Android Apps: What are they doing with your precious Internet?

TinyToCS(2013)

Abstract
Increasing numbers of people use mobile devices to transmit personal information. Privacy consequently becomes an important issue. With the current Android permissions system, users may grant broad Internet access to an application, but are unable to see how exactly that access is used. We define a “well-behaved” application as one that: 1. only uses necessary resources, 2. contacts only necessary parties, 3. keeps personally identifiable information (PII) confidential.

We installed the application Meddle [1] to track mobile traffic. The client sends traffic through a VPN through the Meddle server. Meddle then logs the packets for later analysis. A preliminary study following three users over 50 days showed that only 56% of users’ traffic used HTTPS, while 40% was unencrypted HTTP. Additionally, we discovered that one user with 20 apps contacted more than 100 different organizations. As a result, there are hundreds of points of access where an attacker could find unencrypted information.

Doing an app-by-app analysis on 20 applications, we also discovered deviant, but not outright malicious, behavior from certain applications. The WeatherBug app leaked unencrypted geolocation coordinates, allowing an eavesdropper to pinpoint the user’s current location. Pinterest contacted an excessive number of CDNs (7), exposing data to an unnecessary number of parties. Generally, the applications considered in the study do not abuse their privileges, but may still affect users negatively. Indeed, of the applications considered in our study, only 35% were well-behaved according to our criteria defined above, indicating there is scope for further improvement.

BODY

The majority of Android apps are not malicious, but use internet access in ways that are not compatible with the user’s interests.

REFERENCES

[1] Meddle. http://meddle.cs.washington.edu.
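
The following is an added example, not code from the paper or from Meddle: it audits constructed flow records against criteria 2 and 3 of the definition above (contacts only necessary parties, keeps PII confidential) and reports each app's HTTPS share. The app names, hosts, per-app allowlist of expected parties and the geolocation query keys are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed flow records (app, URL); not data from the study.
FLOWS = [
    ("weather", "http://api.weather.example/obs?lat=47.6553&lon=-122.3035"),
    ("weather", "https://api.weather.example/forecast?zip=98195"),
    ("pins", "https://api.pins.example/feed"),
    ("pins", "https://img.cdn-a.example/1.jpg"),
    ("pins", "https://img.cdn-b.example/2.jpg"),
    ("pins", "https://img.cdn-c.example/3.jpg"),
    ("notes", "https://sync.notes.example/v1/items"),
]
# Assumed policy: parties each app needs, and query keys treated as location PII.
EXPECTED = {"weather": {"weather.example"},
            "pins": {"pins.example", "cdn-a.example"},
            "notes": {"notes.example"}}
GEO_KEYS = {"lat", "lon", "latitude", "longitude"}
COORD = re.compile(r"^-?\d{1,3}\.\d+$")

def party(host):
    """Crude organization key: last two DNS labels (assumption, no public suffix list)."""
    return ".".join(host.split(".")[-2:])

def audit(flows, expected):
    """Per-app report: HTTPS share, unexpected parties, geolocation sent in cleartext."""
    stats = defaultdict(lambda: {"total": 0, "https": 0, "extra": set(), "leaks": []})
    for app, url in flows:
        u, s = urlsplit(url), stats[app]
        s["total"] += 1
        s["https"] += u.scheme == "https"
        if party(u.hostname) not in expected.get(app, set()):
            s["extra"].add(party(u.hostname))          # criterion 2
        if u.scheme == "http":                          # criterion 3: visible on the wire
            s["leaks"] += [k for k, v in parse_qsl(u.query)
                           if k.lower() in GEO_KEYS and COORD.match(v)]
    return {app: {"https_share": s["https"] / s["total"],
                  "unexpected_parties": sorted(s["extra"]),
                  "plaintext_geo": s["leaks"],
                  "passes_2_and_3": not s["extra"] and not s["leaks"]}
            for app, s in stats.items()}

if __name__ == "__main__":
    for app, result in audit(FLOWS, EXPECTED).items():
        print(app, result)
```
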
Volume 2 of Tiny Transactions on Computer Science.

This content is released under the Creative Commons Attribution-NonCommercial ShareAlike License. Permission to make digital or hard copies of all or part of this work is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. CC BY-NC-SA 3.0: http://creativecommons.org/licenses/by-nc-sa/3.0/.