
How much do smartphone apps know about you?

App data

From dating to fitness, travel to cooking – I bet you have a wealth of apps on your smartphone. But every tap, swipe and download creates a mass of data that’s sent back to the app’s HQ.

We wanted to know what happens to this data, so we asked security experts First Base Technologies LLP to test 40 popular Android and Apple apps.

Data dive

First Base monitored the communication between the app, phone and internet to see exactly what information is being collected, how often, whether it’s encrypted correctly and who it’s being sent to.

We discovered that apps are not as well-behaved and security-conscious as you might expect.

For example, we found that photo app Instagram sends photos without using encryption (a means of scrambling the data so that it can’t be deciphered) – even those from accounts that are marked as private.

We asked Instagram about this and it said it would be rolling out encryption to all photo URLs, so in future all your images should be secure.

We also found some very nosey apps which ask for permission to access lots of information and features on your phone.

While some permissions are necessary for the app to do its job – Google Maps isn’t much use unless it knows your location, and you wouldn’t be able to upload your photos to Facebook without granting access to your photo album – we did find some apps asking for permissions that seem somewhat unnecessary.

And it certainly seems a step too far that MyFitnessPal needs to know who I have saved in my contacts. It’s there to monitor the size of my waistline, not my friendship circle.

Over to you

So how do you feel about sharing information with your apps? Are you happy to share your information to help support the app’s service?

Comments

I do not have a cell-net phone but I am in complete agreement with the Convo. People come onto Which very irate about their personal details being known and they daily without thinking give them all away, if not from a “smart”-phone then by normal use of a computer. The public have no conception about the massive gathering of your data and I don’t mean GCHQ, I mean nearly every commercial business in existence for profit. As I said on another Convo in the US it’s now into many Trillions of $$$$ for businesses, it was $650 Billion in 2002 in the US according to their official figures. What it is in the UK I haven’t found out yet but must be at least the US’s old figures.

Bianca Schmitz-Culbert says:
30 May 2016

I only use Apps, which are free, and if I give something else (in this case, data) in return, that sounds a fair transaction to me. HOWEVER, I want to be really clear from the beginning re what data the app is going to access, so I can make a fully informed decision whether or not to enter this transaction.

Tom Wills says:
30 May 2016

I think the situation with Android app permissions is way out of control. It’s bad enough that some apps ask for unnecessary permissions. What makes it worse is that there’s no option to be selective about which permissions you grant. On several occasions I’ve been uncomfortable about granting apps access to my address book, but the only alternative seems to be not to use the app at all.

At least on iPhones and iPads you’re asked which permissions to grant to each app. But then Apple seems to be much more aggressive when it comes to keeping you (and your data) locked in to their services – for example, my parents had to download iTunes on their PC just to transfer photos to their iPad.

I have a higher regard for the privacy of my contacts (friends, GP, other organisations I may use) than for data-gathering apps.
A simple expedient is to keep those details in a file rather than any built-in known location(s). It is still quickly accessible for any use you may have for it but not available for nosey-parkers.
An inexpensive shielded smartphone holder prevents communication and in conjunction with “flight-mode” allows varying degrees of restricting to times it is convenient to you to use.
There is no other way to restrict radio access to a radio device and any “security” procedures can be circumvented by a reasonably competent “cracker” until end-to-end encryption is universal. That should be pursued quickly to frustrate 1984 legislation.

There was an interesting Which? Conversation called “Which apps make you ‘appy?” [08/03/2013] that showed that although there are countless numbers of apps available most people only use a small number. Unfortunately the Conversation has only attracted six useful contributions to date, the last one being two and a half years ago. Most contributors seemed to have three or four favourites [like travel info, Skype, i-player, weather, and hobby/pastime related] and the entire spread was only a couple of dozen. It is possible that people are using many more apps than they will own up to.

This convo is over 2 years old but the same warning now applies even more.
Although I said back then I did not have a smartphone, the pressure from posters’ complaints made me spend the intervening time “getting up to speed” with the technical issues.
It’s been an eye opener. Progressive digitization of public communications progresses quickly as far as info gathering for profit benefits big businesses. Entitled: What restaurant apps are tracking you on Android smartphones (and iPhones).
Phones are very traceable, as the New York Times expose on ad tech companies and consumer privacy proved this week. But in fast food, restaurants are even more reliant on location data and personally identifiable information (PII) to offer customers a wide range of services.

It’s how chains run loyalty programs, manage delivery orders, and even market limited time offers (LTOs). What many users don’t know about are the ancillary benefits restaurants and chains gain from customer app downloads.
Fast-food operators can request to view other apps users interact with on their devices. In Android jargon, this permission is called retrieving running apps, and it can’t be turned off for ad targeting purposes. If granted location access, chains can also track customers’ every move, and see how often they dine at a competitor. By default, all fast-food apps request location access via GPS and mobile networks for the best user experience upon installation.
Burger King used its customer location data to offer a new promotion, the Whopper Detour, earlier this month. Up until this week, customers within 600-feet of a McDonald’s location could order and buy a Whopper sandwich for just one penny.
In a statement about the campaign, Burger King said it was geofencing McDonald’s locations across the country. Guests inside one of the aforementioned geofenced areas using the Burger King App on their device would unlock the limited time offer, according to the company. The app permissions users give Burger King in order to get this offer will exist past the promotional period, giving the chain more details about what other restaurants they visit, for instance.

Burger King declined to comment on this story.
It goes on about app “discrepancies” and the use of Google Play Store working in conjunction with many USA fast food outlets.

DerekP says:
19 December 2018

With a total of 7 posts (including this one) in two and a half years, this convo topic doesn’t seem to be a major concern for those on W?C.

In contrast, the convo about patchy phone reception has received over 1500 posts in a month.

I can’t help thinking that a lot of app users don’t know and/or don’t worry about the issues mentioned here.

Also, for a lot of young folk growing up with smart phones, I think they just take the capabilities, benefits and disbenefits of smart phone usage as fundamental facts of life.

In particular, I think a lot of them prefer to suffer the risks and consequences from things like cyberbullying rather than risking social exclusion by not having a phone and thus being off the net and out of touch with their besties.

It would be useful to have regularly updated information about which apps are best avoided because of security risks or users’ information being exploited. Which? press releases can generate a great deal of publicity and social media has the potential of going further.