A few weeks ago I warned that mobile applications may not behave the way that users expect them to. (See “App Happy Downloaders May Get More Than They Expect.”) As a follow-up to that post, I talked more in-depth with Domingo Guerra, president and co-founder of Appthority. Guerra’s company has analyzed hundreds of thousands of mobile apps to discover what they do, not just on the surface but under the hood as well. It turns out that most mobile apps are pretty busy collecting as much information as possible about the device owner and off the device itself. For example, an app may harvest all the information from a person’s contact list on his smartphone.
Guerra didn’t necessarily say this is a bad thing. In fact, he said his company doesn’t focus on whether the data collecting is right or wrong. He’s more concerned that consumers should know what information is being collected and that they should have a choice and be able to opt into the practice of apps doing their behind-the-scenes data collecting.
I agree. It’s primarily ad networks that are collecting this information, and there are beneficial uses for advertisers to have good information about prospective shoppers. However, like Guerra, I think that app developers need to be completely transparent and honest about what data they are collecting, and for what purpose. What’s more, given that so many consumers also use their personally owned devices for work (i.e., BYOD), there are frightening implications for enterprise security and privacy when data is harvested off personal devices that also contain corporate information. Enterprise security professionals need to be aware of the risk and factor this into their BYOD policies and security measures.
The following discussion is an excerpt of my interview with Guerra:
Musthaler: What are some of the things that mobile applications do in the background that users may not be aware of?
Guerra: I’m going to provide some background information before answering that question directly. Mobile apps behave differently from traditional PC software, and it’s largely because of the business model for monetizing the apps. With traditional software, the developer sells a CD or a software download and perhaps a support contract. There may be recurring revenue as the user purchases upgrades or renews an annual license. All of these things allow the developer to make decent money on the product. In the mobile app world, consumers want free or very cheap apps for their devices, so the developers are relying on ad networks and different analytics frameworks within their apps to help them make money. What this means is that a lot of times mobile app developers have multiple incentives. They want to make an app that solves a pain point and is engaging and users like to use it, but the second part of it that is often disconnected is how to monetize that app, and that’s working with the ad networks or the analytics frameworks.
Bringing the interests of the ad networks into the equation presents an interesting problem. The ad network will pay the developer more money based on being able to collect more information on the user of the app. That’s why we’re seeing games or even business applications requesting information. They want to be able to collect more data that might not be directly related to the app. It’s more to serve the purpose of monetization. What that leads to is the developer looking for more ways to get more information.
For example, a game app might ask to use the device owner’s current location, even if it’s not important to the game. Location is, however, important to an ad network that wants to be able to serve a promotional offer to a user based on where he is or where he goes.
Musthaler: I have seen apps that request permission to use my current location.
Guerra: Yes, we see some apps where, for example, they’re going to use the phone’s GPS in order to track a user. iOS and Android have required the developer to ask the user for permission to use the device GPS. Obviously some users don’t want to share that permission. However, that’s not the only way to get a person’s location.
Developers have been finding ways around the permission model, or they find loopholes in the permission model. They are still able to track a user’s movements without getting a user’s permission. We see that with banks that sometimes do it, maybe for security purposes to make sure that you’re not logged in to online or mobile banking in two places and trying to place a wire transfer. That would raise alerts for fraud.
Another way they can get the phone’s location is to use geotracking of the IP address, cell phone triangulation, or Wi-Fi network recognition. They can figure out where the Wi-Fi locations are and be able to track users that way. Those are three different methods that developers are already using to track users without using the permission model.
Musthaler: What other kinds of unobtrusive actions have you discovered mobile apps taking?
Guerra: Another example we see very often is the mismatch between what the users perceive they are giving permission to and what permission is actually being granted. Even if you actually read the long list of permissions, which most people don’t, the details typically say the permission is being granted to the app itself. People don’t realize that that permission is grandfathered in, being offered to any of the ad networks or third party code that happen to be part of the application, such as analytics. For example, if you trust Rovio, the company that makes Angry Birds, and you are willing to share your contact list with them, you should be aware that you are also sharing your contact list with every ad network that might be present on the Angry Birds apps.
Another thing that we are seeing is that the permissions are written so generically that it’s not explicit what the user is granting access to. There are apps that say they are going to work in the background, but what they really mean is that the app will be on all the time and therefore collecting data all the time, even when you’re not necessarily using it. It affects your network usage, it affects the battery life of your device, and it affects your privacy as well, if it’s an app that is allowed to track your location and it’s allowed to operate when you’re not directly using it. Then it’s something that’s tracking you for the purpose of getting information 24 x 7.
Musthaler: How are these techniques helping the application developer monetize his application?
Guerra: A lot of times the app purchase price may be as low as $.99, and it’s a one-time fee. We’ve done studies and we’ve learned that there are more paid apps than free apps overall, and that there are very few apps that allow for an ongoing revenue stream from the user. Every update on the app is free as well once you’ve purchased an app.
Let’s say you are a developer and you sell an app for $.99. That’s all the money you’re ever going to make on the user. However, if you are working with an ad network you are able to make money as long as your application is still on the user’s device, even if the user isn’t actively using the app, because a lot of apps are still able to collect data as they operate in the background. So as long as the app remains on a person’s device, it’s a revenue stream for the developer. And, the app developer is not constrained to working with just one ad network. We’ve seen apps with more than 15 ad networks in them. This means they are just trying to get more coverage and as much money as they can from each user beyond the initial sale.
Musthaler: How are the ad networks using this information?
Guerra: One way is, because the ad networks are associated with multiple apps, they can track your usage from app to app, not just from within an app. Most devices use the device ID number to identify you as a user. They might not know this user is Linda, but they know that the person is user number 1234, and this individual is using Angry Birds, using a Bank of America app, and using other apps. They know that the user is traveling in certain areas, the user browses certain websites, or he goes to certain stores. From there the ad networks are able to provide more targeted information. A lot of times you are not seeing the ad itself, but that information collected on you can be used to sell even more, perhaps to a different third party.
To give you an example, one of our customers was walking through a mall and he passed the Louis Vuitton store. Later that day he got an email from Louis Vuitton saying, “since you like shopping at our store, here are some special offers for you.” This happened even though the person never shops in that store. Just by being in the mall and in proximity to the store, the ad network used the location tracking device, either through the Wi-Fi or the geo-positioning, and was able to send a targeted message to that person. Note that the ad also had to have the user’s contact information in order to send the offer via email or SMS. This is enabled through the collaboration of the different ad networks throughout the apps. It just takes one app that has just one ad network that knows your email address, and then that ad network can use your email address across all apps or anywhere you are using your phone.
Musthaler: I can see two sides to this story. A device user might be alarmed that he’s being tracked and his privacy is being violated, and he’s receiving unsolicited offers via his phone. However, the retail and financial services industries are looking at this kind of capability and thinking how it can encourage more shopping and monetize mobile transactions. It’s very intriguing from a business standpoint.
Guerra: Our focus is not whether it’s right or wrong; it’s whether consumers should have a choice and be asked to opt into these kinds of things. Government is starting to get involved. In Europe, the laws are a lot stricter in terms of privacy, but in the United States we’re seeing involvement largely around child protection. Tablets, especially, are often shared in the household. The app itself doesn’t know if it’s a child using the tablet or if it’s an adult, but the type of data the app developer can legally collect is different based on the age of the user. If a minor is using the app, then the developer is not supposed to collect any data from the app without explicit permission from an adult. The law is called COPPA, the Children’s Online Privacy Protection Act. This law kicks in this July and it makes developers liable.
There’s a lot that can be enabled by collecting information, but there also are risks in how this information is being collected, how it is being stored, and whether or not the user knows this information is being collected. From a technology perspective, it’s great when it helps us find out about new offers or improves our life in certain ways, but it probably should be opt in and there probably should be some oversight to make sure that this data collection is not being abused.
Linda’s closing comments: There have been more than 65 million app downloads just from the Apple and Android marketplaces. Each market has close to a million unique apps available. If even a small percentage of those apps collect data without complete disclosure to the users – with or without their permission – then there is an awful lot of information that is being harvested, used and stored improperly. This gives food for thought to the corporate security experts charged with finding a secure way to enable BYOD in the enterprise. Consider these possibilities:
- A worker’s entire corporate contacts list is harvested from his phone via a data collecting app
- A company’s sales people are being geo-tracked as they call on customers
- Promotional offers sent to employees’ phones contain phishing attacks
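One concrete check an enterprise reviewer can run against those possibilities is to read an app’s AndroidManifest.xml and list which bundled third-party SDKs inherit the app’s sensitive permissions, since Android grants permissions to the whole app rather than to the developer’s own code only. The script below is an added example, not code from Appthority or from this article; the manifest, the package names (com.example.birdgame, com.adnet1, com.adnet2) and the permission-to-risk mapping are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions mapped to the risk scenarios above (constructed mapping).
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contact list harvest",
    "android.permission.ACCESS_FINE_LOCATION": "precise geo-tracking",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate geo-tracking",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restarts in background at boot",
}

# Constructed manifest for a hypothetical game that bundles two ad/analytics SDKs.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.birdgame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name="com.example.birdgame.MainActivity"/>
    <service android:name="com.adnet1.sdk.TrackingService"/>
    <receiver android:name="com.adnet2.analytics.BootReceiver"/>
  </application>
</manifest>"""

def third_party_packages(root, app_package):
    """Collect the top-level package prefixes of components not owned by the app."""
    pkgs = set()
    for comp in root.iter():
        if comp.tag in ("activity", "service", "receiver", "provider"):
            name = comp.get(ANDROID_NS + "name", "")
            if not name.startswith(app_package + "."):
                pkgs.add(".".join(name.split(".")[:2]))
    return pkgs

def review_manifest(xml_text):
    """Return the app's sensitive permissions and which bundled SDKs inherit them."""
    root = ET.fromstring(xml_text)
    app_pkg = root.get("package")
    declared = {p.get(ANDROID_NS + "name") for p in root.findall("uses-permission")}
    risky = {p: SENSITIVE[p] for p in declared if p in SENSITIVE}
    sdks = sorted(third_party_packages(root, app_pkg))
    # Android grants permissions to the whole app UID, so every SDK running
    # inside it holds exactly the same set; report that explicitly.
    findings = [f"{sdk} inherits {p} ({why})" for sdk in sdks for p, why in sorted(risky.items())]
    return {"package": app_pkg, "risky_permissions": risky,
            "third_party_packages": sdks, "findings": findings}
```

Calling `review_manifest(SAMPLE_MANIFEST)["findings"]` on the constructed manifest reports both SDK packages inheriting the contacts, location and boot permissions, which is the mismatch between perceived and actual permission scope described in the interview.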
I’d like to thank Domingo Guerra of Appthority for his insight on this topic. I encourage enterprise security professionals to contact his company to learn how Appthority can help mitigate the risks of information exposure through mobile apps.