Android apps have lots of secrets. They enjoy reaching out to ad-related, user-tracking, and even malware-hosting Web sites behind your back. Free apps are especially prone to these behaviors. Researchers believe such practices need to be exposed, so they've generated a plan to do just that.
There are a number of different ways to score apps for your smartphone. The two biggest are of course the Apple iTunes App Store for iPhones and Google's Play Store for Android phones. Microsoft and BlackBerry host their own stores for their respective platforms, too, but they are much smaller in scale.
Apple is famously strict in its app review practices in order to create a better experience for end-users. Google is more laissez-faire in its approach and (perhaps) places too much trust in app developers. The result leads to a wide range of apps with an even wider range in quality. Google weeds out truly malicious apps, but leaves many that exhibit questionable behaviors free and open to all.
"The lack of oversight in Android Play Store makes it all too easy for end-users to install applications of dubious origin, or those which silently carry out activity that might not be seen favorably by the user," wrote Eurecom lead researcher Luigi Vigneri.
Vigneri's team developed a system for tracking what apps do when no one is paying attention.
What they learned is discomforting.
The team downloaded some 2,000 free apps from each of the 25 app categories listed in the Play Store. The team ran the apps on a Samsung Galaxy SIII and monitored all the traffic generated by them on its own server. Specifically, the team wanted to see what urls the apps were reaching. The team then compared the contacted urls to those known to serve ads, track users, and host malware.
The top 2,000 apps reached out to 250,000 different urls. The researchers admit that most apps are connecting to only a small number of ad and tracking sites, but others apps aren't so shy about talking to anyone about anything.
Take an app called Music Volume Eq, for example.
This app helps users control the audio playback volume on their handset. Such an app has no need to use the Internet at all, let alone connect to ad servers, but boy does it ever.
"We find the app Music Volume EQ connects to almost 2,000 distinct URLs," according to the researches. This app is not a unique example. Of the top 2,000 apps, about 200 attempted to reach 500 urls each. Nine out of the top ten most-frequently-contacted sites are Google-run ad services. That says a lot.
[Read about Android for Work.]
A smaller number of apps connected to user-tracking sites. The researchers found fully 70% of apps don't contact tracking sites at all. The remaining 30%, however, make quite a show of it. Some connected to more than 800 sites that track users. Stunningly, Google said many of these 800 sites are those of top developers.
Even fewer apps connect to sites hosting malware.
"Our results underscore the need for a tool to provide users more visibility into the communication of apps installed on their mobile devices," according to Vigneri.
In other words, Eurecom's intentions aren't entirely altruistic here. The team hopes to release an app in the days ahead that lets users more easily track what their apps are doing in the background.
"With our application, end-users are able to understand the different domains the application is communicating with, which enables them to make informed decisions about the desirability of the applications they install," they said.
We've seen this type of pitch before: Create some FUD, then provide an app or service to dispel that FUD (Kaspersky, anyone?)
Businesses should maintain full control over what apps employees are downloading and installing on their handsets, which should be relatively easy given today's mobile device management tools.