Android Apps May Automatically Transmit Sensitive Information Through Mobile Phone’s Built-in Sensors

Three years ago, the Federal Trade Commission dimmed hopes for the Brightest Flashlight app for Android, slapping its developer with charges of consumer deception. Why? The app was transmitting users’ locations and device IDs to third parties without telling the users or getting their permission.

New research led by Northeastern professor Guevara Noubir reveals that some Android apps may automatically transmit sensitive information, such as the routes you travel, through the phone’s built-in sensors. A malicious developer, he says, “can infer where you live, where you’ve been, where you are going.” (Credit: Younghee Jang/Northeastern University)

Permissions, though, are only a small part of the Android-app privacy story. New research from Northeastern’s Guevara Noubir and colleagues shows that Android apps can be manipulated to reach inside your mobile phone to track your whereabouts and traffic patterns, all without your knowledge or consent.

The researchers know this because they built an Android app and tested it.

Their system uses an algorithm that inserts data from the phone’s built-in sensors into graphs of the world’s roads. The researchers applied the algorithm to various simulated and real road trips. For each trip, the system then generated the five most likely paths taken. The most recent results? A 50 percent chance that the actual path traveled was one of the five.

“For $25, anyone can put an app on Google Play, the store for Android apps,” says Noubir, professor in the College of Computer and Information Science. “Some of them may be malicious—no one is screening them.”

How it works

If an Android app wants to access sensitive user information, such as location, it must let the user know. But often permission for such access is buried in terms-of-use agreements—the small print that many users don’t read—or comes up not when the app is downloaded but later, unbeknownst to the user, when access for that information kicks into gear.

Android apps present further privacy risks because they automatically have access to key sensors inside the phone that detect the device’s location, movements, and orientation. Together these sensors can provide clues to everything from the route you take to work to whether you carry your phone in your pocket (the phone is relatively stable) or your purse (it swings).

“In our research we show that an app in fact does not need your GPS or Wi-Fi to track you,” says Noubir. “Just using these sensors, which do not require permissions, we can infer where you live, where you have been, where you are going.”

The tests

To gauge the effectiveness of the system, the researchers conducted two types of tests.

They simulated drives in 11 cities around the world including Berlin, London, Rome, Boston, and Atlanta. They also got behind the wheel themselves, driving for 1,000 kilometers over more than 70 different routes in Boston and Waltham, Massachusetts. In both tests they collected scores of measurements derived from the phones’ changing positions, including the angles of turns and the trajectory of curves.

Their most current results surpassed those initially published in the proceedings of the 2016 IEEE Symposium on Security and Privacy, which reported a 50 percent chance that the actual path traveled was one of 10 generated.

“Inferring a driving pattern from an Android app can lead to much greater invasions of privacy, such as where the user lives and works,” says Noubir. Additional information, he warns, can then be gleaned by searching town and city public databases for, say, property tax records. “Adversaries can recover lots of details through these side channels.”

Protecting yourself

What’s an Android user to do short of forgoing apps altogether?

For starters, do your homework, says Noubir. “You should not install apps that are not familiar to you—ones that you have not investigated,” he says. “Be sure that your apps are not still running in the background when you’re not using them.”

He also advises uninstalling apps that you don’t use frequently. “Why keep apps that can access your sensors if you don’t use those apps seriously?” he asks.

The team included Sashank Narain, PhD’17, Triet D. Vo-Huu, PhD’16, and Kenneth Block, PhD’18. Noubir’s next project: to examine how much this tracking is actually happening to Android users in the real world.

