Researchers: Thousands of Android Apps Are Secretly Tracking, Snooping On Your Private Data

Anyone who has driven an Android smartphone any distance whatsoever has no doubt wondered whether any of the apps they use could be serving as information conduits. The relaxed vetting process that the Google Play Store has in place ('relaxed' versus the jailer-esque process in use by those minding Apple's app store) results in their stocking all but the most obviously malicious apps, after all, so a little suspicion in the mix just makes sense.

So is this neat new Find Parking app that just asked for location privileges pushing data on my movements into some database somewhere? Will personal data end up indelibly etched on a list (or two...or ten) if I use this app to buy the concert tickets from my phone?


Wonder no longer. Yes, many of those cute little apps we love to load onto your digital pocket pals ARE giving up the goods, covertly shooting off data to ad sites and user tracking sites, and in some cases even sites that are considerably more nefarious. Now, though, thanks to the work of a group of security researchers at Eurecom in France, Android users everywhere will soon be able to use an app to monitor the behavior of other apps on their smartphone and uncover precisely which sites they are being clandestinely connected to.

The new app, NoSuchApp ('NSA' for short, named "in honor of a similarly acronymed monitoring agency"), is the result of a massive research project that involved the downloading and installation of 2146 free apps from all 25 categories on offer in Google Play. Specifically, the researchers performed their analysis on the apps using a Samsung Galaxy SIII Mini smartphone running Android 4.1.2, which was configured to a local VPN that could be monitored for traffic activity, employing tcpdump to create a package for each individual application. Use of each application was simulated via a series of 1000 automated user interactions, with each packet capture processed with tshark to extract URLs. Those URLs were then compared against EasyList (an ad-related sites database) and EasyPrivacy (a user-tracking sites database) — two lists used by AdBlock Plus and other adblocking and anti-trafficking software — and also against Virustotal (a free virus, malware and URL online scanning service) for good measure, to ascertain the conclusions of the Eurecom study.

And the conclusions the group reached are chilling. Approximately 10% of the apps tested connected to more than 500 distinct URLs, with the worst offenders connecting to over 1,000 URLs each and about 100 top level domains. On the ad side, about two-thirds of the apps tested connect to an average of 40 ad URLs (with some connecting to over 1000) with Google-owned domains hovering near the top. Regarding user tracking sites, less than 30% make a connection, however some that connect do so with over 800 different trackers. To illustrate, the worst of the bunch — an app called Eurosport Player — connects to 810 tracking sites. The good news, though, if you can call it that, is that 94.4% of all of the URLs tested scored 0 with Virustotal, with the worst case for the outliers being that hits were recorded by three of the service's 52 different engines.

Android users who have read this far are no doubt gearing up to grab Eurecom's NoSuchApp app, to see just what kind of beneath-the-covers activities their smartphone apps are getting up to under their very noses. At this time, though, the app is not yet available on Google Play, and the DropBox link that Eurecom set up for NoSuchApp is temporarily disabled at this time due to excessive traffic (but do keep trying).