unjustified

Summary: Network security company Juniper Networks investigated 1.7 million mobile apps. It concluded that free apps cost us our privacy, expose us unnecessarily, and most app permissions are unjustified.

By Violet Blue for Zero Day | November 6, 2012 -- 01:30 GMT (17:30 PST)

Juniper Networks Mobile Threat Center (MTC) analyzed over 1.7 million apps on the Google Play market from March 2011 to September 2012. Juniper found that most app users are being tracked, surveilled and put at risk for exposure, and this activity is disturbingly unjustified by the majority of app makers. Juniper wrote, "We found a significant number of applications contain permissions and capabilities that could expose sensitive data or access device functionality that they might not need." Free apps, in particular, Juniper said, "are 401 percent more likely to track location and 314 percent more likely to access user address books than their paid counterparts." Most smartphone owners download lots of applications, and the number of downloads is expected to reach upward of 45 billion in 2012 (21 billion going to Apple apps).

It's widely believed that free apps take and collect more data - such as tracking user location - than users are comfortable with. Many users aware of this may feel that boundary-pushing data collection is an acceptable trade-off for apps that, because free, must compensate their revenue through advertising (conventional wisdom is that free apps need detailed user information for targeted advertising partnerships). It has been revealed that most apps tracking location and accessing private user permissions - upward of 90% of free apps - do not use the data for ad partnerships. Upon examining the results of researching permissions use of 1.7 million mobile apps, Juniper Networks is now openly wondering just exactly what that user information is being collected for. The state of user privacy across the app ecosystem, exposed

Juniper cautions that users are presented with a list of permissions they must agree to when downloading apps - but few people understand what they're agreeing to. Most don't know what how much over their phone (or how much private information) that they're giving to the companies behind the apps, or how easy it is for the private info these companies collect to be exposed. Juniper focused on the facts that both free and pay for play apps:

Some (like Facebook) require permission to access your camera, and have permission to record you Juniper explains, Possibly more concerning are the other permissions being requested from applications like the ability to clandestinely initiate outgoing calls, send SMS messages and use a device camera. An application that can clandestinely initiate a phone call could be used to silently listen to ambient conversations within hearing distance of a mobile device. Similarly, access to the device camera could enable a third party to obtain video and pictures of the area where the device is present, as was recently presented with the proof-of-concept Spyware PlaceRaider. MTYH: Free apps need your info for advertisers, which is how apps can be free Most people think that apps tracking users' location to better serve ads and thereby "pay" for free apps. It's part of the conventional wisdom behind statements such as "you're the product." Juniper found that the percentage of apps with the top 5 ad networks was much less than the total number of apps tracking location - meaning that most apps tracking your location are not serving ads. The researchers found that only between 0.32 (AdWhirl) and 4.10 percent of over half a million apps that run tracking (ostensibly for ad targeting). well known ad network AdMob is only featured on 0.75 percent of apps that track and collect user location data. Juniper categorically stated, This leads us to believe there are several apps collecting information for reasons less apparent than advertising. The permissions required by apps are not justified Popular game categories such as gambling (cards/casino) and racing caused the most concern for Juniper's researchers. For instance, 94% of both gaming and racing apps that force users to give the apps permission to make outbound calls don't say why the apps require this capability. Meanwhile, nearly 84% of the apps force permission to use your phone's camera function but don't describe why or provide any justification whatsoever for such non-trivial access.

Track your location Access your address book Silently send text messages Can clandestinely initiate calls in the background

Keep in mind that Juniper endeavored to make a distinction between an app's legitimate use of permission, and determine when the permissions were being taken from users without justification. Juniper's researchers examined cases where data was being collected and permissions taken when the immediate use of the data and permissions was not readily obvious. Juniper also contacted devs to fully understand if there was justification, and if, so what that justification was. What this meant was that researchers dug a little deeper so they could stand behind their statements of justified and not-justified forced permissions. In an instance with one gambling app they examined, the researchers couldn't find the justification for the app to access the users' camera - until the developer explained the premium version of the app, which used the camera to allow users to make custom icons. Installation equals consent - but for what? Juniper's report revealed no small amount of alarm and concern on the researchers' part - especially about the pervasiveness of mobile tracking - as well as some unexpected insights. According to Juniper Networks, most free smartphone apps cost users their individual privacy and control over personal, sensitive and private information about everything from where they live and where they go (location tracking), to who they talk to (address book access), what they say (listening to calls), and potential impersonation or interception of transmitted communications (making clandestine SMS or calls as the user). The problems emerging from apps accessing - and potentially exposing - personal information about you not required to run the app could be solved by apps doing a better job of disclosing specifically why they need permissions to use address books, track user location and access phone functions that could put the user at risk of impersonation, surveillance or exposure. Juniper concluded, Helping people understand what is actually occurring on their device and with their data has considerably more value than a list of permissions. More educated users means they are more comfortable installing apps and less likely to uninstall once they see the number of permissions being requested without explanation. One thing is true: free apps definitely 'cost' us more than we know, and app users have no control over the data and permissions being claimed on their devices by app companies. In my opinion, the naive hope for best practices in the app ecosystem for consumer safety is a childish fantasy. It's time for concrete action to protect our privacy. #

10:09 p.m. | Updated SAN FRANCISCO The address book in smartphones where some of the users most personal data is carried is free for app developers to take at will, often without the phone owners knowledge. Companies that make many of the most popular smartphone apps forApple and Android devices Twitter, Foursquare and Instagram among them routinely gather the information in personal address books on the phone and in some cases store it on their own computers. The practice came under scrutiny Wednesday by members of Congress who saw news reports that taking such data was an industry best practice. Apple, which approves all apps that appear in its iTunes store, addressed the controversy on Wednesday after lawmakers sent the company a letter asking how approved apps were allowed to take address book data without users permission. Apples published rules on apps expressly prohibit that practice. But in its statement about the issue, Apple did not address why those apps that collect address book data had been approved. In that statement, Tom Neumayr, an Apple spokesman, said: Apps that collect or transmit a users contact data without their prior permission are in violation of our guidelines. Were working to make this even better for our customers, and as we have done with location services, any app wishing to access contact data will require explicit user approval in a future software release.

The Federal Trade Commission regulates the use of consumers data on the Internet, and in the past it has sanctioned big companies like Facebook andGoogle over privacy issues. It said Wednesday that it would make no comment about the app makers practices. While Apple says it prohibits and rejects any app that collects or transmits users personal data without their permission, that has not stopped some of the most popular applications for the iPhone, iPad and iPod like Yelp, Gowalla, Hipster and Foodspotting from taking users contacts and transmitting it without their knowledge. Google, which makes the Android operating system software, forces developers to ask users for permission to access any personal data up front. The app makers collect the data to help quickly expand the network of people using their program. The practice of taking address book information without permission first came to light last week, when a developer noticed that Path, a mobile social network, was uploading entire address books to its servers without users knowledge. The company has since said it will stop the practice and destroy the data it has collected. But Path is hardly the only mobile application that collects address books. Last February, Lookout, a mobile security company, found that 11 percent of free applications in Apples iTunes Store had the ability to access users contacts. And on Tuesday, VentureBeat, a technology blog, reported that dozens of applications for Apple devices were taking users address books without permission. The findings shed more light on how technology companies sift through peoples personal and private information

without their knowledge. Last year, users were shocked to find out that Color, a mobile application, could activate users microphones on their phones without their permission. And in December, Carrier IQ, a mobile intelligence company, was accused of privacy violations when a programmer discovered that its tracking software was recording keystrokes made, phone numbers dialed, text messages sent and even encrypted Internet searches, on some 140 million smartphones. Its time for app developers to take responsibility for ensuring that users know what theyre doing, rather than leaving it to the platforms to play a game of Whac-A-Mole, said Jules Polonetsky, director of the Future of Privacy Forum, in an interview Wednesday. Some developers are following that advice and changing their apps before Apple and Congress step in. Path and Hipster updated their apps late last week so that they warn users about the information collected. The updates also give users the ability to stop sharing address book information. After Path and Hipster drew scrutiny, Instagram, another popular photo-sharing app that gathers users contacts, added a prompt asking users for permission to do so. Within the Twitter app, when users choose to Find Friends, the company can store their address books for as long as 18 months. The company said Tuesday that it planned to update its app to change how it tells users what it collects. In our next app updates, which are coming soon, we are making the language associated with Find Friends more explicit, Carolyn Penner, a spokeswoman for Twitter, said in an e-mail. We send and store data securely. Address book information is encrypted when we send it from the mobile phones to our

servers. The data is secured within Twitter in the same way that we secure other account information. On Tuesday, a developer discovered that when a user signs up for a Foursquare account, the company transmits their address book without warning. In response, Foursquare said it was adding an update to its app that warned users that it accessed their contacts. In an e-mail, Erin Gleason, the companys director of communications, said that the company did not store users contact information. When a person searches for friends on Foursquare, we transmit the address book information over a secure connection and do not store it beyond that point, she wrote. VentureBeat reported that the worst offenders seemed to take shortcuts and did not properly protect the data they were collecting from smartphones. It reported that Foodspotting, a mobile app that allows users to share photos of their meals, transmitted users address books over an unencrypted connection where it could be easily intercepted. In an e-mail, Alexa Andrzejewski, the chief executive of Foodspotting, said the risk of not encrypting users contact information has always seemed relatively low, especially for a site that doesnt deal with credit card or other sensitive information. Ms. Andrzejewski also said Foodspotting would be updating its app to include additional security features. Google has tools built into the Android platform that forces developers to notify people what data, if any, they plan to access. Once they have users permission, Android developers can access everything from a phone owners call logs to their text messages. But users of many apps including Hipster, Locale, Uber, Yelp, Taxi Magic, Picplz, Scrabble and Waze

are often not told how the information will be used or how the company plans to store it. What separates malicious use from legitimate use is the element of surprise. If a user is surprised, thats a problem, said Kevin Mahaffey, Lookouts chief technology officer, who said that in many ways, standards and rules for data on smartphones were still being debated. Its a new industry and its still in many ways the Wild West out there. The iron is still hot.

companies collect data on us so what?

Written by Hagai Bar-El

It is very common among security people to take privacy issues seriously. When we hear that a particular service collects personal data on us, we get extremely anxious. We will not use services that collect personal data that are not necessary to render the service. Sometimes we will forgo using a useful service, just because it requires that we feed in personal data, or because we do not like the wording of the privacy policy, of its lack of... To us, security people, having a company collect personal information on our shopping habits, surfing habits, reading habits, or eating habits, is just wrong. Technologists like Cory Doctorow call to treat personal data like weapons-grade plutonium, because data that is collected never vanishes. Others, like Bruce Schneier, write essays on why the average (that is, non-criminal) citizen should not agree to being watched, although he did nothing wrong. All is true, and having governments collect too much data on individuals is risky. Such data, if available, is likely to be abused at some point in time, a point which is probably closer than it appears.

It is easy to explain why one would not like the government to have too much data on himself. I would like to discuss another type of data: the commercial data that privately held companies such as Amazon, Google (on Google apps users), and Facebook, collect. Why should I care about having my personal data on-line? As a security person, I just don't like having my data available where it shouldn't, even if this data is not something that can get me behind bars, or that can make me lose money. However, when discussing this with a non-security-oriented person, I found myself having to seek explanation for my behavior. Why do I care that Google reads my personal e-mails? Why do I care that adware traces the websites I visit? Fact is, some people, when being told that they leave traces on-line and that these traces allow various companies to generate a profile for marketing purposes, simply reply that they don't care: So they know I like motorcycles; so what? and I get tons of spam anyway, it may just as well be better tailored to my interests. Governments, politics, and surveillance aside why do we, sane security people, care about marketing groups collecting private data to tailor their campaigns better? I care. Here is why: First, I treat it as an axiom that, for the most part (sorry for the generalization), advertisements are bad for the public. They mostly involve benefiting a few at the discomfort of many. The cost-effectivity of advertisement campaigns is often thanks to externality costs costs that exist, but which the advertiser does not bear, and thus does not care about. Telemarketing phone calls are annoying, spam mail is annoying and costs bandwidth and maintenance of filtering machines, and mailed paper ads harm the environment. There are exceptions: there are a few cases where you knowingly agree to receive advertisement material in exchange for something else (e.g., TV content). You agree to pay the price because you like what you get in return. However, when dealing with unsolicited proposals, such as spam, this is obviously not the case. You get nothing in return for receiving spam mail and paper brochures. I therefore take it as an axiom that being exposed to proposals you did not ask for is bad, from your perspective. It is something you do not want more of. By allowing advertisers to collect personal data on you, and by allowing advertisers to build a profile on you, you allow for better targeted campaigns. Better targeted campaigns create more sales, and as such they are more valuable to the advertiser. If a product vendor is willing to pay $0.0001 for every nontargeted promotional message that gets sent, he will be willing to pay $0.1, or more, for each welltargeted message that gets sent (expecting higher return on investment with these messages). Compare the amount paid for a single spam message to the amount paid for a keyword-targeted click in Google Adwords, for example. Companies pay $5 per click on an ad when the ad is known to be displayed only to potentially interested surfers. By allowing spam to be targeted effectively, and thus increasing its value, you encourage the flow of more money into a system that eventually harms you (see above). By significantly increasing spammers revenues, you increase their resources, and these are exactly the resources that you will need to counteract later. The money generated by the well-targeted campaigns will eventually be routed into research and development of technologies for bypassing spam filters, for development of anti-virus-evading adware, and for finding yet more creative means for forcing you into being exposed to content you never asked for.

We are lucky that spam today is largely ineffective. As such, its value to advertisers is limited, and so are its revenues high enough to allow it to exist and be annoying to some, but not high enough to be able to defeat corporate grade filters. The last thing we want is to boost spammers' revenues by empowering their products. It will cost us a lot to counter the monsters that this money will buy.