract providers are jumping with joy as data limits are exceeded every month for a few extra millions in fees too! look right to Verizon, comcast, att and euro providers to find no real throttles on this activity either. they love when they can keep the users blind to reality.

  5. Khaptain Silver badge
    Coat

    Feeding the hungry

    Might be the NSA, ISIS, Swedish Spy Affiliation Services, Rowandian Technology Expert Group, Anonymous or Hilary Badass Clinton requiring their daily dose of luser data....

  6. Anonymous Coward

    Which is why the move to more granular permission with Android 6.0 is welcome - I can then choose whether each app gets to read my contacts, call logs, access my SD card and so on.

    Apps exist that can do this already, but because they work at a lower level developers don't have to allow for an app being denied access to something. This means they can misbehave in all sorts of weird ways. Any 6-compatible app will have to handle it gracefully. I wonder how FB and Twitter will react to a sudden loss of incoming data?

    OTOH, I've already moved to using mobile websites for Facebook and Twitter. If nothing else, the HTTP protocol seems better at delivering data when you've got sketchy signal, no end of times I've sat there with 3G but no 4G, and the Facebook app refuses to do anything. Perhaps it prioritises the covert data!

    1. fuzzie

      Colour me cynical, but I'd not be too surprised if a lot of this background chatter is facilitated by that 800lb gorilla that is Google Play Services. It's also the service that has unfettered permissions, can even grant itself permissions, and tends to ignore other preferences/settings.

      Aside: Google pushed a broken Play Services update onto my phone a fortnight ago (not the first time this has happened) resulting in it (PS) crashing every 10min. So I uninstalled all updates (reverting to firmware version). Other Google apps, e.g. Maps, Hangouts, Newreader, started bleating that I needed to update PS. Most of those I don't/haven't used. Seems they've all been running regardless? Some third party apps also complained, but appeared to still work fine.

      PS: Wish I could uninstall Google bloatware---moreso for Gapps/Gservices that aren't available in my neck of the woods.

    2. DF118

      @Chris 125

      "Which is why the move to more granular permission with Android 6.0 is welcome"

      It's a great idea, but I fear the practice will simply become that any app, when so denied any given permission, will either refuse to operate, or operate in some kind of useless limp mode, until the permission is granted/restored.

      Seems unlikely that Google would have any reason to force app devs to give up their user data addiction, especially when it comes to behemoths like Faceache.

      This can already be seen happening with Facebook platform apps. FB now permits users some granularity of choice on permission requests, however when you deny one or more requested permissions many apps in return refuse to operate.

      1. Cuddles

        Re: @Chris 125

        "It's a great idea, but I fear the practice will simply become that any app, when so denied any given permission, will either refuse to operate, or operate in some kind of useless limp mode, until the permission is granted/restored."

        I'm, usually, not quite so pessimistic. The vast majority of app developers don't actually have anything useful to do with all the data they collect, they do it simply because they can and because everyone else is doing it. Those not actually making money from their data slurping will not continue to demand silly permissions because that would ultimately lose them users and money - even if only a small proportion of people refuse to use such apps, that's still money lost for no reason. It's only the big players who actually have real business models based on data collection - Google, Facebook, and so on, who would actually stand to lose money from being denied data and will therefore continue to demand it no matter what.

      2. Anonymous Coward

        Re: @Chris 125

        Well that's fine, the developers will have to then wade through a mass of "bug" reports, low scoring reviews and (hopefully) abuse from tech blogs when their apps fail to work for no valid reason.

        The Android Twitter app for example has a load of permissions that even I, as a user, can justify. Read and write SD card, because you can upload files. SMS, because (AFAIK) you can verify your phone number with a text. Contacts because it will offer to spam your mates.

        Control the sleep functions of my phone? Draw on top of other apps? Not so sure about those, so I'd disable them (for the record, I'd disable most of the ones I listed above too, but play along eh?). If the app then refuses to work, at least it would tell me why it needed those permissions (because I'd get to a certain function and it would go "Oh, sorry, you need to have A enabled to do B") or I could legitimately harass their support people until they coughed up why they were using that permission.

        I seem to remember reading also that part of the Google good-developer-guide-thing (probably not an official name) states that you have to intelligently handle lack of permissions come Android 6, not just bomb out totally.

        1. BinkyTheMagicPaperclip Silver badge

          Re: @Chris 125

          I think you severely overestimate the number of low scores an app will receive for not being sufficiently restrictive in its set of permissions.

          Look at Vista: it mostly did The Right Thing. Windows 7 was made deliberately less secure, and needed an extra setting to restore the UAC to switch to the secure desktop and insist on a password.

          Users did not appreciate this at all, why do you think they're going to give a rat's arse that Facebook wants to control their camera, speaker, phone, address book, network and sd card?

        2. DF118

          Re: @Chris 125

          No argument with any of that; I'm just making the observation. Plus, given the choice between:

          A) Being unable to use an app because it refuses to work with a given set of restricted permissions, then seeking to spend time "reviewing" the app to gripe about said refusal to operate.

          B) Finding something else

          and

          C) Simply granting the permissions.

          ...I highly doubt even a small minority of people would choose option A.

          Like I say, I'm with you on what apps should and shouldn't be asking for/getting, however the trouble is the (apparent) quid pro quo of having some new shiny game/app/whatever is seemingly enough for them to just hand over control. Devs know this and exploit it, and until more people start to care about their privacy, that state of affairs ain't going to change.

          "I seem to remember reading also that part of the Google good-developer-guide-thing (probably not an official name) states that you have to intelligently handle lack of permissions come Android 6, not just bomb out totally."

          "We're sorry, but you agreed to the EULA, which states this software requires the following permissions, which you have not granted. Please grant the permissions listed in order to continue."

          To you and me, that's definitely bombing out, but at the same time it's a perfectly intelligent way to handle it. And more to the point, nobody can force your user to grant permissions, just like nobody can force you to provide a function/service without getting what you want in return for it.

      3. Adam Inistrator

        Re: @Chris 125

        Good privacy guards provide faked contacts, faked imei etc so no problem.

    3. BinkyTheMagicPaperclip Silver badge

      You mean, in the same way that Android apps are supposed to cope with auto rotation, save state properly and handle things like hardware keyboards? Yet, they don't, even with very popular apps (web browsers, snapchat, yadda, yadda..)

    4. MrRimmerSIR!

      Granular permissions

      There's a very good app called XPrivacy that allows you to feed an app randomised data for denied permissions e.g. serial number, operator name etc. So rather than causing the app to crash, it returns something that the app can understand.

  7. Anonymous Coward

    No root firewall

    This is rather slick and helps tame apps that shouldn't constantly communicate

    https://play.google.com/store/apps/details?id=eu.faircode.netguard

    1. Adam Inistrator

      Re: No root firewall

      It installs a dummy VPN disabling any existing running VPN, so no use to many.

  8. Anonymous Coward

    Would love to see a similar audit of Apple apps

    perhaps using cydia substrate to dynamically monitor and debug

  9. The Other Steve

    "About half of the traffic is related to analytics,"

    And most likely the other half was as well. Apps do telemetry now. They do A/B testing, etc. What's left over will probably be ads.

    It's a bit OTT when you state analytics traffic - mainly used to improve UX - is of no value to the user.

  10. kryptylomese

    Sounds like we need to bring back the master control program!

  11. Anonymous Coward

    One big difference between iOS and Android

    Other than tracking your location there is nothing in iOS that would give an application the ability to perform stuff like this on the background. This is one big technical difference between the two platforms. iOS does not have real multitasking. You can register to listen to location tracking events from Bluetooth or GPS and if you get permission from the user then you can periodically run things on the background. But there is nothing that would keep your application running from the time the OS starts.

  12. SquidEmperor

    The best form of defense is...

    Solution is easy. Once we know which apps are secretly sending back-chat usage data etc we should immediately ensure the entire cast of "Made in Chelsea" install these apps. The resultant usage data will be so skewed by these moronic people that any company attempting to leverage the data for commercial gain will inevitably become bankrupt.

  13. Teddy the Bear
    Angel

    Users might change

    Am I being desperately optimistic in wondering whether user behaviours might change once permissions become granular and everyone knows? Or will they see it as UAC from Vista and get their knickers in a twist?

    Hope it's the former... have to admit it's likely to be the latter though.
