Your Apps Are Watching You CS 595 - Elliott Peay

Overview
• Article Focus
• What Happened
• Findings
• What is Going On
Article Focus
Wall Street Journal investigates what information is sent over
the network by the apps we use.
Also contains an analysis of the information.
What Happened
• About the Investigation
• Investigation Methodology
About the Investigation
101 Apps were tested
• 50 popular on iPhone
• 50 popular on Android
• WSJ iPhone app
Android shown at right
iPhone apps will not be covered.
Source: http://blogs.wsj.com/wtk-mobile/
Investigation Methodology
Device was restricted to increase accuracy of data gathered.
• Single-Process Mode
• No 3G Access
• Man in the middle attack used to obtain data streams
• "Mallory" software used to decrypt data
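An added example, not part of the original slides or the WSJ investigation's tooling: once the data streams from the test device are decrypted, one way to build per-app lists of data recipients and data sent is to search each outbound request for values the tester already knows about that device. The app names, hosts, parameter names and every device value below are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Values the tester already knows about the test device (all constructed).
KNOWN_VALUES = {
    "Phone ID": ["a1b2c3d4e5f60718"],
    "Phone Number": ["5555550123"],
    "Username/Password": ["testuser01", "Tr0ub4dor-test"],
}
TEST_LOCATION = (36.8853, -76.3059)  # constructed latitude, longitude
TOLERANCE = 0.01                     # degrees, roughly 1 km

# Constructed capture of decrypted requests: (app, url, form-encoded body).
CAPTURE = [
    ("GameApp", "http://ads.example.net/req?uid=a1b2c3d4e5f60718&lat=36.8853&lon=-76.3059", ""),
    ("GameApp", "http://stats.example.org/event", "device=a1b2c3d4e5f60718&ev=launch"),
    ("DietApp", "https://api.example.com/login", "user=testuser01&pass=Tr0ub4dor-test&msisdn=5555550123"),
    ("DietApp", "http://ads.example.net/req?slot=banner", ""),
]

def has_location(values):
    """True if both test coordinates appear (within TOLERANCE) among the values."""
    nums = []
    for v in values:
        try:
            nums.append(float(v))
        except ValueError:
            pass
    lat, lon = TEST_LOCATION
    return (any(abs(n - lat) < TOLERANCE for n in nums)
            and any(abs(n - lon) < TOLERANCE for n in nums))

def audit(capture):
    """Return {app: {recipient host: sorted data categories seen in its requests}}."""
    findings = defaultdict(lambda: defaultdict(set))
    for app, url, body in capture:
        parts = urlsplit(url)
        values = [v for _, v in parse_qsl(parts.query) + parse_qsl(body)]
        sent = {cat for cat, known in KNOWN_VALUES.items()
                if any(k in v for k in known for v in values)}
        if has_location(values):
            sent.add("Location Information")
        if sent:
            findings[app][parts.hostname] |= sent
    return {app: {host: sorted(cats) for host, cats in hosts.items()}
            for app, hosts in findings.items()}

if __name__ == "__main__":
    for app, hosts in audit(CAPTURE).items():
        for host, cats in hosts.items():
            print(f"{app} -> {host}: {', '.join(cats)}")
```

This matches plaintext, form-encoded values only; identifiers sent hashed, encoded or inside another payload format would need those transforms applied to the known values first.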
Findings
• Generally, free apps sent more data than paid apps
• Generally, iPhone apps sent more data than Android apps
• Google was the biggest data recipient
Facebook (Android)
Data Recipients:
• Facebook
Data Sent:
• Username/Password
Source: http://blogs.wsj.com/wtkmobile/2010/12/17/facebook-iphone/
PaperToss (Android)
Data Recipients:
• AdWhirl
• Flurry
• Geocade
• AdMob (Google)
• AdSense (Google)
• Microsoft
Data Sent:
• Phone ID
• Location Information
Source: http://blogs.wsj.com/wtk-mobile/2010/12/17/papertoss/
Calorie Counter (Android)
Data Recipients:
• FatSecret (Owner)
• DoubleClick (Google)
• Analytics (Google)
Data Sent:
• Username/Password
• Phone ID
• Location Information
• Phone Number
Source: http://blogs.wsj.com/wtk-mobile/2010/12/17/caloriecounter/
What is Going On?
Many different groups are using this information
• Ad Networks
o Targeted Advertising
• Software Developers
o Analytics
o User Information
Ad Networks
Multiple apps that work with a particular ad network allow for
complex user profiles to be developed.
Application | Data Sent
Realty / Mapping App | Device ID, GPS Information
Social Networking App | Device ID, Gender, Age, Ethnicity
Shopping App | Device ID, Product Types
"Why is my GPS icon blinking?"
Information which is generally harder to obtain is of more value
to an ad company.
"In its software-kit instructions, Millennial Media lists 11 types of information about
people that developers may transmit to "help Millennial provide more relevant
ads." They include age, gender, income, ethnicity, sexual orientation and political
views. In a re-test with a more complete profile, MySpace also sent a user's
income, ethnicity and parental status."
Source: http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
Privacy Differences vs Computers
"The great thing about mobile
is you can't clear a UDID like
you can a cookie,[...] That's
how we track everything."
Meghan O'Holleran
Traffic Marketplace
Image: http://blogs.wsj.com/wtk-mobile/
Source: http://online.wsj.com/article/SB10001424052748704694004576020083703574602.html
Developers Want Our Information, Too
• Analytics
o Track user navigation through website
• Demographics
o See who is using the app
Source: http://blogs.wsj.com/wtk-mobile/
(Image compressed horizontally for presentation)
Conclusion
Finding the over-sharing apps is
not possible at first glance.
Trust is a critical step in finding a
good app
Source: http://blogs.wsj.com/wtk-mobile/