Buckle your seat belts because things aren’t as safe as you might think…
At one time or another, I think we’ve all wondered whether Facebook or some other big tech company is watching our every move or recording what we say, without us knowing. For the longest time I paid little attention to it because all the arguments that I came across didn’t really provide proof of it happening. But, how could they? If there was any data collected it would be sent over an encrypted connection and stored on some server sitting behind an impenetrable firewall.*
Getting proof is difficult but perhaps we should look at this differently and ask whether it’s actually possible for apps to record us without our knowledge and if so, how? Fortunately, as an Android App developer I find myself in a pretty good position to answer this question — and I won’t lie, the answer is pretty damn scary.
Security on Android
Before we get into the juicy stuff, we need to discuss how security works in Android apps. When any app wants to use your camera, location (GPS), microphone, etc., it has to ask for your permission. Before Android Marshmallow (6.0) you had to accept all the permissions an app requested up front to be able to install it. This was problematic to say the least, because it gave app developers free rein to ask for any permission they wanted without giving you any kind of context as to why the app needed it, and you couldn’t opt in or out of individual permissions. In other words, it was all or nothing.
Things got a bit better in Marshmallow (and after) because apps can no longer ask for all their permissions at once, before installation. Instead they have to ask for permission to access data (contacts, call log, etc.) or resources/sensors (e.g. camera, location, microphone) while the app is installed and open (aka runtime permissions). Google also encourages (but doesn’t strictly enforce) that apps only ask for a permission the first time it is actually required to do something.
The goal of this was to give the user some context for why an app needed a permission and allow them to use an app even if they opted out of some of the permissions.
Caption: A) Permissions must all be accepted before installation on Android phones older than Marshmallow. B) Below: If an app requests access to a resource/sensor/data that is considered dangerous, it must ask for permission the first time the app needs it, and the user can either opt in or out.
This sounds a lot better, right? But I’ll discuss a bit later why it’s still pretty problematic.
What happens in the shadows?
I know that you might be getting impatient to get to the juice of this article, but there’s one more thing that needs to be discussed — services. Explained simply, a service is some code that can run in the background without you having to open the app. Services can access the internet, your location, listen on your microphone and use the camera (on older devices), all without you opening the app. Their ability to access these sensors combined with the fact that they run in the background (without your knowledge) makes them hugely powerful.**
Two years ago (Android Oreo), Google finally realised that this was too much power and decided that if an app wanted to access your location or microphone, or perform CPU-intensive tasks, in the background, it would have to show a notification that couldn’t be swiped away (aka a foreground service). This sounds like a great security upgrade but there’s a catch… the text contained in the notification is at the complete discretion of the app developer. In other words, an app could show an innocent-seeming notification (like the one below), but still be tracking your location and recording your voice while uploading it all to a server, and you’d be none the wiser.
Back to permissions…
So here’s a little something that you might have known, but probably weren’t fully aware of its implications. To use a dangerous permission, an app only needs to ask once and can then use it indefinitely***. Let’s look at an example that illustrates just how problematic this is:
Let’s say you’re on Facebook and you want to tag your current location in a photo. Facebook will ask your permission to access your location and you grant it. It makes sense given the context in which you’ve been asked, so all good so far, but a permission only has to be accepted once and never again, so now Facebook can track your location any time the app is open (in the foreground) without having to tell you shit. To do this in the background they only have to tell you if you have a phone running Oreo or newer, so for the other 78.5% of Android users they don’t have to tell you anything!
The crazy thing is that this isn’t even hypothetical! Facebook just released a feature to disable background location updates (4 days ago at the time of writing). Here’s an article about it.
Even crazier is that it’s not just big companies like Facebook, Instagram and WhatsApp that can track us like this — it’s all app developers.
So what can you do to protect yourself?
- Clap and share this post so that more people become aware of Android’s security shortcomings
- Uninstall any apps you don’t use often
- In `Settings → Apps` go through every app and disable any permission you think an app shouldn’t have. Games are generally the most guilty of this.
- Get a phone running Android Oreo
So what could Google do better?
1. A tool that tells you what permissions or sensors an app is using at any one time.
Even as a developer, it’s actually a non-trivial task to find out which app is currently using which permissions. This is truly messed up in my opinion. Any user should be able to see a summary like the one given below, to empower everyday users to call out apps that do things they shouldn’t.
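As an added example (not part of the original post), here is a small Python script in the spirit of the tool described above: it parses the text of `adb shell dumpsys package` (captured beforehand; the SAMPLE below is a constructed, trimmed imitation of that layout, which varies between Android versions) and lists which apps currently hold sensitive runtime permissions, then prints the `adb shell pm revoke` commands that would withdraw them. The package names and the SENSITIVE subset are assumptions for illustration.

```python
import re
from typing import Dict, List

# Subset of Android's "dangerous" runtime permissions, chosen for illustration.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed sample shaped like `adb shell dumpsys package` output (approximate).
SAMPLE = """\
  Package [com.example.game] (1a2b3c):
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET]
  Package [com.example.notes] (4d5e6f):
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET]
"""

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
PERM_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")

def granted_sensitive(dump: str) -> Dict[str, List[str]]:
    """Map each package to the sensitive runtime permissions it currently holds."""
    result: Dict[str, List[str]] = {}
    pkg, in_runtime = None, False
    for line in dump.splitlines():
        m = PKG_RE.match(line)
        if m:                              # new package: reset section state
            pkg, in_runtime = m.group(1), False
            result[pkg] = []
        elif line.strip() == "runtime permissions:" and pkg:
            in_runtime = True              # "install permissions" are skipped
        elif in_runtime:
            m = PERM_RE.match(line)
            if not m:                      # any other line ends the section
                in_runtime = False
            elif m.group(2) == "true" and m.group(1) in SENSITIVE:
                result[pkg].append(m.group(1))
    return result

def revoke_commands(granted: Dict[str, List[str]]) -> List[str]:
    """adb commands that withdraw each held permission, as Settings > Apps would."""
    return [f"adb shell pm revoke {pkg} {perm}" for pkg, perms in granted.items() for perm in perms]
```

Run it against a real dump with `adb shell dumpsys package > dump.txt` and pass the file contents to `granted_sensitive`; review the printed revoke commands before running any of them.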
A permission usage summary for a specific app could look like this:
App Specific Summary
- App X
  - Used the internet 11 times in the last hour
  - Tracked your location for 1 hour today
  - Last used the microphone yesterday
A usage summary for a specific permission could look like this:
Permission Specific Summary
- Location Permission
  - App X — 14:01 21 Feb
  - App Y — 13:11 21 Feb
  - App Z — 12:33 21 Feb
2. Prescribe and enforce what should be written in a notification of a foreground service.
Don’t just leave it up to the discretion of the developer.
3. Split location permission
Split the location permission into two separate permissions: A) while the app is open, and B) while the app is closed, like Apple does.
4. Tighten the entrance requirements for getting apps onto the Play Store
Especially if they use dangerous permissions.
I’d like to congratulate you for bearing with me and my not-so-tin-foily hat. We really do live in dangerous times… you never know what nefarious things apps could be doing with your data. Lastly please do share this post so that we can get the word out and put some pressure on Google to do something about this. I’ll hang out in the comments and answer any questions you might have.
** There are many legitimate reasons why services are necessary (e.g. playing music while other apps are open, retrieving new messages, showing notifications, etc.).
*** Unless you go into Settings → Apps → select the app → Permissions → disable. I’m willing to bet that very few people know that they can do this and even fewer have disabled a permission they’d previously granted.
* There are some caveats here — any big tech company’s apps are likely to be disassembled by security researchers from time to time, and nefarious activity runs a high risk of being discovered. However, this is a non-trivial task and there are only a handful of people who know how to do this. As a result, it is fairly easy for smaller apps and games to get away with collecting your data without your knowledge.