Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

The App That Tracks Who's Tracking You

timothy posted about 9 months ago | from the perfect-disguise-for-a-backdoor dept.

Android 52

Daniel_Stuckey writes "It's no secret that apps like maps or local weather know your current location, and you're probably cool with that because you want to use the handy services they provide in exchange. But chances are there are many other apps on your phone, anything from dictionaries to games, that are also geolocating your every move without your knowledge or permission. Now researchers are developing a new app to police these smartphone spies, by tracking which apps are secretly tracking you, and warning you about it. Before your eyes glaze over at the mention of yet another privacy tool, it's worth noting that this new app is the first to be able to provide this line of defense between snooping apps and smartphone users for Android phones. Android's operating system is engineered not to allow apps to access information about other apps. But a team at Rutgers University found a way around that, by leveraging a function of Android's API to send a signal whenever an app requests location information from the operating system. MIT Technology Review reported on the research today."

Sorry! There are no comments related to the filter you selected.

Allow blocking (0)

Anonymous Coward | about 9 months ago | (#46112647)

The app should allow blocking of certain apps access to gps or whatever system they are trying to access. If my dictionary app is accessing my gps then allow me to block that app from using it.

Re:Allow blocking (1)

olsmeister (1488789) | about 9 months ago | (#46112811)

Jelly Bean can already do that. [androidpolice.com] There is another comment below that mentions how to do it in Kit Kat.

Re:Allow blocking (3, Informative)

pepty (1976012) | about 9 months ago | (#46112903)

Google removed App Ops for versions in an update for 4.42. If you don't have a rooted phone, the closest thing I've found to a solution is Mobiwol, a firewall which forces apps to connect to the internet through a VPN that doesn't go anywhere. You can choose to give apps their access to the outside world whenever they have focus, so at least they only spy on you when you're using them. Then the problem is: should you trust Mobiwol?

Re:Allow blocking (2, Interesting)

icebike (68054) | about 9 months ago | (#46113061)

Google removed the api, but not because it was something they wanted to prevent.
The API was done in a hackish way that could cause more security issues than it solved.

I expect Google will install an after-the-fact fined grained permissions control in a future Android versions, that will allow you to turn off access for apps that are permission greedy. If you prevent access to some information, an installed app may fail, but that is preferable to the blanket installation time approval system we have today.

Re:Allow blocking (1)

psyclone (187154) | about 9 months ago | (#46113489)

Google's motives for removing fine-grained permission are all speculative at this point. Some argue that Google removed permission control because they don't want a user backlash against "broken apps" and don't want to slow down their marketshare growth.

I would counter that argument with those developers should get flooded with broken app messages so they can re-design their apps to still function or quit altogether if a given permission was not available to it. E.g. The shady Dictionary App should still work if geo-location fails (which it does if you've disallowed location for all apps in the global settings).

Re:Allow blocking (1)

Anonymous Coward | about 9 months ago | (#46115931)

Oh FFS, give the FUD a break. They said clearly that they were developing the permissions manager, that it wasn't ready for prime-time and that it would be released when it's ready.

The version that was implemented DID break apps. Even the version in Cyanogen breaks apps, and does so in a way which generates cryptic error messages. It ISN'T ready for release to a non-technical audience.

And sure, YOU may want users to get "flooded with broken app messages", but no company that wants to sell phones does. Not if they want to stay in business.

Re:Allow blocking (1)

psyclone (187154) | about 9 months ago | (#46116189)

This app has been available since Android 2.1 or earlier, and needs root access of course:
http://www.appbrain.com/app/pe... [appbrain.com]

Google has had years to implement user-chosen permissions revocation. Even hidden in Developer Tools under Settings would have at least given app developers the chance to test their apps against losing permissions.

Re:Allow blocking (1)

kenshin33 (1694322) | about 9 months ago | (#46125511)

They said clearly that they were developing the permissions manager,

no (afar as app opss is concerned). Read Dianne Hackborn's comments in here :
https://plus.google.com/+Danny... [google.com]

Re:Allow blocking (4, Interesting)

fuzzyfuzzyfungus (1223518) | about 9 months ago | (#46113301)

The app should allow blocking of certain apps access to gps or whatever system they are trying to access. If my dictionary app is accessing my gps then allow me to block that app from using it.

You probably want lying rather than blocking... The arms race between you and the hostile dev is over pretty quickly if you block (plus, naive applications that just assume they have the permissions they requested on install will probably crash right, left, and center, which is their fault; but your problem). Lying, by contrast, is unlikely to be 100% bulletproof against a good data-miner; but 'well-formed and plausible' is certainly much, much, harder to notice and respond to with certainty than being blocked is.

Re:Allow blocking (2)

Decker-Mage (782424) | about 9 months ago | (#46114869)

That's been my preferred method since the mid-90's. It also makes fingerprinting the device more difficult if you are jiggling the values between sessions. Now if it were as easy on my Nexus 7s as it's been on the desktop/servers.

Siri, who has seen me naked. (-1)

Anonymous Coward | about 9 months ago | (#46112651)

It looks like James has seen your Clapper.

social research, not app development (4, Informative)

fche (36607) | about 9 months ago | (#46112677)

Briefly reading TFA, these guys are analyzing people's reactions to various privacy-warning user interface options. Their baby app that heuristically monitors location-api usage is far less capable than xprivacy or its kin of android tools.

Re:social research, not app development (2)

fuzzyfuzzyfungus (1223518) | about 9 months ago | (#46113409)

While technical proficiency is a necessary feature, and doesn't really have any substitutes, I suspect that any attempt to extend meaningful privacy protection beyond paranoic geeks, recreational cypherpunks, and reasonably smart pedophiles who want to stay on the outside, will depend heavily on human-interface and psychology research in addition to technical prowess.

People underestimate how potent aggregated privacy compromises are, and they are (even when trying to cover their tracks) pretty easy to 'snow' under technical detail until they just stop struggling.

Giant external storage security hole patched? (1)

SuperKendall (25149) | about 9 months ago | (#46112707)

I can't find any good information on this either way, but in the past any Android app could read anything stored on external media - and some apps are stored to external media, meaning that any application could monitor them.

Is that still the case? Or do apps not have full read permissions on external media in Android if they are granted permission to access it?

Also on a side note it seems like if you grant an app permission to read SMS messages it could also monitor at least that activity...

Re:Giant external storage security hole patched? (1)

Delwin (599872) | about 9 months ago | (#46113683)

As of Android 4.4.2 apps can only access their own directories in external media. Needless to say this broke a number of apps like file browsers.

Re:Giant external storage security hole patched? (1)

SuperKendall (25149) | about 9 months ago | (#46114931)

That's good to know, I can't believe that existed until 4.4.2...

Hopefully there is no new permission that would let the "file browsers" work again!

BUTT !! (0)

Anonymous Coward | about 9 months ago | (#46112715)

It tracks you !!

(In Soviet Russia, they eat people !!)

App Ops does that already (2, Informative)

Anonymous Coward | about 9 months ago | (#46112719)

Despite Google yanking App Ops out of Kit Kat in the latest update, you can still put it back in [howtogeek.com] .

No need for Angry Birds to have access to your information. Simply limit what it can access and forget it.

Patching a hole with a hole... (5, Insightful)

Anonymous Coward | about 9 months ago | (#46112765)

There's a way for an app to discover and report on what other apps are doing? FAN-BLOODY-TASTIC! Because THAT'S not a security hole at all!

None of this impacts NSA metadata (2)

WillAffleckUW (858324) | about 9 months ago | (#46112777)

The actual metadata is collected at, or near, the source, they only download app "fixes" when you're actively being pursued.

So, this will give a false sense of security to the 99.9 percent of American citizens who are being tracked by the NSA in an Unconstitutional and Illegal manner.

Oh, and we know exactly where you are even when you turn off location services, btw.

Re:None of this impacts NSA metadata (0)

Anonymous Coward | about 9 months ago | (#46116523)

Yep. Tower triangulation has been refined down to about 5 meters now that most phones support multiband radios. The frequency discrimination allows for much finer resolution of the target's location. That resolution drops to about 1 meter if the target is moving, due to additional doppler phase shift that can be used to further refine location using phase correlators in the towers. . That's better than GPS by a long shot.

Re:None of this impacts NSA metadata (1)

WillAffleckUW (858324) | about 9 months ago | (#46116583)

Well, there's actually some additional mil band GPS info that gets you closer, but you need special sensors and circuits for that.

Basically, we always give you our old stuff.

Pffff that's nothing... (0)

Anonymous Coward | about 9 months ago | (#46112791)

I own an app that tracks the trackers that are being tracked by a tracker!

Re:Pffff that's nothing... (3, Informative)

JeanCroix (99825) | about 9 months ago | (#46113099)

Sounds like Xzibit pimped your phone...

Re:Pffff that's nothing... (0)

Anonymous Coward | about 9 months ago | (#46113875)

I know. I track people that use that app.

Re:Pffff that's nothing... (1)

mythosaz (572040) | about 9 months ago | (#46114175)

Gump My phone is plugged in here. Now this mother-fucking trace buster is gonna keep that mother-fucker from uh... tracin' our shit you know what I'm sayin'? And not only does this trace buster keep our buster from tracin' your call but it can also uh... uh... trace the mother-fucker that's tracin' your shit!
Cisco All right, so what if they have a trace buster too?
Gump Yo yo yo, that's why I gots this Trace Buster BUSTER. See, when the mother-fucker tries to bust your trace with a trace buster. This mother-fucker is gonna bust the mother-fucking trace buster that's bustin' your... uh...
Cisco Trace!
Gump That's my word playah!

Android's policy (1)

Anonymous Coward | about 9 months ago | (#46112793)

Or maybe, Android could deny approval of applications that try to seek location data for applications that have no location based function. Data mongering fuckers.

Re:Android's policy (5, Informative)

tlhIngan (30335) | about 9 months ago | (#46112991)

Or maybe, Android could deny approval of applications that try to seek location data for applications that have no location based function. Data mongering fuckers.

Android doesn't already have this? I mean, iOS has been asking about location usage for ages, and has an option to disable location services for individual apps for a while now. (An interesting side effect is that access to stored photos ALSO brings up the location services question as photos may have geotags in them - so apps can't get around it by snapping photos and reading out the geotag information).

And anyhow, you can always turn off location services on Android to keep apps from getting your location information.

OTOH, one has to consider that to Google, Android is really there to prevent Apple from locking Google out of mobile advertising. It's why Google acquired Android and why they made it open-source. Google knows mobiles would be a big part of it (and mobile traffic is roughly 2:1 iOS:Android), and that Apple could easily strangle Google in this field, hence, Android.

So perhaps it's all by design - Google's not wanting to give up mobile advertising. Sure they'll probably toss a bone or two - just enough to hobble mobile advertising competitors, but not Google's own advertising networks...

Re:Android's policy (0)

Anonymous Coward | about 9 months ago | (#46114333)

In Android (and Google in general), you are informed what resources the application will need in bulk, and you allow all or deny application installation.
You can workaround that with a rooted phone... But still, it's not nice.

Re:Android's policy (0)

Anonymous Coward | about 9 months ago | (#46113207)

Or maybe, Android could deny approval of applications that try to seek location data for applications that have no location based function. Data mongering fuckers.

Yeah, right.

When Google's entire business model is to mine every private bit of data about you they possibly can and sell it all to anyone who'll pay?

Re:Android's policy (2)

gnasher719 (869701) | about 9 months ago | (#46115391)

Or maybe, Android could deny approval of applications that try to seek location data for applications that have no location based function. Data mongering fuckers.

Didn't think there was any approval process in Android. So you install an app, it may tell you that it wants your location data, and if you say "no" it won't work. Your choice of giving up your location or not using the app. Minor case of blackmail. That's where the "walled garden" approach comes handy. If your app needs location data for no good reason then it doesn't get on the store. If it refuses to perform functions that don't need location data, when the user refuses to allow access to location, it doesn't get on the store. In any case, the user will be asked the first time location data is used, and can remove permission at any time in "Settings".

Seems like short term thinking. (1)

RightSaidFred99 (874576) | about 9 months ago | (#46112795)

While an interesting hack, I wouldn't call it "research". Something like this may or may not be supported forever by Android, may not work on all versions, apps may find ways to hide from it, etc...

Seems a bit low-brow to come from MIT, I'd expect something like this from a guy named HedRandroid93 on the XDA forums.

Let me see if I understand this right... (4, Funny)

nani popoki (594111) | about 9 months ago | (#46112853)

This is an app that exploits a security hole to detect apps that are exploiting a security hole? What's wrong with this picture?

Turtles? (4, Funny)

Anonymous Coward | about 9 months ago | (#46112955)

It's trackers all the way down.

Made to order for this meme.... (1)

rts008 (812749) | about 9 months ago | (#46113071)

"Yo, dawg! I heard you like....

Nah, it's just to easy.

What's wrong with this picture?

How much time do you have? How long is your attention span? Did you bring food?(this could take a long time)

I guessed you were asking a rhetorical question and already know some/most of the answers, so I did not elaborate.

If that was a serious question, reply back and I will try my best for you; if not, just ignore my stirring of the puddle. :-)

Re:Let me see if I understand this right... (1)

Andster (1180297) | about 9 months ago | (#46113165)

Is the geolocating stuff actually a security hole? I just assumed these exploits were possible because people click right on through the "This App wants access to your children's intestinal tract and your cars tire pressure monitoring system." I guess I'll RTFA.

Re:Let me see if I understand this right... (2)

Chemisor (97276) | about 9 months ago | (#46113497)

There is nothing wrong with this picture. Monopolizing a hole has been a successful evolutionary strategy for millions of years.

So does 'Lightbeam' (in a browser), but .. (2)

arisvega (1414195) | about 9 months ago | (#46112909)

.. if you go hastefully through the ToS it is very easy to miss that _some_ data will be communicated to 'momma' server _anyway_, regardless of user control settings, and that they reserve the right to do basically whatever they want with it.

Their stated intentions for the collected data, should they (the company behind the addon, working with Mozilla for the time being) not be acquired, go bankrupt or 'experience corporate restructuring', is to produce a public internet map with it to show which megacorp is connected to which other megacorp- but there is no link or even a timeline for that, and they are not really clear as to what data they will make public, how, when and where.

I have my doubts for them, as I do for this app.

Re:So does 'Lightbeam' (in a browser), but .. (0)

Anonymous Coward | about 9 months ago | (#46115781)

.. if you go hastefully through the ToS it is very easy to miss that _some_ data will be communicated to 'momma' server _anyway_, regardless of user control settings, and that they reserve the right to do basically whatever they want with it.

Lightbeam data is only sent if the user chooses to do so. If you really cant trust the privacy policy, go read the source code on github.

https://addons.mozilla.org/en-US/firefox/addon/lightbeam/privacy/

Re:So does 'Lightbeam' (in a browser), but .. (1)

arisvega (1414195) | about 9 months ago | (#46123437)

Lightbeam data is only sent if the user chooses to do so.

This. You have just proven my point.

Go read their ToS again, but this time actually read it. You may also want to actually read my post to which you replied.

Rooted (0)

Anonymous Coward | about 9 months ago | (#46112939)

Don't apps like this already exist, just the phone has to be rooted? I think some of them even allow you to prevent the offending apps from sending data/accessing resources. Of course A version of Android DID allow you to do some basic restrictions before they disabled the capability for questionable reasons.

Ok so... (1)

koan (80826) | about 9 months ago | (#46113177)

To the best of my knowledge Android doesn't allow you to set specific permissions on the app, only to agree or disagree. (on my Nexus 7 2nd Gen)
Android, if they allow the app, will release a patch to stop the "exploit" it's using.

They also don't allow you to access attached USB storage without rooting or other "work around" apps.

There's a reason for this.

contradiction in TFS (0)

Anonymous Coward | about 9 months ago | (#46113367)

Android's operating system is engineered not to allow apps to access information about other apps. But a team at Rutgers University found a way around that, by leveraging a function of Android's API to send a signal whenever an app requests location information from the operating system.

"Android's operating system is engineered not to allow apps to access information about other apps"
"But a team at Rutgers University found a way around that, by leveraging a function of Android's API"

Mr Stuckey needs some edumacation

Who's tracking the tracker (0)

Anonymous Coward | about 9 months ago | (#46113443)

that's tracking the tracker that you are using to track who's tracking you?

You do give them your permission (0)

Anonymous Coward | about 9 months ago | (#46113445)

With Android anyway, you have to accept all the access requests before it will download.

Privacy Guard (1)

EmagGeek (574360) | about 9 months ago | (#46113861)

Privacy Guard blocks location access to whatever apps it is enabled for.

Generally though, I examine the permissions an app requests _before_ I install it, and if it wants permissions it doesn't need, I don't install it in the first place.

Yo Dawg.... (0)

Anonymous Coward | about 9 months ago | (#46114647)

I heard you like tracking, so I put a tracking app to track apps that track you so you can track while being tracked.

Similar app for iOS - a must-have! (0)

Anonymous Coward | about 9 months ago | (#46114987)

It's called "Settings -> Privacy -> Location Services"

In addition to showing you which apps are using location services, you can also enable/disable on a per-app basis right here. Of those that are enabled, it shows you if an app has "recently" used your location, used it within 24 hours, or if it's using a geofence.

For Android Devs (2)

SirJorgelOfBorgel (897488) | about 9 months ago | (#46115571)

Immediately after reading the summary, I suspected this would just use "getLastKnownLocation" and correlate that with the foreground app. From searching through TFA, that is indeed the case. Technically, not very interesting at all.

A more apropos app (1)

David Govett (2825317) | about 9 months ago | (#46117507)

How about an app that tracks who's tracking you, then mails thousands of junk e-mails to every officer in the companies tracking you.

Maybe don't install a zillion apps? (1)

gelfling (6534) | about 9 months ago | (#46118745)

Oh I dunno, my Galaxy becomes unstable enough with an average sized suite of apps. I can't see how adding more to tell you about the status of the status is really going to help.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?