On Mobile Apps, Who Can See Your Personal Data?

A new report co-authored by Mozilla Fellow Rishab Nithyanand explores the opaque realm of third-party trackers

The apps on our smartphones possess an intimate view of our lives. Mobile apps are privy to reams of personal data, from what news stories we read to what videos we watch to our current location.

This comes as little surprise to many of us: We regularly skim privacy policies and click “I Agree.”

But what may come as a surprise: Many apps rely on a network of third-party services — often invisible to the user — that provide analytics, social network integration, and monetization. Often, these mobile advertising and tracking services have an intimate view of our lives too, and are eager to harvest personal data.

New research co-authored by Mozilla Fellow Rishab Nithyanand explores just this: The opaque realm of third-party trackers and what they know about us. The research is titled “Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem,” and is authored by researchers at Stony Brook University, Data & Society, IMDEA Networks, ICSI, Princeton University, Corelight, and the University of Massachusetts Amherst.

“This is the start of a long project to uncover all the hidden data collection and data dissemination practices on the internet,” Nithyanand explains.

“There’s a huge lack of transparency around how mobile applications behave,” adds Narseo Vallina-Rodriguez, a co-author and researcher at ICSI. “People install software, but don’t know what that software is doing.”

The paper’s introduction lays out a troubling scenario: “Third-party services inherit the set of application permissions requested by the host app, allowing them access to a wealth of valuable user data, often beyond what they need to provide the expected service.”

To study this scenario, the researchers used Lumen Privacy Monitor, an Android app they built themselves over a two-year period. The tool, available in Google Play, allows users to observe the traffic of their other mobile apps — and determine whether trackers are scooping up personal data.

Over the course of several months, the researchers observed mobile app traffic from about 11,000 anonymous Lumen users based in the U.S., India, Germany, and scores of other countries. The app traffic was from a wide range of software, including free apps, paid apps, and apps pre-installed by mobile OS vendors. Seventy-one percent of the apps involved are listed in the Google Play Top-50 charts in various countries.

In all, the team identified 2,121 trackers — 233 of which were previously unknown to popular advertising and tracking blacklists. These trackers collected personal data like Android IDs, phone numbers, device fingerprints, and MAC addresses.

Read the full report here. Below, some high-level findings:

» Most trackers are owned by just a few parent organizations. The authors report that sixteen of the 20 most pervasive trackers are owned by Alphabet. Other parent organizations include Facebook and Verizon. “There is a clear oligopoly happening in the ecosystem,” Nithyanand says.

» Mobile games and educational apps are the two categories with the highest number of trackers. Users of news and entertainment apps are also exposed to a wide range of trackers. In a separate paper co-authored by Vallina-Rodriguez, he explores the intersection of mobile tracking and apps for youngsters: “Is Our Children’s Apps Learning?

» Cross-device tracking is widespread. The vast majority of mobile trackers are also active on the desktop web, allowing companies to link together personal data produced in both ecosystems. “Cross-platform tracking is already happening everywhere,” Nithyanand says. “Fifteen of the top 20 organizations active in the mobile advertising space also have a presence in the web advertising space.”

» Tighter regulation may not be a panacea. Various laws, like Europe’s General Data Protection Regulation (GDPR), aim to better protect users’ personal data. But hurdles remain, like the transnational flow of data and the marked opacity of how companies collect personal data from end users, how they store it, and how they share it with each other. “Regulations are ineffective if we can’t understand the ecosystem,” Nithyanand says.

What’s next for the researchers? The team wants to enable Lumen Privacy Monitor to thwart certain trackers, if the user so desires.

“Our vision is not blocking or modifying any tracker flow by default,” Nithyanand says. “Instead, we want to give users the knowledge and the power to make informed decisions by themselves to prevent abusive practices. Our goal is to empower mobile users, and not to weaken the developers’ position.”