Law Enforcement, Legal, Mobile Devices, Research, Software

Who Is Spying On Android Users, Why Do They Do It And What Are They Doing With The Data?

If you’ve been following the news, you may already know about the many cases where companies, big and small, were caught spying on their users. It might appear that just about everyone making a phone or an app is after your personal information. In this article we’ll try to figure out who collects your personal data, why they do it and what they do with the data they collect.

They Are Watching You

Android is a Google OS. Google has access to every part of the device down to the last sensor. “To better serve its customers”, Google collects, transmits, stores and processes overwhelming amounts of data including personal and sensitive information. In particular, Google stores your browsing history (Chrome) and Google search requests (Chrome or any other browser if you are signed in to your Google Account); it syncs your logins and passwords, has access to your Gmail messages, contacts, call logs and text messages. Google Drive is available to store your files and backups, while Google Photos is there to take care of your photos. Google logs and transmits information about nearby cellular towers, Wi-Fi and Bluetooth networks, which helps the company track your location even if high-accuracy and battery-hogging GPS receiver is turned off.

Location data is of particular interest. Let’s have a look what Google uses your location data for.

First and foremost, Google is a major player in the map industry. Google is one of the few companies in the business of making and maintaining their own maps (along with TomTom, HERE, Baidu, Navitel, as well as OpenStreetMaps and a few other companies). Google Maps are among the best on the market.

Points of Interest (POI) are one of the major features of Google Maps. By knowing what is nearby, Google not only knows the user’s coordinates on the map, but it can guess the venue as well. As an example, let’s look at the following map saved from my Google Timeline.

karlsruhe

As we can see, Google knows the following about me:

  • I traveled to Karlsruhe, Germany on September 27 – 29
  • I stayed in Star Inn Hotel
  • I walked and ride in a car (if I’d use public transportation, Google would map it as well)
  • On September 28, 8:22am to 17:22pm I was in Brauhaus 2.0

I happen to know the sources of this data. Google used the following information to build this map:

  • The primary source was location data mapped to Google Maps POI
  • In addition, Google scanned my email and discovered my travel arrangements that included a hotel reservation and Deutsche Bahn ticket. This data is also clearly visible in Google Trips.

Below is a screen shot captured in Google Trips:

starinn

I can see exactly where this data comes from: Google quotes an email from Booking.com as a source.

So Google scans your emails and tracks your location. What does it use the data for? While Google’s main source of income is advertising, Google naturally uses location data to allow better targeting to its advertisers. However, since it is you who have the choice of agreeing or disagreeing to Google storing your location, the company offers its users some great perks. For example, Google knows how busy a place is during lunch time, and can guess how long you’re probably going to spend in that restaurant. It also knows how long you are going to wait for your food to be served. Google estimates waiting time by assuming that people would be using their phones while waiting for their order, and put them away when the food is served.

Here is what it looks like:

visited

This is how it works according to Google itself:

Visit data may include:

  • Popular times graph: Shows how busy your location typically is during different times of the day. Popular times are based on average popularity over the last several weeks. Popularity for any given hour is shown relative to the typical peak popularity for the business for the week. For example, in the image below, 6:00PM-7:00PM on Thursday is one of the more popular times of the week for this business.
  • Live visit data: Shows how active your location is right now. Live visit data is updated in real time and overlaid on the popular times graph. For example, in the image below, the highlighted section of the graph represents how active the location is right now compared to its usual level of activity.
  • Visit duration: Shows how much time customers typically spend at your location. Visit duration is based on customer visits to your location over the last several weeks.

More information:

This is but one example of how Google puts your location data to good use. Another example is live traffic data. Google Traffic is a feature on Google Maps that displays traffic conditions in real time. Google Traffic is based on location reporting of a large number of Android users. By calculating the speed of users along a length of road, Google is able to generate a live traffic map. Google processes the incoming raw data about mobile phone device locations, and excludes anomalies such as a postal vehicle that makes frequent stops. Google Traffic relies on location data working in background on a large number of devices.

What’s in It for Google

Knowing the average waiting time for a restaurant or being able to route around a local traffic jam are great featured for the end user, yet Google does not get paid for any of that. So why is Google doing it?

As we already mentioned, Google’s main source of income is advertising. The company’s desktop and browser-based advertising program, the Google AdSense, is a major and probably the largest context advertisement platform. Google’s AdMob is an in-app ad network that targets mobile developers. Since Google gets paid per click rather than charging advertisers per thousand impressions, it is in everyone’s interest to serve users with the most relevant ads with the greatest potential of being clicked. In order to maximize its profits, Google makes use of everything it knows about the user (and it knows just about everything) to serve ads that might be of interest to that user wherever they are and whatever they feel like.

What About the Users?

Users are sharing their personal data with Google for a reason. In exchange for sharing their email, they receive a convenient and innovative mail service for free. In exchange for sharing their location data, they receive access to numerous services. By sharing call logs with Google, users can quickly restore their calls when they replace their handset. The list goes on. However, everything has its price, and you’re naturally paying for all these services with your very own privacy.

Besides, constant location requests put a toll on your phone’s battery. It’s not that much of a toll these days as Google mastered background collection of location data without waking your phone too often or using too much of its hardware. Notably, other companies are much less gentle with your phone’s battery.

Can I Disable Data Collection?

Yes, you can. Google is a reputable company with a concise privacy policy. You have the right to opt out of data collection at any time. Moreover, you have fine-grained control over what bits of data you agree to share with Google. You can withdraw your consent at any time, optionally leaving or erasing the data that Google collected about you in the past.

For example, you can stop sharing your location by simply disabling Location History on your device. This will NOT prevent access to any Google services such as Maps, Traffic, or Places. However, you will not be able to access your Timeline. When disabling Location History, you may choose whether to disable the feature for a given device, other devices, or the entire account. You can also choose what happens to location data already collected by Google; it is your right to erase that data at any time.

Unfortunately, there is no single switch that would say something like “stop tracking me, full stop”, nor such a switch would be technically possible. In order to control how Google uses your personal information, you would have to discover the many options scattered around Android Settings, Google Settings and Google Account settings. In many cases, you would have to know exactly what you are looking for in order to find it and disable it. (As an example, I still don’t know if I can stop Google from syncing call logs with the cloud, let alone how to do it.)

Even if you do know your options, disabling data collection may not be in your best interest. For example, if you don’t want Google to scan your email, you would have to close your Gmail account and delete all email messages stored on Google servers. If you stop sharing your contacts, you will be unable to use Google to sync them with your other devices. You can easily disable syncing of Chrome passwords and browsing history across devices, meaning you would have to remember your passwords when signing in on a new device, and so on. Disabling all cloud services effectively turns your smartphone into a dumb phone, which is probably not what you’d like to do.

More on Google’s use and collection of personal information:

The Third Parties

So we figured that Google knows just about everything about its users. The company is straightforward about what it uses the data for, and allows granular control over what types of data you agree to share. Other companies may not be nearly as nice.

Let’s talk about Facebook. Facebook is the second largest in-app advertisement broker. The company owns Facebook Audience Network, an ad network catering to mobile developers and competing with Google’s AdMob.

Facebook offers advertisers access to a powerful targeting system with what is arguably world’s best Web-in-app matching and extremely powerful cross-device matching. Advertisers can target their ads by demographics, interests, behaviors, locations and connections of the users. When an advertiser opts in the Audience Network, that targeting applies to all of their ads displayed on Facebook and in third-party apps. According to Facebook itself, this works because the company matches ad requests to Facebook users using the device ID or advertising ID from their devices. Once Facebook identifies the user, the network is then able to show them an ad similar to one they would have seen on Facebook.

Sometimes it’s a bit too much. In October 2016, Facebook was identified to allow racially targeted ads, particularly for housing, employment and credit advertisements. This is as blatant a violation of the Fair Housing Act as one could ever imagine, so the company reluctantly agreed to stop this practice followed by massive public backlash.

Interestingly, Facebook claims that it does not know users’ races. Instead, the company tries to determine its users’ ethnic affinity by what posts and pages they engage with on the platform.

Facebook and Power Consumption

Facebook does not have the deep OS integration enjoyed by Google services, yet the company wants access to as much of your personal data as Google. As a result, users installing the official Facebook app on their Android smartphones sometimes start noticing severe battery drain even while they are not using the app. The increase is significant with 20 per cent higher daily battery drain with Facebook app installed and signed in compared to the same device without the Facebook app. Most interestingly, Facebook does not appear as an offender in Android battery stats or even in third-party battery monitoring app. Why does that happen?

Facebook makes use of Google Cloud Messaging and Google Location Services to receive notifications and track user location. As a result, it’s Android System and Google Play Services appearing in the battery stats as power-consuming applications, even though it is actually Facebook that wakes up the phone to request frequent location updates.

How frequent, exactly, are those requests? A research carried out by the French National Institute for Informatics Research (INRIA) and National Commission on Computing and Liberty (CNIL) pointed out that Facebook made 150,000 location requests during the 3-month period. This comes to about 1500 location requests a day, or about one request per minute even while you’re sleeping. Doesn’t it seem a bit too much?

Google serves background location requests about once every 15 minutes, and Google gives you Maps, Traffic, Popular Times and a lot more. What does Facebook give you in return for draining your battery and watching your every step?

Can You Disable Facebook Tracking?

Not really. Facebook’s official Android app offers no built-in mechanism to disable background activities, data collection or location tracking other than featuring a link to their privacy policy (which you already accepted when you signed up for an account). Facebook will continue tracking you even while you’re not using the app unless you restrict its ability to do so in Android settings.

Android 6.0 comes with granular control over permissions, allowing you to restrict access to precise location for any given app. If you are among the 27% of Android users whose phone received a Marshmallow update, you may go ahead and disable Location permission for Facebook in Android settings. If you do this, Facebook will no longer be able to tell your exact location, and will instead have to use approximate location data derived from your IP address and Wi-Fi networks, which is enough to locate you with acceptable precision.

If, however, you are among the 73% of Android users who’s phone never got a Marshmallow update, there is no way for you to disable Facebook tracking without disabling Android Location Services entirely.

You can also resort to using an alternative third-party app for accessing Facebook. There are lots and lots of such apps available in Google Play Store including Friendly for Facebook, Folio, Metal, Tinfoil, Swipe for Facebook, SlimSocial and a number of others. Most of these apps are about 50 to 100 times smaller in size compared to the official Facebook app, use minimum permissions and offer granular control for accessing your location. Those apps are also not known to cause excessive battery drain.

Games

Did you ever notice that Android smartphones tend to become more and more sluggish over time? This behavior is greatly dependent on the apps you install. Some of those apps may put excessive toll on your phone resources, making the phone track your activities all the time, even while you are not using those apps.

For example, Angry Birds, a popular game by Rovio, includes background services that run all the time, even if you are not gaming. These services collect and transmit information about the users, slowing down your system and draining your battery. Considering the target audience of the game, this went completely unnoticed for a long while until this happened:

https://www.propublica.org/article/spy-agencies-probe-angry-birds-and-other-apps-for-personal-data

Rovio drew public criticism in 2012 when researchers claimed that the app was tracking users’ locations and gathering other data and passing it to mobile ad companies. In a statement on its website, Rovio says that it may collect its users’ personal data, but that it abides by some restrictions. For example, the statement says, “Rovio does not knowingly collect personal information from children under 13 years of age.”

Why would a game need access to your contacts or run a background service to collect location data? Does it enhance or improve your gaming experience in any way? Absolutely not. By installing certain game titles, you agree to hand some of your privacy to game publishers who in turn sell the data to so-called data brokers. Data brokers will then offer the information to advertisers and ad brokers who will use it to improve their targeting.

So what data exactly does Angry Birds collect? The following article has all the details down to API calls and server addresses:

Birds, farms, zoos, candies and other time killers routinely install background services collecting your data and tracking your location and activities. No wonder your phone becomes sluggish with all of those running and spying on you all the time. Google Play Store has more than a hundred thousand apps identified to track their users in background.

Can I Stop This?

Not really. You can deny or disable location access to game titles if you run Android 6 or newer, but no version of Android offers a mechanism to block unwanted background services. Not unless you root your phone or run one of the custom ROMs. The best you can do is checking permissions and reading their privacy policies.

Amazon Underground

Amazon is one company that’s particularly interested in precise targeting. Amazon is available for all major platforms. Amazon has an app store of their own. It’s not quite as big as Google Play, but it still offers a lot of popular titles.

Amazon wants to be Google, at least on devices that it makes. The company developed its own infrastructure that tries to replace Google Play Services and Google Cloud Messaging. Amazon has its own maps to replace Google Maps, Amazon Device Messaging (ADM) for delivering push notifications on Amazon hardware instead of Google Cloud Messaging (GCM), and Amazon GameCircle to replace Google Play Games. Amazon Drive, Amazon Photos and other services are also available for users of Amazon’s own devices (the many models of Kindle Fire tablets, Amazon Fire Phone and several models of Amazon Fire TV).

Amazon tablets do not come with Google Play Services out of the box. They are topping the charts of all Android tablet sales in the US, so Amazon’s strategy seems to be working.

However, Amazon app store and services were of little interest to developers not targeting Amazon devices. The company tried to address that by introducing Amazon Underground with what they call Actually Free, a program allowing Android users to freely download certain paid apps and obtain in-app purchases that they would otherwise have to pay money for. Since in-app purchases can rack up quickly and amount to hundreds or even thousands dollars per month, Amazon Underground can be a great chance to save. Amazon Underground must be sideloaded as Google won’t allow it in its Play Store.

With Amazon Underground, users are getting paid apps and in-app purchases for free. Developers are paid by Amazon for every minute their apps are used. So is it free cheese for everyone?

Yes, with a catch. Since Amazon pays app developers per minute of usage, the company requests tracking access, which would allow Amazon to track how much time the user spends in a given app. This tracking feature is fully official, and it can be easily disabled in Amazon Underground app settings (with obvious consequences of losing access to apps participating in the Actually Free program).

So if you want those free paid apps and in app-purchases, you’ve got to agree to some tracking. What’s Amazon’s profit? The Inquirer interviewed Aaron Rubenson, the director of the Amazon App Store.

“When we ingest the apps, we add a very small wrapper which handshakes to the Underground app, and that’s how we aggregate information on users. For Underground, we take one piece of data, which is one anonymous aggregate of time spent on the apps. That’s it. We take privacy very seriously both in Underground and in Amazon as a whole.” (Full interview).

Amazon Underground contains Amazon Store, and is Amazon’s way to get a better engagement with its customers. Amazon already knows a lot about its users, including name and address, their exact location, and many other things. Amazon Underground is yet another way for Amazon to collect even more information about their users.

Can I Disable Amazon Tracking?

Amazon app usage tracking is fully transparent and can be disabled by switching off the “Collect App Usage Data” in Amazon Underground app. As a consequence, you will lose the ability to use Actually Free apps; however, you can still install and use most other apps from Amazon app store.

What Else?

Android is an open platform that offers access to massive amounts of information without asking for special permissions. For example, just two permissions (Internet and Access_Wifi_State) are enough for tracking users’ location. Both permissions are granted to all apps being installed without prompting the user. There is no way to revoke those permissions even if you are using Android 6 or newer.

The user’s approximate location can be derived even with no access to Google Location Services by analyzing the IP address and available Wi-Fi networks. Performing a reverse lookup of Wi-Fi networks through a database such as openwlanmap.org returns user’s location within approximately 40 meters.

Identifying a unique Android device is possible by accessing its MAC address and/or its Advertisement ID. The CNIL research analyzed 121 popular apps from Google Play store. Every third application attempted to profile users, collect and transmit personal information. An unnamed app requested location information one million times during a single month.

Chinese Backdoors

We had a look at reputable companies collecting personal information. What about shady practices?

In October 2016, several BLU phones were identified to have been secretly sending personal data via a third-party app (source). Apparently, the backdoor was embedded into the phones’ firmware by their Chinese manufacturer. The backdoor was part of the system update app that has root-level access to everything in the device. According to reports, the software (AdUps) was collecting and transmitting information to Chinese servers. This included the following:

  • Comprehensive call logs
  • Text messages including those with one-time passwords
  • Device identifiers including IMSI and IMEI
  • Comprehensive data on app installs and usage data
  • In certain cases, location information was also transmitted

Once this was uncovered, Amazon quickly pulled the Blu device it was offering to Prime members at a discount. The problem has since been fixed by the manufacturer via a firmware update, and Amazon is now selling the phone once again.

Other manufacturers were not quite as lucky. For example, Barnes & Noble NOOK Tablet 7 also uses AdUps but does not offer OTA capability. While the company promised to fix the issue via a firmware update, it is likely that the users would have to manually download and apply the update via a PC.

More about Chinese backdoors:

There were other cases of Chinese devices being sold with malware. Tablets with pre-installed malware have been sold on Amazon for quite a while. This mostly applies to C-brands and no-name devices as well as anything ordered directly from China through one of the many Web outlets.

Conclusion

Compared to iOS, Android does not offer the best of security. The platform is hardly maintained by device manufacturers, with many smartphones and tablets being abandoned and left working on outdated versions of Android without recent security patches. The majority of Android devices still run Android 5.1 or older with no granular permission management and with no way for the user to disable tracking.

This article was submitted by ElcomSoft, a digital forensics solutions provider specialising in password recovery, mobile and cloud forensics.

Discussion

Trackbacks/Pingbacks

  1. Pingback: Week 52 – 2016 – This Week In 4n6 - December 30, 2016

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 995 other followers

%d bloggers like this: