The realm of third-party trackers on Android

Lumen Android root cert

I was excited to learn about Lumen Privacy Monitor, as I’ve always wondered about the apps I have installed, even when I have restricted the permissions the installed app asks for.

New research co-authored by Mozilla Fellow Rishab Nithyanand explores just this: The opaque realm of third-party trackers and what they know about us. The research is titled “Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem,” and is authored by researchers at Stony Brook University, Data & Society, IMDEA Networks, ICSI, Princeton University, Corelight, and the University of Massachusetts Amherst.

“This is the start of a long project to uncover all the hidden data collection and data dissemination practices on the internet,” Nithyanand explains.

“There’s a huge lack of transparency around how mobile applications behave,” adds Narseo Vallina-Rodriguez, a co-author and researcher at ICSI. “People install software, but don’t know what that software is doing.”

The paper’s introduction lays out a troubling scenario: “Third-party services inherit the set of application permissions requested by the host app, allowing them access to a wealth of valuable user data, often beyond what they need to provide the expected service.”

To study this scenario, the researchers used Lumen Privacy Monitor, an Android app they built themselves over a two-year period.

So I installed it just to see what was going on with my Android devices. But there is a problem, best summed up in this comment from Wcat:

Not open source? TLS interception? Before you install this stop and think about TLS interception. “Those who would trade privacy for security deserve neither.”

Lumen asks for permission to install its own root certificate, and this deeply worries me. TLS interception isn’t a trivial thing, to be honest. I know it’s needed, but it had me questioning how I really want to monitor the apps. Also, if I remove the app, will the certificate be removed too, and how would I know?

Right now, I’m keeping an eye on the app but haven’t installed the root cert yet.

Graceful degradation of apps via permissions under android 6.0

Android 6.0 Marshmallow has a very nice feature, something I have been wanting to see more of across all services and applications: granular permissions, which can be applied and revoked by the user at any time.

It was obvious that iOS had it right as far as transparent, granular app permissions were concerned, and Android Marshmallow admits as much, because it now has a very similar system. Permissions are asked for as and when they’re needed, rather than all at once during installation.

That gives you a better idea of what’s going on and also lets you, for example, give Facebook access to your camera but not your contacts. If you want to check which apps have what permissions (and edit them), go to Settings: tap Apps, then the cog icon, then choose App permissions.
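To show what “asked for as and when they’re needed” looks like from the app’s side, and what graceful degradation means in code, here is an added example (mine, not from the post or the research paper) of a hypothetical Android activity that requests the contacts permission only when a feature needs it and keeps the feature usable when the user denies or later revokes it. FriendFinderActivity and its two find methods are assumed names.

```kotlin
import android.Manifest
import android.content.pm.PackageManager
import android.provider.ContactsContract
import androidx.activity.result.contract.ActivityResultContracts
import androidx.appcompat.app.AppCompatActivity
import androidx.core.app.ActivityCompat
import androidx.core.content.ContextCompat

// Hypothetical "find friends" screen: contacts access is optional, requested only
// when the feature is used, and a denial is a normal path rather than a crash.
class FriendFinderActivity : AppCompatActivity() {
    // Registered at field-init time, before the activity is started, as the API requires.
    private val askContacts =
        registerForActivityResult(ActivityResultContracts.RequestPermission()) { granted ->
            if (granted) findFriendsFromContacts() else findFriendsByUsername()
        }

    // Wired to the "Find friends" button in the layout (layout code omitted).
    fun onFindFriendsClicked() {
        when {
            // Granted now; still revocable at any time from Settings > Apps > App permissions.
            ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS) ==
                PackageManager.PERMISSION_GRANTED -> findFriendsFromContacts()
            // Denied before: explain once in the UI if you like, but do not nag;
            // the feature still works without it.
            ActivityCompat.shouldShowRequestPermissionRationale(
                this, Manifest.permission.READ_CONTACTS) -> findFriendsByUsername()
            // First use (or revoked since): ask at the moment it is needed.
            else -> askContacts.launch(Manifest.permission.READ_CONTACTS)
        }
    }

    private fun findFriendsFromContacts(): List<String> {
        val names = mutableListOf<String>()
        try {
            contentResolver.query(
                ContactsContract.Contacts.CONTENT_URI,
                arrayOf(ContactsContract.Contacts.DISPLAY_NAME), null, null, null
            )?.use { cursor -> while (cursor.moveToNext()) names.add(cursor.getString(0)) }
        } catch (e: SecurityException) {
            // Revoked between the check and the query: degrade, do not crash.
            return findFriendsByUsername()
        }
        return names
    }

    // Degraded mode: nothing imported; the UI lets the user type a name instead.
    private fun findFriendsByUsername(): List<String> = emptyList()
}
```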

Android 6.0 permission system
Why does BBC iPlayer Radio need access to my phone?

Since Android 6.0 Marshmallow, I’ve wanted to try out the app permission tweaker. I’m interested to see what happens when I block certain apps from key permissions. Will they explode, or will they gracefully handle it and still operate without it?
For example, could I run the Facebook app and deny access to the internet, or local storage? OK, that might be a little too far, but what about Facebook without access to the mic and camera? Surely that would work, right?

So I tried it with the Amazon Kindle app, which I always thought had too many permissions anyway. I mean, why does the Kindle app need access to my contacts and my telephone?!

Android 6.0 permission system

Having turned them off, I thought I’d better see if the app still actually worked.

Android 6.0 permission system

It did! So I started revoking permissions from apps which I felt didn’t need them. For example Fitbit, which I had refused to upgrade in the past because of its permissions.

Android 6.0 permission system

Why does Fitbit need so many permissions anyway!

Android 6.0 permission system

Android warns me the app may break as it’s not written for Android 6.0. But it still works as I want it to, so this has to be a case of them overreaching with the data they want to consume?
Say hello to your new permissions, Fitbit. It works fine when syncing data from the Fitbit.

Android 6.0 permission system

Fitbit had better get used to the sandbox I put it in, and they are not the only one!

Android 6.0 permission system

This, for me, is a key part of the VRM infrastructure. As Adriana said:

If you cannot reject them, if you cannot actually say well, I’m fine with that but not with that, what’s the point?

Great to see it working as expected, graceful degradation of applications based on permissions. I might be able to install Facebook again.

Update

I installed Facebook messenger again with the permissions I felt comfortable with.

Then I decided I actually wanted to break FB Messenger, as it’s meant to be written for Android 6.0, so I denied it access to my location too.

Installing Facebook messenger under Android 6.0

I can say everything works, and I haven’t seen any problems so far with my permissions. I did notice you can start to mess with the data usage too, which may be a way to restrict network usage.

What is Fitbit trying to do?

New Fitbit permissions

For a while now, I have been declining the Fitbit upgrade on my Android devices. I kept tweeting Fitbit to ask why on earth my digital pedometer needs access to my SMS, camera and location.

I can imagine location is passable, but SMS and camera? Really? I voted with my feet and kept the upgrade on hiatus till I heard a reason why.

Finally I got a message from Fitbit support…

So basically Fitbit is trying to break its way into the wearable market with phone and message notifications?

I think I’ll hold off on upgrading even longer now. I’m sure you can turn it off, but I’m just not interested, especially since I have the Pebble smartwatch, which already does this and so much more.