A recent Pew study found that 91% of Americans feel as though consumers have lost control over their data.
After a year of privacy headlines that includes banks and retailers losing customer records, Facebook turning on your mic to figure out what you're watching, and an Attorney-General who complains about tech companies encrypting phones so well that law enforcement agents can't spy on them, perhaps Pew’s findings aren’t too surprising.
While our behavior online and at the register is of great interest to hackers and marketers alike, our smartphones are an even greater treasure trove of behavioral information – and the apps we use are often the weakest link.
Knowledge is power
We know that our web browsers transmit our habits to a ton of trackers and advertisers (unless we've downloaded a privacy plugin). And there are upsides to being tracked anyway, so what's the big deal if it happens on your phone?
“There is a lot more sensitive data on your smartphone, such as your call log, contact lists, and location,” says Professor Jason Hong, leader of the Carnegie Mellon University research team that created PrivacyGrade.org, a site that grades Android apps on their privacy behaviors. “Smartphone advertising is currently not as bad as online advertising because it's limited, but in the near future, it wouldn't be hard for it to get far more intrusive.”
For example, advertisers may be able to learn something as personal as the hours you sleep by monitoring the level of sound through any app that requests access to the mic.
PrivacyGrade is funded by the National Science Foundation, NQ Mobile, Google and the Army Research Office and analyzes apps for what data users expect to be taken versus what data the app actually lifts. The privacy grade isn't so much a reflection of how tight a grip the app keeps on user data, but rather how aware the user is of its data skimming.
Hong says that when people know why an app is using something as sensitive as their location – for example, for targeted advertising – it makes them more comfortable than when simply told an app is using their location.
“It's about being aware [of how an app uses data] so people can make better decisions,” Hong says.
Yet many apps may violate their own privacy policies, resulting in private posts that aren’t actually private or users being tracked against their will.
From indefinite storage of supposedly deleted content, to the unknowing transmission of personal data directly to the NSA, the worst apps for privacy are...
An app that knows everywhere you go: Uber
Most of us expect that our locations are recorded and fed back to certain apps for a better service. Naturally, a car-hailing app whose success is dependent on its ability to locate the nearest vehicle and send it to you is expected to have access to this data. What isn't expected is for the data to be used to track its customers.
In November, Uber started an investigation of its New York director for looking up the profile of a Buzzfeed News journalist and tracking her Uber trips. This followed allegations that Uber allowed any employee to use an internal company tool called God View to track any Uber passenger's movements -- of particular concern when each profile is attached to some personal information, unlike passengers in regular taxis.
“There's a lot you can tell about a person from their location,” says Parker Higgins, activist at the Electronic Frontier Foundation. “When they arrive at and leave work, if they're spending the night at home or frequently somewhere else, how religious someone is based on their location on Sundays. Location is a sensitive thing that wraps a lot of other sensitive things.”
Supposedly anonymous apps: Whisper, Secret, Yik Yak
Whisper, Secret and Yik Yak are social networking apps with two major selling points in common: all three claim that users can make anonymous posts, and all three subsequently failed to deliver on that claim.
Whisper called itself “the safest place on the internet”, but an investigation by the Guardian published in October revealed that the app violated its own terms of service by tracking users who had opted out and storing posts that users thought they had deleted in a searchable database that goes back to Whisper's 2012 launch. According to the report, users deemed to be newsworthy -- such as individuals who claimed to work at Disney, Capitol Hill or in the military -- were monitored through their history of posts and locations.
“The kind of secrets that people are confessing to on these sites could be used as leverage to bully or even extort the confessor should their identity be revealed,” says Lookout senior security product manager Jeremy Linden. “This is exacerbated by the fact that these services are attractive to teens.”
Another Whisper-style app, Secret, had 42 security holes revealed by white-hat hackers. In particular, security researchers Benjamin Caudill and Bryan Seely were able to exploit Secret's news feed feature that shows posts from (anonymous) friends once a user amasses seven or more.
Using bots as fake accounts, the researchers connected seven bots to one real user. Because the bots never posted, every post in the feed belonged to that one user, and the researchers could identify them from the details in the posts.
“There are vulnerabilities with these apps in terms of encryption,” Linden says. “Many of them do not encrypt their data and even more only encrypt the parts of the session that the developers feel need to be protected, such as financial transactions or logins.”
Take Yik Yak, the anonymous social network especially popular with high-school and college students, which doesn't use passwords -- and doesn't encrypt all traffic from the app.
Cloud security company SilverSky Labs found that hackers could de-anonymize users and take control of the account by intruding on the non-encrypted traffic between Yik Yak and an analytics company.
Linden's advice is to be cautious with the personal data you share with apps. “If you don’t want apps to collect your location or contacts, make sure to turn off these features in the settings [of the apps],” he says.
Games: Fruit Ninja, Despicable Me, Drag Racing
Hundreds of millions of Android, iOS and Windows 8 users have downloaded the wildly popular Fruit Ninja – and like Despicable Me and Drag Racing, Fruit Ninja requests the phone's unique identity as well as access to the internet for use in targeted advertising. It takes a user's precise location apparently to show where users get free Starfruit (the game's currency), but also uses it to deliver -- you guessed it -- targeted advertising.
All three apps received a lowball grade of D from PrivacyGrade.org for the massive gap between what data users expected to be taken and what data was really taken.
“The problem is that people aren't aware that this is going on,” Hong says.
The software that makes up these apps, like many others, includes third-party libraries -- pieces of code created by ad networks or social networks that allow the app to use their services. For example, a Facebook library allows an app to use Facebook login or find a user's Facebook friends, while an ad library helps developers monetize their apps by showing ads. “Often it's the libraries that do this data taking,” Hong says. “Developers may not know what they're doing.”
Fruit Ninja uses libraries from six ad networks, while Despicable Me uses two ad libraries; Drag Racing uses three. Using the phone's unique identity, advertisers can therefore track users between any apps that use their networks.
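PrivacyGrade's idea, as the article describes it, is to measure the gap between the data a user expects an app to take and the data it actually declares. The script below is an added example written for this piece, not PrivacyGrade's own code: it parses the permission declarations from an Android manifest and lists the sensitive ones that fall outside what a user would plausibly expect for the app's category. The expectation table, the letter-grade thresholds and the sample manifest (a game declaring the permissions the article attributes to Fruit Ninja) are constructed assumptions; the permission names themselves are real Android ones.

```python
"""Compare an app's declared Android permissions with what its category leads a
user to expect. Added example in the spirit of PrivacyGrade's expected-vs-actual
analysis; the EXPECTED table, grading thresholds and sample manifest are
constructed for illustration, not taken from PrivacyGrade."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, with the plain-language data they unlock.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_PHONE_STATE": "unique device identity",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Constructed table: which sensitive permissions a user plausibly expects
# each kind of app to hold. A game is expected to hold none of them.
EXPECTED = {
    "game": set(),
    "flashlight": {"android.permission.CAMERA"},  # the LED flash sits behind CAMERA
    "ride_hailing": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "messenger": {
        "android.permission.READ_CONTACTS",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
}

# Constructed sample manifest for a game that requests internet access,
# precise location and the device identity (the set the article attributes
# to Fruit Ninja). Package name is a placeholder.
SAMPLE_GAME_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.fruitgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Sample Game"/>
</manifest>"""


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return every android:name in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    names = {el.get(f"{{{ANDROID_NS}}}name") for el in root.iter("uses-permission")}
    names.discard(None)  # ignore malformed elements without a name attribute
    return names


def unexpected_sensitive(manifest_xml: str, category: str) -> dict[str, str]:
    """Sensitive permissions the app declares that its category does not explain."""
    declared = declared_permissions(manifest_xml)
    surprising = (declared & set(SENSITIVE)) - EXPECTED[category]
    return {p: SENSITIVE[p] for p in sorted(surprising)}


def grade_app(manifest_xml: str, category: str) -> str:
    """Letter grade from the size of the expectation gap (constructed thresholds)."""
    gap = len(unexpected_sensitive(manifest_xml, category))
    return "A" if gap == 0 else "B" if gap == 1 else "C" if gap == 2 else "D"


if __name__ == "__main__":
    for perm, meaning in unexpected_sensitive(SAMPLE_GAME_MANIFEST, "game").items():
        print(f"unexpected for a game: {perm} ({meaning})")
    print("grade:", grade_app(SAMPLE_GAME_MANIFEST, "game"))
```

Run against a real APK, the manifest would first need to be decoded from its binary form (for example with aapt or apktool); the grading logic itself does not change. Note that the same manifest scores better under the ride_hailing category, which is the article's point: the permission is not the problem, the mismatch with what the user expects is.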
Games the NSA really likes: Angry Birds
Advertisers aren't the only ones interested in your fruit-slicing, bird-slinging efforts. The New York Times reported that the NSA and its British equivalent, GCHQ, were targeting leaky smartphone apps including Angry Birds -- which has been downloaded over 2 billion times -- for user data such as age, gender and location. One classified 2012 British report included a code for mining profiles created when Android users play Angry Birds. Another documented that an ad company called Millennial Media worked with Angry Birds developer Rovio to create more intrusive profiles for Android and iOS versions, including additional categories such as ethnicity, marital status and sexual orientation.
Since then, President Obama has announced major reforms to the surveillance program, so our exploits with the furious fowl may be less leaky.
The self-destructing photo app that doesn't: Snapchat
Last year, self-deleting photo messaging app Snapchat was hacked and lost a database of 4.6 million usernames connected to phone numbers. After being charged by the Federal Trade Commission (FTC), the company made partial amends by adding a feature for users to opt out of entering their phone numbers. But the app is far from its self-claimed “ephemeral media” ideal.
Photos that are sent over Snapchat can't be screenshotted and are meant to be viewable for only 1-10 seconds, depending on the sender, but there are several third-party apps for Android and iOS that work with Snapchat to allow recipients to screenshot images for as long as they're on screen. Most notorious of all is Snapsaved, which earlier this year lost hundreds of thousands of photos that Snapchat users had (unethically) saved to its cloud servers.
This doesn't take into account the simplest hack of all: using another phone to take a photo of a Snapchat “temporary” photo.
Though most of the photos sent over Snapchat are not “sensitive content,” according to a University of Washington study, the same study found that many users would change their behavior after knowing about Snapchat's (lack of) security features.
Bottom line? It’s a private messaging app that isn't. But it's fun if you don't mind the possibility of your photos sticking around forever.
Flashlight apps: Flashlight (iOS), Brightest Flashlight (Android)
Yes, the humble flashlight app that harnesses the power of your camera's LED flash is also guilty of accessing data way beyond what any torch should need.
Brightest Flashlight (Android) is one of the lead offenders, snatching your precise location and exploiting your phone's internet connection in order to deliver targeted advertising.
Its developer Goldenshores Technologies was charged by the FTC for misrepresenting how users' unique identities and locations were sent on to third parties.
Over on iPhone, the Flashlight app by iHandy gets a namecheck in this Wired story about the sneakiness of data mining by flashlight apps.
The fix? If you're on an iPhone, what are you doing downloading torch apps? Since iOS 7, the swipe-up flashlight has been the no-brainer option. Android users can head to PrivacyGrade's list of flashlight apps to get the A-grade options.
Messenger apps: Mxit, QQ
If you're one of the world's 600 million WhatsApp users, or one of its 500 million Facebook Messenger users, you can breathe a (small) sigh of relief: the world's most used messenger apps are not the worst offenders when it comes to the security and privacy of your messages, according to the EFF's Secure Messaging Scorecard.
QQ, a China-based IM service used by 820 million people and available in six languages, and Mxit, a smaller, South Africa-based social network, were the two least-private services, sending and storing messages in plain text so that hackers and staff alike can read them. Nor do they verify contacts so users know they're talking to who they think they're talking to (to be fair, neither does Google Chat, Viber, Yahoo or any other popular service). Their security designs were also not open to review, nor had their code been audited for vulnerabilities.
Facebook Messenger and WhatsApp were just barely superior, encrypting messages in transit. Apple's iMessage was deemed the best of the mainstream messengers: messages are encrypted end-to-end and can't be decrypted by Apple.
Why Facebook didn't make the list
As a service, it's certainly one of the data hoovers out there, with a ready database of personal info that allows it to guess some pretty personal facts about people who aren't even Facebook users.
But as an app, it's not doing anything you didn't agree to in its terms of service – the litmus test for whether the FTC goes after a company. Sure, Facebook gets to use all the content you post for anything it wants (even if you keep on posting those bogus declarations of copyright), and no photo is ever really private on Facebook unless no one can see it at all.
However, fret not: “Given the scrutiny from the public and regulative bodies, we'd be surprised if Facebook was taking too many liberties in its handling of user data,” Linden says. “Facebook has been in hot water for its users' privacy before.”
The social network settled a suit with the FTC in 2011 in which it agreed to privacy audits every two years for the next 20 years. Last year, its Android app leaked hundreds of millions of phone numbers, a bug Facebook says it subsequently fixed. “There's no doubt that Facebook has its users' data on its mind in both its mobile and web properties,” Linden says.
Checking in with PrivacyGrade finds that Facebook -- like Gmail, Twitter and other juggernauts that handle our most personal content on a daily basis -- received an A for realistically managing users' expectations of what data was taken and how it was used.
Protect your permissions
“Once you give permission for access to a feature, there's nothing holding the app to do what it said it would do with it,” Higgins says.
But we can selectively deny some permissions an app has requested. Unlike Android apps, iOS apps don't display the list of permissions requested at installation, but iOS does pop messages up every so often alerting users that an app is trying to access location or a contacts list. You can simply deny the permission if you don't feel, for instance, that the Weather Channel should track your location even when you're not using the app.
Android users can download an app called SnoopWall Privacy App that shows which apps are requesting what permissions, selectively granting and retracting access. (An iOS version is coming.)
Many apps collect far more data than they need, resulting in a glut of permission requests. “A lot of these companies don't know what they'll monetize,” Higgins says. “Having that data leaves options open.” For this reason, paid apps are often better than free apps when it comes to privacy as there's a clear revenue model.
Are any permission requests shadier than others?
A Pew study found that half of Americans feel their location data is very sensitive, but though this information can be used to create some pretty specific profiles, it's also used for app features many people like: geo-tagging photos, receiving offers at nearby shops, and of course, hailing taxis.
Browsing history can reveal even more through data such as search queries and most-visited sites. “We have heard of advertisers that piggyback on apps and do things like pull your browser history from your browser,” Higgins says. Unfortunately, a request to access your browser history is usually not couched in such clear terms.
Call logs are also quite telling. “You can infer your social relationships based on call logs,” Hong says.
There are myriad legitimate uses for all this data, and more. Figuring out which permissions are O.K. or not comes down to context. Social media apps are likely to want access to your contact list; phone apps to your call log; but games probably don't need your location. (Of course, you could be completely comfortable with sharing your location, as you should be, in an ideal world of anonymized Big Data.)
“One of the big issues tech companies face now is that it isn't clear what the best practice for privacy is,” Hong says. Unlike computer security software, for example, there isn't yet an established correct way to deal with the increasingly comprehensive, sensitive information our smartphones and apps collect about us.
Right now, companies legally only need to adhere to their own privacy policies, but in the future, a clearer standard for how user data must be treated could help developers build apps that are profitable as well as privacy-friendly – and help users regain control over their data.
[woman shocked at smartphone via Shutterstock]