Monday, October 29, 2018

Meddling Smartphone Apps


Some smartphone apps can be unexpectedly meddlesome, lurking in our private information. A priori our thoughts are “I don’t care; I have nothing to hide”. However, there is a lot at stake. Let’s take a tour of what is at stake, why some mobile apps are lurking in your stuff, and how this information represents a liability for you. Lastly, let’s dive into what you can do to stay safe with minimal effort.

Overall, I’ll use Android apps as examples, but the same principles apply to iOS apps.

What is at stake?
Apps are sometimes really greedy with the permissions they request.

Some video games require access to your contacts and location; otherwise, they won’t work. Why? We just want to play the game. Only occasionally does location access make sense (for instance, when playing Pokemon Go).

Some other apps ask to run at startup and to prevent the phone from sleeping. An example of this is NerdWallet. This combo entitles them to run in the background as long as they want, anytime. What are they doing in the background? Why do they need that? They don't explain why and there is no reasonable explanation.

United Airlines asks for a handful of privileges: monitor your calls, access Bluetooth, access your storage, use NFC, use your location and prevent the device from sleeping. But United doesn't explain why they need access to Bluetooth or NFC. Also, they ask for your location, so they are entitled to track you all the time for the small benefit of getting an airport map handy -- not really worth the risk in my opinion. They also ask to make phone calls directly from their app, but there is no need for such a requirement. The United app can trigger a phone call from the phone app without asking for this privilege.

Another strong permission that I've seen apps request is "Device & app history". This allows them to read sensitive data, like your browsing history and what apps you use. With this, developers are getting to know a lot about you. A web browser or an anti-virus will certainly require "Device & app history". However, those permissions should not be required by a game or an app to check your credit score. NerdWallet used to request this permission and I filed a claim about this. Fortunately, they fixed it a few months ago.

Sometimes it is not about what they know, but why they need it and what they are going to do with your information. Are they going to store it safely? Will they sell it to third parties? Will they use it to influence an electoral campaign?

Personally, I would never install an app that requires permissions without a clear need or explanation.
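
One way to run this check before installing, as an added example that is not part of the original post: the script reads the permission list printed by `aapt dump permissions <apk>` and flags the requests discussed above. The mapping from store labels to manifest permission names, the `EXPECTED` policy table and the sample package are assumptions made for illustration.

```python
import re

# Assumed mapping: manifest permission name -> label used in the article.
LABELS = {
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.WAKE_LOCK": "prevent phone from sleeping",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.CALL_PHONE": "directly call phone numbers",
    "android.permission.GET_TASKS": "device & app history",
    "android.permission.READ_LOGS": "device & app history",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "device & app history",
}

# Assumed policy: labels for which each app category has a clear need.
EXPECTED = {
    "game": set(),
    "finance": set(),
    "browser": {"device & app history", "location"},
}

# Matches both aapt styles: name='android.permission.X' and bare android.permission.X
PERM_RE = re.compile(r"uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def requested_labels(aapt_output):
    """Return the article-level labels found in `aapt dump permissions` output."""
    labels = set()
    for line in aapt_output.splitlines():
        m = PERM_RE.match(line.strip())
        if m and m.group(1) in LABELS:
            labels.add(LABELS[m.group(1)])
    return labels

def audit(aapt_output, category):
    """List requested labels with no clear need for this category."""
    labels = requested_labels(aapt_output)
    findings = sorted(labels - EXPECTED.get(category, set()))
    # The combination singled out above: start at boot and keep the device awake.
    if {"run at startup", "prevent phone from sleeping"} <= labels:
        findings.append("COMBO: can run in the background at any time")
    return findings

# Constructed sample output for a hypothetical credit-score app.
SAMPLE = """package: com.example.creditscore
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.WAKE_LOCK'
uses-permission: name='android.permission.GET_TASKS'
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "finance"):
        print(finding)
```
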

Why do they lurk?
There are three main reasons why app developers want your data.

Reason 1: they want to offer a better service
App developers use the information they collect from you to:
- Learn how you use the app so they can improve the sticking points. This way they can design a more intuitive UI.
- Discover if the app crashes, if it runs slowly, and if it uses too many resources. This way the engineering team can solve issues.

This is great! By collecting data, developers can figure out if something is going wrong, or if their app loads slowly or consumes too much battery.

Reason 2: they want to make extra money
- Getting to know you better allows the company to offer a better service. For example, Target might offer you discounted products on things you usually buy. Or Seamless might pop a notification that your fav restaurant is having a happy hour.
- Knowing the market and trends allows airlines to work better on supply and demand (I’ve a draft blog post coming up soon about this topic).

This is good (mostly the first point). I love when Facebook shows me relevant events in my area! I don't want to see lame ads, so by allowing them to know me better, I'm getting something back.

Reason 3: they sell your data to 3rd parties
- It’s no secret that information is power. There is a big market for selling data and small companies can make a lot of cash by selling users’ information. And this is not really cool for obvious reasons.

There is more
But the story is not simple. Even if app developers have good intentions, they may screw up on how your data is stored and secured. This is the case for lots of startups that don’t take the required steps to secure users’ data. Maybe they are not evil, maybe they just want to make a great impact in the world and thus developed a quick solution for a real-world problem. But things can go wrong. They can get hacked and your information can get leaked, like your name, SSN, credit cards and so on.

On the other hand, I trust big companies with my data. For example, I’m a power user of Facebook and I know they use my data to do business. However, I am confident that Facebook will protect my sensitive data so it doesn’t get exposed on the web. I am also confident that Facebook won't sell my data for cash. I mean, they already make a lot of money with ad targeting, so there is no clear need for them to sell users’ private information.

This doesn’t apply to small companies, especially the ones that don’t charge for a service. Apps that you can use for free make money mainly by displaying ads, and also some of them make extra cash by selling data to 3rd parties.

Please keep an eye on the Chrome extensions that you use to find discounts online. The extension from Honey asks to read all the information that is visible in every page you visit. This includes your emails, your posts, even your pictures, bank statements, investments, and credit card statements! I'm not stating that they *are* making money with this, but suspiciously they offer this free service of discounts and they have all these privileges at hand.

What can you do about it?
In no particular order, here I present some paths you can take to stay safe. Make sure to further research and understand the risks you are putting yourself into.

Decline to use the app (or their website)
Story time: recently I had a bad experience with an airline. I ran into a 7-hour delay because of technical difficulties. In order to issue a claim I researched on the web and came across a website that helps you file a claim. After filling in a long form with the information of my flight, I was asked to log in with my email credentials and the website was requesting mandatory permission to read all my emails. Seriously? Read all my emails in exchange for helping me file an airline claim? No way. I’d not compromise my privacy to get that sort of assessment. My email contains a lot of information about the things I buy, my habits and health. Sometimes I even chat with people via email. This is a no go.

But there is more! I was about to close the page but then I realized I could use any email address. I authenticated with a burner account that I have (an email account that I only use to sign up on sketchy websites), and got the response of the assessment: they were unable to help me :/
The fact that they didn't say this beforehand tells me a lot about their intentions: nothing good.

Another suspicious situation I found myself in was when Banana Chiquita was running a contest to win a fancy pencil case in 2017. In order to participate you had to fill in a form that asked for name, address, phone number and email, among other details. This was inconceivable. A lot of personal information to enter a raffle for such a small prize. This was a no go, I didn't complete the form.
Additionally, these raffles usually offer very few prizes and the chance of winning is really low (say, 10 prizes for 1M participants).

Find an alternative
Often you can search in the Play Store / App Store for other apps that offer a similar service but won’t be needy with what they ask from you. It’s just a matter of searching and finding a good alternative.

This happened to me recently when I was searching for a file organizer app. Many of the top-listed apps in the Play Store required location permission and to run at startup. After doing some research I found one that didn't ask for those permissions.

Use their website instead
Using the web browser and visiting a webpage is safer than installing an app that will always run in the background. For example, I always use NerdWallet via a browser instead of having their app installed on my phone.

Use a different user (Android only)
Android phones allow you to have multiple users on the device, the same way you can have several accounts on a computer. I have a second user in which I'm signed in with my burner Gmail account.

One of the uses I give the second user is to install apps that I need but that are bad boys. For example, in that user I have iPass installed. iPass is great, I love that you can get online for free in any airport (as long as you have a membership with them). What I dislike about them is that the app requires location access to work. This is a red flag, no need to know my location. Additionally, through an acquaintance who works in their sales department I came to know they are looking to sell users’ data to third parties. To add more to this weird situation, in their iOS app they suggest you grant them access to your health data. Really suspicious.

By having the iPass app under a different user I make sure the app runs in its own rig without getting access to my main Gmail account, and because I rarely use my phone with that Android user, I limit the run time the app gets.

Assume the risk
Sometimes the service the app offers is something valuable to you or you are in a rush to get a job done. For example, I recently needed to join two videos and I quickly searched the Play Store for an app to do some basic video editing. I didn't mind that the app could upload and keep my video because this was a one-time thing and because the video wasn't anything confidential or sensitive.

I hope you enjoyed the brief privacy overview in this ever-changing smart world. If you have any questions feel free to add them in the comment section below.

Note: no one paid me or influenced the opinion described in this post. I drew these conclusions based on my own knowledge of the topic.