There are two different ways to download apps. The first is the carefully curated Apple App Store, where an app must pass a notoriously tough review to be listed.
The second is via the Google Play store, which is more open because Google exercises a lighter touch in screening apps and only excludes those that are obviously malicious.
Google Play being more open also means that the apps it offers span a much wider quality range. Most connect to ad-related sites and tracking sites while a few even connect to sites that are associated with malware.
All these connections often take place without the owner being aware of what is going on.
It is something that most smartphone users would be appalled to discover, if only they knew.
Luigi Vigneri and colleagues from Eurecom in France revealed a clever solution: an automated way to check the apps in Google Play and monitor the sites they connect to.
The researchers downloaded over 2,000 free apps from all 25 categories on the Google Play store. They then launched each app on a Samsung Galaxy S3 that was set up to channel all traffic through the team’s server, and recorded all the URLs that each app attempted to contact.
Next they compared the URLs against a list of known ad-related sites from a database and counted the number of matches on each list for every app.
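The matching step described above can be sketched as follows. This is an added example, not the researchers' code: the app names, URLs and the ad-domain list are constructed placeholders, and the suffix matching on hostnames is an assumption about how a domain list would be applied.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample data: (app package, URL the app requested), as a
# logging proxy might record it. All names are placeholders.
CAPTURED = [
    ("com.example.volume", "http://ads.adnet.example/banner?id=1"),
    ("com.example.volume", "http://ads.adnet.example/banner?id=2"),
    ("com.example.volume", "https://cdn.track.example/pixel.gif"),
    ("com.example.volume", "http://notadnet.example/help"),
    ("com.example.notes", "https://api.notes.example/sync"),
    ("com.example.notes", "https://API.Notes.example:443/sync"),
]

# Constructed list of ad-related domains (assumption: one domain per entry).
AD_DOMAINS = {"adnet.example", "track.example"}


def host_of(url):
    """Lower-cased hostname without port or trailing dot; '' if unparsable."""
    try:
        return (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:
        return ""


def on_list(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.split(".")
    # Compare whole labels so "notadnet.example" does not match "adnet.example".
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def summarize(captured, domains):
    """Per app: distinct URLs, distinct hosts, and distinct URLs on the list."""
    urls, hits = defaultdict(set), defaultdict(set)
    for app, url in captured:
        urls[app].add(url)
        if on_list(host_of(url), domains):
            hits[app].add(url)
    return {
        app: {"urls": len(seen), "ad_urls": len(hits[app]),
              "hosts": len({host_of(u) for u in seen})}
        for app, seen in urls.items()
    }


if __name__ == "__main__":
    for app, row in sorted(summarize(CAPTURED, AD_DOMAINS).items()):
        print(app, row)
```

Counting distinct URLs and distinct hosts separately matters when reading the results: an app can request thousands of URLs from only a handful of domains.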
In total, the apps connect to a mind-boggling 250,000 different URLs across almost 2,000 domains. While most attempt to connect to just a handful of ad and tracking sites, some connect to dozens or even hundreds.
“Music Volume Eq,” an app designed to control volume, a task that does not require a connection to any external URLs, connects to almost 2,000 distinct URLs. The privacy implications of this are not, as one can imagine, good.
The team say about 10 percent of the apps they tested connect to more than 500 different URLs. Google's conflict of interest in the system shows, as nine out of 10 of the most frequently contacted ad-related domains are run by Google.
To help users navigate this privacy mess, they created a new app called NoSuchApp, or NSA for short, “in honor of a similarly acronymed monitoring agency.”
“With this application, our goal is to provide a mechanism for end users to be aware of the network activity of their installed Android applications,” says Vigneri.
The team will make the app publicly available on Google Play in the near future.
In the meantime, it's important to carefully read the list of services each app is trying to access when installing it. Simple apps should require very few, if any, permissions. If the app seems simple but requests access to nearly everything, your privacy is being compromised.