Topic: Security / Privacy “Your Apps Are Watching You”

Source: The Wall Street Journal Online
Presented By: Corey Campbell
Article Overview
Among our devices, smartphones know us best.
Time for an investigation.
The Wall Street Journal conducts an investigation:
• App analysis – iPhone & Android
• Consumer protection
• Ad networks
Introducing…Your Data
Key categories being looked at:
CATEGORY | PROCESS
User name, password | Create an account : interact with Facebook
Contacts | Access to address book : permission
Age, gender | Captured by a form
Location | GPS : triangulate with Wi-Fi or cell signals
Phone ID | Phone’s SSN : hard to delete
Phone number | Passed to app maker or Facebook
Introducing…Your Data
The ones that are watching your data:
WHO | MORE INFO
App owner | Ones that create or operate the app: once data is obtained, few restrictions governing the use of it
Third parties | Marketers and companies that monitor app usage: create detailed profiles of users
What The Investigation Dealt With
Examined 101 popular smartphone apps for iPhone & Android
Results included:
• 56 apps transmitted phone’s unique device ID to other companies without user awareness or consent
• 47 apps gave away the phone’s location
• 5 apps sent age, gender, and other personal details outside of the app
Intrusive behavior of online-tracking companies to append data to your profile
How Did The iPhone Do?
iPhone sent off more data than Android phones
(within 101 app test)
An app that shared the most data:
TextPlus 4 – iPhone text messaging app
• sent iPhone’s UDID to 8 ad companies
• sent phone’s zip code, user’s age & gender to 2 ad companies
Apple & Android Apps
Pandora – popular music app
• sent age, gender, location, and phone identifiers to different ad networks
Paper Toss – game of tossing paper into trash can
• sent phone’s ID number to at least 5 ad companies
Some Comments
Michael Becker of Mobile Marketing Association –
“In the world of mobile, there is no anonymity”
Device is always on and with us
Apple supports a review of app before being offered publicly
Apple & Android protect users from revealing data through permissions
Tom Neumayr – Apple spokesman
“We have created strong privacy protections for our customers, especially regarding location-based data. Privacy and trust are vitally important.”
Getting Around The Rules
Pumpkin Maker – pumpkin-carving game
• gave away phone’s location to an ad network without asking permission
• Apple declined to talk about this violation
What Are The App Makers Saying?
TextPlus 4 & Pandora:
• Data passed is not linked to an individual
• Personal details (such as age, gender) are volunteered by users
Pumpkin Maker:
• Unaware of Apple’s guidelines to seek user approval before sending data
Paper Toss:
• Did not want to comment
Consumer Protection
Privacy Policies:
• 45 of the 101 apps did not provide a privacy policy
• Apple & Google don’t require them
WSJ Designs A System
• System intercepts and records data
• Decodes data stream
• Covered 50 iPhone apps & 50 Android apps
The Jury Is In
The most widely shared item was the phone’s identifier, or UDID for the iPhone.
• ID is set by phone makers, carriers, or OS makers
• Difficult to delete or hide
Why, Oh Why?
Meghan O’Holleran – Traffic Marketplace
• Track everything by phone ID
• Apps downloaded
• Usage frequency
• Time spent on app
• Areas used in app
• Data is combined, not linked to an individual
No Standards In Mobile
Apple sees UDID as “personally identifiable information”
• Can be combined with info from App Store and iTunes
In contrast, Google and most app makers don’t consider device IDs to be identifying information.
Ad Networks
• An expanding industry
• Mobclix – an ad exchange
• Matches more than 25 ad networks with approximately 15,000 apps needing advertising
• Takes phone IDs, encodes them, and assigns them to interest categories based on users’ usage factors.
• Does a “best guess” of where person lives to mix location data from Nielsen Co.
• Powerful system, but categories are still broad enough not to identify people.
An Example: Mobclix Inner-workings
• Within a quarter-second, Mobclix can place a user in one of 150 segments it offers to advertisers
• Segment types: “green enthusiasts”, “soccer moms”
• “die hard gamers” segment:
  • 15 – 25 year old males
  • more than 20 apps on phone
  • use an app for more than 20 minutes at a time
The Ad Networks Have My Info
• Claim data is anonymous and brings more relevant advertising
• Google received most data overall in the tests by WSJ, but says it does not mix data from its ad units: AdMob, AdSense, Analytics, and DoubleClick
• AdMob gives advertisers access to phone users by locations, device type, and demographics (gender, age group)
• Apple has its iAd network – only for iPhone
• Apple uses App Store and iTunes info to target ads.