Your Apps Are Watching You

CS 595 - Elliott Peay

Overview

• Article Focus• What Happened• Findings• What is Going On

Article Focus

Wall Street Journal investigates what information is sent over the network by the apps we use.

Also contains an analysis of the information.

What Happened

• About the Investigation• Investigation Methodology

About the Investigation101 Apps were tested• 50 popular on iPhone• 50 popular on Android• WSJ iPhone app

Android shown at right

iPhone apps will not be covered.

Source:  http://blogs.wsj.com/wtk-mobile/

Investigation Methodology

Device was restricted to increase accuracy of data gathered.

• Single-Process Mode• No 3G Access• Man in the middle attack used to obtain data streams• "Mallory" software used to decrypt data

Findings

• Generally, free apps sent more data than paid apps• Generally, iPhone apps sent more data than Android apps• Google was the biggest data recipient

Facebook (Android)

Data Recipients:• Facebook

Data Sent:• Username/Password

Source:  http://blogs.wsj.com/wtk-mobile/2010/12/17/facebook-iphone/

PaperToss (Android)

Data Recipients:• AdWhirl• Flurry• Geocade• AdMob (Google)• AdSense (Google)• Microsoft

Data Sent:• Phone ID• Location Information

Source:  http://blogs.wsj.com/wtk-mobile/2010/12/17/paper-toss/

Calorie Counter (Android)

Data Recipients:• FatSecret (Owner)• DoubleClick (Google)• Analytics (Google)

Data Sent:• Username/Password• Phone ID• Location Information• Phone Number

Source:  http://blogs.wsj.com/wtk-mobile/2010/12/17/calorie-counter/

What is Going On?

Many different groups are using this information

• Ad Networkso Targeted Advertising

• Software Developerso Analyticso User Information

Ad Networks

Multiple apps who work with a particular ad network allow for complex user profiles to be developed.

Application Data Sent

Realty / Mapping App Device ID, GPS Information

Social Networking App Device ID, Gender, Age, Ethnicity

Shopping App Device ID, Product Types

"Why is my GPS icon blinking?"

Information which is generally harder to obtain is of more value to an ad company.

"In its software-kit instructions, Millennial Media lists 11 types of information about people that developers may transmit to "help Millennial provide more relevant ads." They include age, gender, income, ethnicity, sexual orientation and political views. In a re-test with a more complete profile, MySpace also sent a user's income, ethnicity and parental status."

Source:  http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html

Privacy Differences vs Computers

"The great thing about mobile is you can't clear a UDID like you can a cookie,[...] That's how we track everything."

Meghan O'HolleranTraffic Marketplace

Image:  http://blogs.wsj.com/wtk-mobile/Source: http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html

Developers Want Our Information, Too

• Analyticso Track user navigation through website

• Demographicso See who is using the app

Source:  http://blogs.wsj.com/wtk-mobile/   (Image compressed horizontally for presentation)

Conclusion

Finding the over-sharing apps are not possible at first glance.

Trust is a critical step in finding a good app

Source:  http://blogs.wsj.com/wtk-mobile/