By Harshvardhan J. Pandit
Android apps privacy
We all have smartphones, and we all have several apps on them that we use regularly, from the good old dialer to make phone calls to fancy apps that add filters to photos and videos. But do we realise how much data these apps use and what they do with it? In most cases, we do not even realise how bad this problem is, partially because apps are really sly about it, but mostly because we don't really care. For a simple example, a flashlight app sucked up data it had no business using, and users were left none the wiser. The recent study by HPE shows that this is a continuing problem even today.
In response, Apple's iOS and Google's Android, which share almost the entirety of the smartphone market between them, have come up with several methods to tackle this problem. One of them is granular permissions, where the user has increased control over what resources are requested by an app. For example, instead of an app requesting a one-time permission to use the camera during install, the platform will show a message when the app actually requests to use the camera while running. The problem with such granular permissions is that they become a nuisance when they are constantly deployed. No one wants to answer whether the app should use the camera each time, and so, more often than not, they click on allow always. While this model works at a basic level, apps use a lot more than things such as camera and contacts. An app can run in the background, can use location while it is running, can read your call log, your SMS, see what apps are installed on your system, and so on and so forth.
With an increased sensitivity towards privacy, I recently flashed my OnePlus 3T with an open source ROM (Resurrection Remix OS based on LineageOS) that has several benefits over stock Android (and OxygenOS, which is OnePlus's custom Android ROM). Important amongst them is Privacy Guard, which allows control over the resources used by an app, transparently to the app. This means that if I configure Privacy Guard to not provide location info to an app, this is done without letting the app know that it has been restricted in some form. The app sees the location request as having failed, with no location data being sent to it. Some apps are bold enough to quit or stall at that point, and explicitly ask the user for some piece of data in lieu of providing a certain service.
My 'experiment', as much as I can call it that, is to study these apps that I have installed on my system, and try and understand why they need all that data. Using Privacy Guard as my primary tool, I will restrict data and see if it affects the functionality of the app. Based on how it functions, I will try to make an educated guess as to why the app needs that particular data to function. My Masters by Research topic involved poking around in smartphone apps to see how they could better make use of contextual data, something that helped me understand how apps work and what role the platform plays in providing data access. I intend to exploit this knowledge in the long run by exploring further how apps make use of the data they collect. This can involve logging what data is sent out from the phone and onto the server, whether it contains data that was obtained without fair permission, and if the app is truly malicious or just ignorant regarding security.
Over the coming weeks, I will be publishing my results on this blog as a series of posts. Let me know if you have a particular request regarding an app you want me to study. For the sake of disclosure, I have the following apps on my phone that I will be looking into:
- Messengers: WhatsApp, Facebook Messenger, Hangouts, Signal
- Social: Twitter, Reddit
- Banking: Bank of Ireland, Ulster Bank
- Google: Play Store, Play Services, Calendar, Hangouts, Gmail, Drive, Keep, Maps
- Misc: Dropbox, Eventbrite, Firefox, Keybase, Tesco Mobile, Pebble, Pocket, Spotify