Android apps may be automatically transmitting sensitive information, such as the routes you travel, through the phone's built-in sensors.
Three years ago, the Federal Trade Commission accused the developers of the ‘Brightest Flashlight’ app for Android of consumer deception because it was transmitting users' locations and device IDs to third parties without getting their permission.
Permissions, though, are only a small part of the Android- app privacy story.
New research from North-Eastern's Guevara Noubir and colleagues shows that Android apps can be manipulated to reach inside your mobile phone to track your whereabouts and traffic patterns, all without your knowledge or consent.
The researchers know this because they built an Android app and tested it.
Their system uses an algorithm that inserts data from the phone's built-in sensors into graphs of the world's roads. The researchers applied the algorithm to various simulated and real road trips. For each trip, the system then generated the five most likely paths taken, with results revealing a 50 per cent chance that the actual path travelled was one of the five.
"For $25, anyone can put an app on Google Play, the store for Android apps," says Noubir, professor in the College of Computer and Information Science. "Some of them may be malicious - no one is screening them."
Android apps present further privacy risks because they automatically have access to key sensors inside the phone that detect the device's location, movements, and orientation. Together these sensors can provide clues to everything from the route you take to work to whether you carry your phone in your pocket (the phone is relatively stable) or your purse (it swings).
"In our research we show that an app in fact does not need your GPS or Wi- Fi to track you," says Noubir. "Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going." To gauge the effectiveness of the system, the researchers conducted two types of tests.
They simulated drives in 11 cities around the world including Berlin, London, Rome, Boston, and Atlanta. They also got behind the wheel themselves, driving for 1,000 kilometres over more than 70 different routes in Boston and Waltham, Massachusetts.
In both tests they collected scores of measurements derived from the phones' changing positions, including the angles of turns and the trajectory of curves.
"Inferring a driving pattern from an Android app can lead to much greater invasions of privacy, such as where the user lives and works," says Noubir.
Additional information, he warns, can then be gleaned by searching town and city public databases for property tax records for example. "Adversaries can recover lots of details through these side channels."
So what's an Android user to do?
“For starters, do your homework”, says Noubir. "You should not install apps that are not familiar to you - ones that you have not investigated," he says. "Be sure that your apps are not still running in the background when you're not using them."
He also advises uninstalling apps that you don't use frequently. "Why keep apps that can access your sensors if you don't use those apps seriously?" he asks.