Many smartphone owners love installing and experimenting with new apps, and the two major app stores where users can download apps are wildly different environments, with distinct selections of apps on offer. Apple’s App Store carefully vets apps to determine which are allowed to be listed, while Google’s Play Store exercises a lighter touch in vetting apps, rejecting only those that are obviously malicious.
But as MIT’s Technology Review reports, the Play Store’s open nature means that the apps you can download for Android span a much wider range of quality. And many of the apps of more dubious quality share some unsavory secrets: many connect to ad-related sites and tracking sites — or even to sites that are associated with malware — without the owner of the smartphone being aware of what’s going on.
Security researchers Luigi Vigneri, Jaideep Chandrashekar, Ioannis Pefkianakis, and Olivier Heen at Eurecom in France have developed an automated system for detecting Android apps that secretly connect to these ad and user-tracking sites by checking the apps uploaded to the Google Play Store and monitoring the websites to which they connect.
As reported by their study, titled “Taming the Android AppStore: Lightweight Characterization of Android Applications” (PDF), the researchers began to examine the behaviors of typical Android apps by downloading more than 2,000 free apps from all 25 categories of the Google Play store. They then launched each app on a Samsung Galaxy SIII running Android version 4.1.2, which was configured to channel all of its traffic through the team’s server. The server, in turn, recorded all of the URLs that each app attempted to contact.
The researchers then cross-referenced the URLs contacted by each app against a list of known ad-related websites from a database called EasyList and a database of user-tracking sites called EasyPrivacy. Both of these databases are compiled for the open-source AdBlock Plus project. Then, the researchers counted the number of matches on each list for every app; they found that the apps tested connect to 250,000 different URLs across almost 2,000 top-level domains. And while most individual apps connect to just a few advertising and tracking sites, some connect to many more.
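As an added illustration of that cross-referencing step (this is not code from the paper or from the AdBlock Plus project), the following Python handles only the `||host^` domain-anchored rule form that EasyList and EasyPrivacy use, with constructed sample rules and a constructed proxy log standing in for the real lists and the study's captured traffic:

```python
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample rules (not the real lists) in the ``||host^`` form used by EasyList
# and EasyPrivacy; only that rule type and ``!`` comments are handled, real lists have more.
EASYLIST_SAMPLE = """! ad servers
||ads.example-adnet.test^
||banners.example-cdn.test^$third-party"""
EASYPRIVACY_SAMPLE = """! tracking servers
||analytics.example-tracker.test^"""

def parse_domain_rules(text):
    """Hostnames from ``||host^`` rules; comments and other rule types are skipped."""
    hosts = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("||"):
            body = line[2:].split("$", 1)[0]   # drop $options such as third-party
            if body.endswith("^"):
                hosts.add(body[:-1].lower())
    return hosts

def host_matches(host, rule_hosts):
    """``||host^`` matches the host itself and every subdomain of it."""
    parts = host.lower().split(".")
    return any(".".join(parts[i:]) in rule_hosts for i in range(len(parts)))

def classify(url, ad_hosts, tracker_hosts):
    host = urlsplit(url).hostname or ""
    if host_matches(host, ad_hosts):
        return "ad"
    return "tracker" if host_matches(host, tracker_hosts) else "other"

def count_contacts(app_urls, ad_hosts, tracker_hosts):
    """Per app: distinct URLs contacted and how many hit the ad and tracker lists."""
    report = {}
    for app, urls in app_urls.items():
        counts = Counter(classify(u, ad_hosts, tracker_hosts) for u in set(urls))
        report[app] = {"urls": len(set(urls)), "ad": counts["ad"], "tracker": counts["tracker"]}
    return report

# Constructed proxy log (app -> URLs seen), standing in for the study's captured traffic.
SAMPLE_LOG = {
    "volume.eq.demo": ["http://ads.example-adnet.test/serve?id=1",
                       "https://cdn.banners.example-cdn.test/b.png",
                       "https://analytics.example-tracker.test/collect",
                       "https://api.example-app.test/config"],
    "notes.demo": ["https://sync.example-app.test/v1"],
}
```

Running `count_contacts(SAMPLE_LOG, parse_domain_rules(EASYLIST_SAMPLE), parse_domain_rules(EASYPRIVACY_SAMPLE))` gives the per-app tallies the study reports in aggregate; the `cdn.banners…` URL shows why subdomain matching matters for `||host^` rules.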
Vigneri offers an example: the app “Music Volume Eq,” which is designed to control volume (a task that doesn’t necessitate a connection to any external URLs). Nonetheless, “We find the app Music Volume EQ connects to almost 2,000 distinct URLs.” The team says that approximately 10% of the apps they tested connect to more than 500 different URLs. And nine out of ten of the most-frequently-contacted ad domains are run by Google.
Technology Review notes that the user-tracking sites that apps connect to are less pervasive, and more than 70% of the apps tested don’t connect to user-tracking sites at all. But the apps that do connect to them can be “extravagant” in doing so, with some connecting to more than 800 user-tracking sites. Many were created by organizations that Google has designated with “top developer status,” which Google explains on its Android developers site recognizes “established, respected developers for their commitment to launching high-quality and innovative apps on Android.”
While the single comforting fact to come out of the report may be that only a small number of Android apps are designed to connect to suspicious websites associated with malware, the research exposes a discomforting problem with Android. And most users of any of the apps that connect with advertising and user-tracking websites will have little knowledge of what the apps are really doing.
So Vigneri and his colleagues have developed an app that can monitor the behavior of the apps installed on a user’s smartphone and reveal exactly which external sites those apps are connecting with. They call the app NoSuchApp, or NSA, “in honor of a similarly acronymed monitoring agency.” The researchers plan to make the app publicly available on the Google Play Store. The goal is to give Android users confidence in the apps that they install and use. The researchers explain, “With this application, our goal is to provide a mechanism for end users to be aware of the network activity of their installed Android applications.”