Does your flashlight app know where you are? Probing Android permissions

Android permissions are difficult to understand. Michael Kassner interviews a research team using the "wisdom of the crowd" to clarify what a permission actually does.

The doorbell rang. It's my neighbor. "Hey, what's up?" I asked nervously. It's only been a week since my article about the bomb threats at his granddaughter's college.

"Why would a flashlight need GPS?"

"In case it got lost?" He did not appreciate my humor.

"I want to load this flashlight app on my phone," my neighbor explained. "But, why in *&@#$ does it need to know where I am?"

"I don't know," was the best I had. I asked to see the phone; this is what was on the screen.

I was at a loss as to why a flashlight app needs to access GPS-location data. That, plus having to say, "I don't know" is not pleasant for me. I silently vowed to find out.

First thing I noticed was the incredible number of downloads -- 10 million. I wondered how many of the 10 million people were curious as to why the app asked for GPS info.

I texted William Francis, my go-to guy for anything Android, asking if he knew why a flashlight app would ask permission to use GPS information. His reply: "There aren't any good reasons."

I was afraid of that -- time to get serious.

Side-tracked

I couldn't find either a good or bad reason -- probably why I got side-tracked by this paper, "Towards Scalable Evaluation of Mobile Applications through Crowd-sourcing and Automation". Damn intimidating title. Fortunately, I was familiar with two of the authors, Dr. Jason Hong and Dr. Janne Lindqvist.

I was pleasantly surprised once I started reading the paper. My neighbor is not alone. There are enough people confused about Android permissions to warrant the attention of an entire research team:

"As mobile apps have access to both mobile device sensors and also users' personal data, it is critical for users to know how mobile apps are using sensitive information and resources on their devices."

The research

I was disappointed to learn the team's solution, App Scanner, isn't finished. While I want to take a look at the cloud-based service, first some questions for the professors.

Kassner: Dr. Lindqvist, what can users do to better understand what each permission request is asking for?

Lindqvist: Today, you can't do much. Most applications are not telling what they are using the information for. I might suggest trying to determine whether the application really needs each of the permissions. Also, check if there are equivalent applications that do not require the permission you are concerned about.

One rule of thumb here is everything costs. If you are not paying for an app, it will likely fund itself through advertising. Then your personally-identifying information could be revealed to third parties as well as the app developer.

Kassner: Dr. Hong, this Technology Review article quoted you as saying:

"The basic idea here is: How do you help people who are not experts in network and computer security understand what an app is doing?"

How would you help?

Hong: The Android Market (Play Store) has over 400,000 apps. The Apple App Store has over 550,000 apps. The problem, however, is how do we know what an app will do when it is loaded on a mobile phone? Also, how can we communicate what an app does to users?

For this project, we propose two major activities. The first is to build a system that can semi-automate the analysis of what an Android app is doing with respect to one's privacy. For example:

  • How often does this app share one's location?
  • What networks is it connecting to?
  • Does it upload part of one's contact list to a server?

The second major activity is to design a user interface that makes it easy for people to understand what the app will do. Currently, apps display a manifest that describes at a very coarse level what an app will do (for example, checks location, uses network, etc). We want to design and evaluate several different interfaces to communicate to people what an app does, based on our semi-automated analysis.
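The coarse manifest listing mentioned above can at least be compared against what an app's stated purpose justifies. The following is an added example, not part of the original article or the researchers' App Scanner: a Python script that reads a decoded, plain-text AndroidManifest.xml and separates the permissions a flashlight can justify from the rest. The baseline set, the description table, the package name and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Manifest attributes such as android:name live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Plain-language meaning of the permissions discussed on this page.
EXPOSES = {
    "android.permission.CAMERA": "camera hardware, which includes the LED flash",
    "android.permission.FLASHLIGHT": "the flash LED",
    "android.permission.INTERNET": "network access",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS) location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate (cell/Wi-Fi) location",
    "android.permission.READ_PHONE_STATE": "phone state and device identifiers",
    "android.permission.READ_CONTACTS": "the contact list",
    "android.permission.SEND_SMS": "sending text messages",
}

# Assumption: what a flashlight's stated function can justify.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}


def declared_permissions(manifest_xml):
    """Return the permissions a manifest requests, in order, without repeats."""
    root = ET.fromstring(manifest_xml)
    perms = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name and name not in perms:
                perms.append(name)
    return perms


def audit(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Split requested permissions into those the baseline explains and the rest."""
    report = {"expected": [], "unexplained": []}
    for perm in declared_permissions(manifest_xml):
        what = EXPOSES.get(perm, "not in this table; review manually")
        bucket = "expected" if perm in baseline else "unexplained"
        report[bucket].append((perm, what))
    return report


# Constructed sample: a hypothetical flashlight app's decoded manifest.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight"/>
</manifest>"""

if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST)
    for bucket in ("expected", "unexplained"):
        print(bucket + ":")
        for perm, what in result[bucket]:
            print("  %s -> %s" % (perm, what))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text before a script like this can read it.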

App Scanner

The slide below encapsulates the activities Dr. Hong referred to and -- you guessed it -- App Scanner. Squiddy is the semi-automated subsystem of App Scanner Dr. Hong also referred to above. William and I are working with Professor Landon Cox, co-developer of TaintDroid, a key ingredient in Squiddy. We are hoping to have that piece of the puzzle figured out in a few weeks.

The part of App Scanner I would like to discuss consists of:

  • CrowdScanner: Responsible for capturing people's perceptions of how an application is behaving.
  • Privacy Evaluator: Quantifies the personal information an app can infer, using the results from Squiddy's evaluation. The Privacy Evaluator will present its results through scenarios that are more understandable to users.
  • Privacy Summarizer: Provides end-users privacy summaries generated using output from both CrowdScanner and Privacy Evaluator.

The following slide is an example of a privacy summary. It just so happens to be about the flashlight app my neighbor asked about.

Notice the user percentages? They are the result of a rather unique aspect of App Scanner -- crowd-sourcing.

Crowd-sourcing

One problem facing the researchers is the sheer number of apps. If that's not enough, the researchers also realize some human interaction is required to create the summaries. After some head-scratching, the researchers came up with a solution for both challenges:

"Given the scale of participants available on crowd-sourcing platforms such as Amazon Mechanical Turk and the use of automated techniques, we propose that App Scanner is a scalable approach for analyzing mobile applications and providing large coverage of app markets.

Further, we conjecture that by relying on the wisdom of crowds, AppScanner can produce application behavior evaluations that would be close to expert analysis of the app behavior."

If I'm not mistaken, relying on the "wisdom of crowds" is a big shift in academia. At the same time, it's likely the only way to evaluate the million plus apps out there.

Final thoughts

I applaud the research team for trying to reduce the complexity surrounding Android permissions. Their wanting to focus attention on unexpected use of smartphone resources will keep everyone honest. Hopefully they will have App Scanner up and working soon.

I'd also like to thank Dr. Lindqvist and Dr. Hong for helping with this article.

About

Information is my field...Writing is my passion...Coupling the two is my mission.

45 comments
hwburns

I am looking at the Permissions for the Flashlight App referred to; https://play.google.com/store/apps/details?id=ganesha.quicols.app.flashlight.free It doesn't control GPS but it does have control of Camera & Network functions. Why???? I would rather pay a little for an app and have it only have access to what it needs to. An app should have to ask permission before accessing any info or function not specifically required for it to operate. Or at the very least, notify the user every time it does. I believe that there would be a lot of people deleting apps if this were to be implemented. HW

XavierRobin

My flashlight app recently asked for new permissions (phone identity). I also wondered why a flashlight app would need full network access and read the identity of the phone. Is this not crazy? So I uninstalled it and looked for alternative apps. I found Search Light. This one needs only the permission to operate the flash. Proof that all the rest is useless. https://play.google.com/store/apps/details?id=com.scottmain.android.searchlight

vegesm

The GPS permission is needed because of the ads. A lot of ad networks provide targeted advertising by GPS location. The 'Read phone state' permission is also needed by some networks. It enables developers to access a unique identifier of the phone which helps tracking. As a side note there are two permissions to access location data: access coarse location and fine location. The first one uses wifi and Cell tower data, the latter one uses the GPS.

mikelane

The flashlight app has to be able to use your GPS. How else will it know where on earth to shine the light;-)

manicmark

I would rather be able to control what permissions an app had. Don't think it needs access to GPS? Revoke that permission for that app.

AnsuGisalas

Would it be feasible for an OS like android to install and run the app, without giving it the permissions it asks for? With PCs we can do that, we can terminate a service run by a program for instance. If the service isn't crucial to the program functioning, then the program keeps running, and we can even disable the service or make it so that it starts only after we OK it. With an outgoing firewall, we can do the same with programs that wish to phone home. We can say No to that. Far as I gather, mobile apps are different: Either we take it (all) or we leave it. No crippling the spyware but keeping the functionality.

TrueDinosaur

Was the app author contacted and asked why the extra info was needed?

magic8ball

And all I have is my phone, I just turn on the camcorder and the light from that without actually recording anything. Works just about as fast as any app would I imagine having to turn on the app then activate the flashlight. Pretty much the same steps. Turn on the camcorder and then its light. Voila no app needed at all and it's already built in. This also works well if you need to read a wallplate for a network drop but it's behind a desk or some other place you can't easily see but can reach. In that case then you actually record it then playback the video to see the wallplate info.

palconfunch

2 permissions one for the light and the other to take photos? What would it need access to my camera for at all ever ? Uninstalled!!. I agree no app is truly free someone somewhere is getting something. I wonder what, where and when all the photos are being taken with this app and where they are being stored.

Duranis

The "App Scanner" is a brilliant idea and I look forward to seeing it launched. The biggest problem though (which is often the biggest problem in IT) is educating the users. The Android interface doesn't allow you to install these apps blindly. You get given a list of what the App is going to do and common sense should tell you that a flash light app doesn't need to have access to your location or address book. Of course though the majority of the users haven't been told about this and are so used to the whole "just hit next and install already" attitude they never even think about looking at the small print. Hopefully the likes of articles like this and the "App Scanner" will help raise awareness and get people to think about what they are letting apps have access to. It is scary though how some very popular apps collect massive amounts of data on you and nobody seems to care. A game called Tiny Towers for example recently did a stealth update outside of the marketplace without giving the user any option which completely blocked the game from running until you updated to the new version in the market place. The new version wanted access to GPS, Address book and SMS send & receive (as well as all the standard network access, etc you normally get on ad supported games). The scary part is the amount of people that seemed to update to this new version without even questioning it.

JohnMcGrew

...and one day it wished to update itself. Curious as to why such a simple app would need an update, I did a bit of research. My proxy server wouldn't even allow me to download it, having found something objectionable in the code. If you google it, you'll find several discussions as to what it tries to do, including browser hijacking. Needless to say, I immediately deleted that one. I always tell my clients what the author says above: There's no such thing as "free". If the app isn't costing you anything to download and install, you have to assume that somebody somewhere is getting something in exchange.

Michael Kassner

I do not quite understand what you mean. I do find the subject fascinating, so your help would be appreciated. The professors mentioned in their paper that this was the first case of using crowd-sourcing for studying privacy.

Wirekat

"If I'm not mistaken, relying on the 'wisdom of crowds' is a big shift in academia." Academia already subscribes to this, just look at Wikipedia.

cuttymarks

@hwburns ... and that is why people are willing to pay for honest apps with cash rather than with their data. Developers like http://stringfree.co.uk are setting the ground for a rising trend in permission friendly apps. No longer will my flashlight app know where I am and send premium rate SMS messages!

Michael Kassner

And I agree with you that some flashlight apps have ads running along the bottom. This particular one didn't, making it all the more confusing. As for the two types of location data, I also agree and if you notice in the article, I circled in red the area mentioning that the app wanted GPS information.

Michael Kassner

I have queried the developer, but haven't received a response yet. I am curious and you could be right.

Michael Kassner

That's a thought that hasn't occurred to me. If the app really needs it, it could then mention that when you disallow a certain permission.

james

This is exactly what I was thinking. I thought the whole point of Linux/Android/Open Source was to be more secure, but here this is obviously being broken by the service vendor. Shouldn't there be an area in the programs menu that lets you check off the various phone components that the OWNER wants them to have access to? Sure the app may not work if it can't get to something it insists (whether in truth or not) it needs to work, but then I can just as easily remove an app that has shown it has ulterior motives that I don't approve. Seems to me that should be simple to do...

Michael Kassner

I'm researching an app right now that may just be the answer. Hopefully, I will have an article ready in short order.

Michael Kassner

And Professor Lindqvist said as far as he knew none of the team asked the developer.

AnsuGisalas

I just activate the display. In actual darkness, the glare of the screen is enough to scrape by (or to avoid the scraping, preferably).

Michael Kassner

Are you referring to the video feature of the Android camera app or a different app? I tried with the Android one and the light did not turn on. I was hoping it would as that is a great idea.

SeeSeeRockett

I read a developer's comments of one of those apps, and they explained that the permission was needed for accessing the flash of the camera or even to check if the camera has a flash. I could believe that Android permissions are not fine grained enough to say "I need access to only the flash of the camera". Now, the GPS thing is different, but maybe it adds a "Batman" symbol if you happen to be in Batman jurisdiction. I don't really care if they want GPS for a free app. The one I try to avoid is phone contacts because it is no longer just affecting my privacy but the people I have contact with. I would not want to subject someone else to unsolicited sms or phone calls because of a free app.

Michael Kassner

That's a new one on me. I'm not sure why a flashlight needs permission to access the camera.

Michael Kassner

I have looked at Privacy Guard, and you are correct. It requires root, removing millions of users from the discussion.

Michael Kassner

Your comments ring true. Thanks for the information about Tiny Towers. I am not familiar with that app.

Michael Kassner

And thanks for the additional information on the app. My Android cohort, William, is an app developer and he knows of no app developer that likes the free model.

Michael Kassner

There is another problem. I am learning that many app developers are being vague as to why they need a specific permission. Look for my article on TaintDroid next week.

Michael Kassner

Then, I broke down and bought a flashlight app and big difference. My eyes need more light than the screen can provide.

magic8ball

Video feature of the phone itself. I have a Motorola Atrix. I have used the built-in video tricks several times now. Sometimes I will just take a pic too if I can't see the port too easily or even if I can so I won't forget the port number when back in the server room.

Michael Kassner

I would love to learn your thoughts as to why it doesn't bother you that a flashlight app is sending your physical location to their servers. Particularly, when they can put together a pattern of your behavior.

Michael Kassner

My flashlight app allows me to do both...and I can change the color of the screen.

magic8ball

But if the auto brightness feature is turned on then in a darker environment then it might not light up as bright as needed.

Michael Kassner

I learned the picture trick myself. I used to carry a small dentist mirror. Not any more; like you, I just take a picture. And, I always take a picture of my parking spot. I've been known to forget where I park.

Michael Kassner

I guess I tend to see the dark side. There is no real EULA, so who is privy to the data? I wrote an article where I described how an app that William wrote could turn on the GPS without the owner's knowledge.

SeeSeeRockett

I was responding to the "pattern of your behavior" bit. I think the advertisers associated with the apps think of GPS coordinates as just another piece of targeted advertising. If I live in Maine, they may want to sell me snowshoes, but if I live in Hawaii, that would be a tough sell. Of course, the advertisers would like to get even more fine grained and let me know "Hey, you're just around the corner from pizza!", and that's fine with me. My biggest problem with GPS on cell phones right now is that it drains my battery too fast so that I have to leave it off most of the time. If cell phones were a government device, I wouldn't be using one. I would not want to see "1984" in the real world.

AnsuGisalas

...for his efforts to feed the marketers' hunger for data. So, obviously, they do need to know where he is :p

AnsuGisalas

How else will they know where to bring the motorcycle? :^0

Michael Kassner

I was more concerned about GPS location than targeted advertising. That is another subject that I have written about extensively.

SeeSeeRockett

I don't mind advertisers knowing what I like. I used to fill out the paper questionnaires in product literature of a new product if it had free postage. Now those are online when you register a product. I often answer feedback requests on websites that often want to know what I'm doing on the site and all that. I don't mind telling them I buy a lot of SciFi books and eat a lot of peanuts and chocolate. I guess I still have hopes that one day targeted advertising will actually work and I will no longer have to see another bra or feminine hygiene product ad ever again. Show me an ad about the next big SciFi hit instead. And heck, if someone wants to buy me a motorcycle, I'll give them my life's history (boring as it may be), a psychological profile, and a strand of DNA. Um, let me clarify that, a REAL motorcycle. :)
