Normally, advertisers keep tabs on consumer behavior by tracking cookies in browsers. Unlike the Internet tracking community, which has had years to work through its security bugs, the mobile market tends to make its mistakes along the way and, in some cases, tracks your every move in the physical world. For instance, if you download certain apps, you could be giving away your location to third-party ad networks. Some apps can see your photos if you allow them to access your location information.
After looking at how marketers spy on consumers, independent security researcher Ashkan Soltani uncovered that many apps were transmitting precise GPS location and device identifiers to third parties.
Soltani worked with the Wall Street Journal's What They Know series, a series of articles that looked at the tracking files installed on people's computers after they visited popular websites. For that project, he demonstrated what data leaks off your phone to third-party networks, entities that you don't have a relationship with. Working on that project inspired him to create Mobile Scope, a tool that would give consumers control over their privacy.
We spoke to Soltani about why he believes that consumers should be given tools to control how much data is being transmitted off of their phones. As Apple cracks down on developers for bad privacy practices, there may be a better way to filter out which apps respect privacy. It may be as simple as informing consumers about the data that gets transmitted off their phones after they download apps and by giving them the tools they need to decide what they are comfortable sharing.
BYTE: You said that the WSJ wanted to create tools that would let people see and control their personal data. So they held a hackathon. Can you tell me what you did at the hackathon?
Ashkan Soltani: A bunch of coders and hackers developed tools around privacy and security at the hackathon. My colleagues got together and decided to build Mobile Scope. It automates what we were doing for the WSJ. It lets you see what information your apps transmit. One of my favorite examples is when you run an alarm clock app. The alarm clock accesses your location to tell you what the weather is like in your area. It transmits that and your phone identifier to a bunch of third parties. When your alarm clock goes off, these third parties are able to know where you are. They use this information to serve you ads. But a lot of people might not be comfortable with third parties tracking their location.
We built a tool that allows you to see the information as it flows to third parties. You can block transmission of this information. If you want to run a location app, you can block information from parties you don't have a relationship with and go as far as blocking ads themselves. You can see what portion of your mobile data cap is advertisement. We saw that 5 to 10 percent of the mobile data cap came from ad networks.
We built a bunch of tools that give you control over what data leaks off of your devices.
It's a cloud-based service. By the end of the month, we want to have it out in limited beta. There are costs associated with running it [and we are still working it out].
BYTE: Can you show me the app? What is certificate pinning?
AS: We created a concept of certificate pinning, which allows you to specifically say you only want to trust this certificate. When you buy your Sprint phone, [the security update is] dictated by your carriers and the operating system like Apple and Google. The carriers are much slower than Apple and Google to make updates. Even though you might have Ice Cream Sandwich, your carrier may only give you the previous version because they haven't rolled it out. As a result, security is very slow to get out to your phones. There are tons of people walking around with an older [version] that is vulnerable to some of these [security] bugs that I described. There's no way for those users to secure them until their carrier rolls out a security update.
BYTE: Tell me more about the app that you built.
AS: It's a one-click install; it's no different from installing an app. You specify things that you find sensitive, or you can lock down certificates. We also added "do not track" support. The ad industries support "do not track." [Using Mobile Scope], you can add "do not track" for mobile, which I don't think anyone else does. We plugged in Collusion, the Mozilla project that lets you see how your data is flowing. We plugged in the ability to see where your data is being transmitted [to show how] third-party ad networks get your data. What portion of your ad traffic is apps? We can give you the ability to block sensitive data.
For instance, when you run an alarm clock, it sends your UDID with your lat/long to AdMob and to DoubleClick.
BYTE: Did you say developers use the identifiers because they are lazy?
AS: It's not that they are lazy. The common problem in security is [developers] use identifiers as authenticators. We saw this growing up in high school. People would ask for our social security number to authenticate us, to prove we were who we are. Anyone can get access to your social security number if they pretend they are you to get your grade. It is a poor authenticator. [Same goes for apps]. Instead of asking users to log in with a confirmation dialog, engineers will use the UDID. For example, if you use [dating sites such as] Grindr or Blendr, both contain sensitive information. If you sign up for a dating profile, you submit photos and information about yourself. These apps use this UDID as the authenticator. What that means is if you install the app and delete the app or format your phone, when you sell your phone, a person who buys it can get that info the moment they download the app. I can spoof your UDID and get your photos. The tools we built can block this stuff. If you don't want your UDID to be transmitted to third parties, you can make sure only Grindr/Blendr will get your UDID.
BYTE: Can you talk about how this is similar to the bring-your-own-device movement happening at work?
AS: Typically, there are these solutions that are evolving, which existed for enterprise for corporate machines. Now they want to expand these devices for personal phones. The idea is that the IT department doesn't want people to have to deal with having a Blackberry and an iPhone. They want to allow consumers to bring their iPhones and use them at work. It's a huge headache. The IT department can't secure the platform. You can download any app you want. Take pictures of sensitive information at the office. There's this whole movement to build technologies to allow consumers to use their personal devices at work. The impact of that is you allow your IT department to monitor traffic off the device and to encrypt your traffic. The users use it in a way that IT policy allows.
BYTE: What do you plan on doing with your hackathon project?
AS: We might want to build an app reputation system, so consumers don't have to do the testing. So as you're trying to decide on which app to install, this app is better in regards to privacy than this other app. This app provides privacy controls and respects transmission of data. The thing with Path is that it accessed your contact list. It would be helpful to know it before.
BYTE: Apple has started to reject apps that use the UDID and is in the process of reviewing apps currently in the App Store. Android and Google are more straightforward and require the developers to ask users for permissions since it is an open platform. Is there an issue with Android phones?
AS: What's funny about the Android marketplace is they also forgot to ask permissions for photos. The thing with privacy is engineers aren't good at deciding what your privacy tolerances are. They build protections, but forget to add permissions for photos. These kinds of things will come up time and time again.
BYTE: What worries you about apps having access to too much data?
AS: Any app that you give access to location data has access to photos. How do you feel about that? What kind of photos do you have on your phone? Do you want anyone to have access to them? Do you have any way to tell that the app that you installed has access to your photos? Technically any app has access to your photos through your raw image, even without location information. If you want the photo and the metadata, Apple provided a setting that if you hit okay to location information, apps get access to photos. Down the line, these will definitely be things that will be fixed.
BYTE: Why is it that you can block cookies on your computer, but you can't do that on the phone?
AS: The app ecosystem of the phone and the app marketplace is really new compared to the browser. Only after 5 to 10 years did browsers build controls to block third-party cookies. If you use an iPhone, you can block or delete cookies on Safari. You can't block these super cookies on apps. So when you run Angry Birds or use apps, there's a third party like Flurry, which can track your activity between those two apps.
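The interview's central engineering point is that a device identifier such as the UDID is a label, not proof of who is holding the device, so an app that hands back a profile to whoever presents the identifier leaks that profile to the next owner of the phone or to anyone who replays the value. The following is an added illustration, not code from Mobile Scope or from Soltani: a toy profile service in the weak shape the interview describes, beside a hardened version where the identifier is only used to scope sessions and the actual authenticator is a random token issued after a password check. Every user, device id, password and profile here is constructed for the example.

```python
"""Constructed example: device identifier used as an authenticator versus
a per-login session token. Not Mobile Scope code; all data is made up."""
import hashlib
import hmac
import secrets

# Constructed profile store shared by both services.
PROFILES = {"alice": {"photos": ["beach.jpg"], "bio": "likes hiking"}}


class WeakProfileService:
    """Treats the UDID as proof of identity: whoever presents the same
    identifier (the buyer of a resold phone, or someone replaying the
    value) gets the profile back. This is the design the interview warns
    about."""

    def __init__(self):
        self.by_device = {"DEVICE-0001": "alice"}  # constructed binding

    def get_profile(self, udid):
        return PROFILES.get(self.by_device.get(udid))


class HardenedProfileService:
    """The UDID is only a label attached to a session. The authenticator is a
    random bearer token issued after a password check. Tokens are stored as
    keyed hashes so a leaked session table does not contain usable tokens,
    and wiping a device revokes every session bound to it."""

    PBKDF2_ROUNDS = 100_000

    def __init__(self, server_key):
        self.server_key = server_key          # constructed secret
        self.users = {}                       # user -> (salt, password hash)
        self.sessions = {}                    # hmac(token) -> (user, udid)
        self._register("alice", "correct horse")  # constructed credential

    def _password_hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                   self.PBKDF2_ROUNDS)

    def _register(self, user, password):
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._password_hash(password, salt))

    def _token_key(self, token):
        # Keyed hash: the table holds HMAC(token), never the token itself.
        return hmac.new(self.server_key, token.encode(),
                        hashlib.sha256).hexdigest()

    def login(self, user, password, udid):
        """Return a fresh session token, or None if the password is wrong."""
        record = self.users.get(user)
        if record is None:
            return None
        salt, expected = record
        if not hmac.compare_digest(expected, self._password_hash(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[self._token_key(token)] = (user, udid)
        return token

    def get_profile(self, udid, token):
        """The UDID alone retrieves nothing; the token must match a live
        session that was issued to this same device."""
        entry = self.sessions.get(self._token_key(token or ""))
        if entry is None or entry[1] != udid:
            return None
        return PROFILES.get(entry[0])

    def wipe_device(self, udid):
        """Called when the phone is sold or formatted: revoke its sessions."""
        self.sessions = {k: v for k, v in self.sessions.items() if v[1] != udid}


if __name__ == "__main__":
    weak = WeakProfileService()
    print("weak, udid only:", weak.get_profile("DEVICE-0001"))
    hard = HardenedProfileService(b"constructed-server-key")
    print("hardened, udid only:", hard.get_profile("DEVICE-0001", None))
    tok = hard.login("alice", "correct horse", "DEVICE-0001")
    print("hardened, with token:", hard.get_profile("DEVICE-0001", tok))
    hard.wipe_device("DEVICE-0001")
    print("hardened, after wipe:", hard.get_profile("DEVICE-0001", tok))
```

The contrast to take from the two classes is where the secret lives: in the weak service the only "secret" is a value the phone broadcasts to ad networks on every request, while in the hardened one the device id never grants access by itself and the token can be revoked when the device changes hands.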