The 2019 USENIX Security Symposium includes our study on the use of side and covert channels by apps in order to circumvent the permission system. In addition to our paper, we are writing a series of blog posts to explain our main findings. In this post, the first in the series, we provide the names, versions, and MD5 hashes of the affected apps (Android APKs). Baidu As we noted in a previous post, every phone Read more…
The International Mobile Equipment Identity, or IMEI, is a special number that is tied to every unique mobile phone. It is used whenever the phone is registered on a mobile network. It can also be used to blacklist a phone off of the network, which happens, for example, when it is reported as stolen. Blacklisting keeps phones off the network even if the SIM card or telephone number changes. For it to be effective for Read more…
The Ad ID Persistent identifiers are the bread and butter of the online tracking industry. They allow companies to learn the websites that you visit and the apps that you use, including what you do within those apps. A persistent identifier is just a unique number that is used to either identify you or your device. Your Social Security Number and phone number are examples of persistent identifiers used in real life; cookies use persistent Read more…
In our work looking at COPPA violations, one company really stood out: Tiny Lab Productions. They currently have 98 games available in the Play Store. Most of these games are in Google’s Designed for Families (DFF) program, which means that the developer is specifically marketing their apps to children under 13. We cited them in the paper as a particularly egregious example because their children’s apps were collecting location data, persistent identifiers, and even email Read more…
One of the things we noticed when doing our large-scale study of children’s games was that way more apps were accessing location data than were seen actually sending it. In some ways this makes sense—COPPA quite explicitly forbids sending location data without verifiable parental consent, something that our testing framework did not provide. Nevertheless, since we couldn’t come up with a plausible reason why many of these apps actually needed location, we thought there was Read more…
In late February of this year, we received word that an advertising company, ironSource, had obtained a leaked draft of our paper on COPPA violations in Android apps. In that version of the paper, we mentioned them (and their subsidiary, Supersonic) exactly once: in a table of advertising SDKs whose terms of service prohibit their use in child-directed apps (Table 2 of the final paper). We noted that many third-party SDKs include these clauses presumably Read more…
In our study of kids’ Android apps, we observed that a majority of apps specifically targeted at kids may be violating U.S. privacy law: the Children’s Online Privacy Protection Act (COPPA). In response to this revelation, many companies that we named in our paper have responded by stating that they are not covered by the law because either their apps are not directed at children or they have no knowledge that any of their users Read more…
As a followup to my previous post, I both emailed CVS and tweeted at them to give them an opportunity to comment on their app’s location-sharing practices: I noticed that your mobile app appears to be sharing my location data with around 40 different third parties. Can you please explain this? Is this a bug? They responded 5 hours later, claiming that they do not share location data with any third parties: …we do not Read more…
Recently, we decided to take a closer look at apps in our database that are sharing location data. This is a concern, because it could be used to track someone over time. One app in particular stood out, just based on the sheer number of data recipients. The “CVS/pharmacy” app appears to be sending the user’s GPS coordinates to over 40 different entities! Some of these include:
(more…)