Monday, May 18, 2020
Started off with an article for this and ended up covering another article, so here’s take two.
This week we cover a few topics. First, as people run more and more of their programs and apps on smartphones and tablets, we have to be even more vigilant about trackers that violate your privacy and quietly excavate and report your data. Most people are reasonably comfortable on a computer running Windows, macOS, or Linux/BSD/Unix, and there are well-known tools such as Wireshark to help analyze your network. According to AlternativeTo, a crowdsourced software-recommendation site, Wireshark captures and lets you interactively browse the traffic on your network; it decodes individual packets and supports deep inspection and analysis.
The idea of crowdsourcing is to get a whole lot of people (essentially the users of the Internet) to contribute data and opinions about a particular subject: outsourcing to a crowd, so to speak.
By popularity vote the site lists tcpdump, Intercepter-NG, CloudShark, Nethogs, Microsoft Network Monitor, Ettercap, Sysdig, SmartSniff, NetworkMiner, and HTTP Debugger among the top programs for packet and traffic analysis. It compiles votes, likes, comments, and reviews to rank programs by popularity, shows which operating systems each one supports, and flags programs that are considered dangerous, discontinued, or otherwise worth a warning. For example, Intercepter-NG carried a warning that it was blocked by some web browsers and removed from the Play Store.
These are all very interesting tools. Some are open source; some are limited to one operating system while others run on many.
While many people love the convenience of their phones, they unfortunately let their guard down far more on a phone than on a computer. Computer security practices are drilled into employees and workers, but we often overlook our phones. We forget about common threats like phishing because the phone is always at our side, always available, and a tap away from entertainment.
According to The Guardian, a few antivirus sites, and (if I remember correctly) US-CERT, apps are often less secure than their website counterparts. Sometimes the app itself has flaws, and sometimes the phone is missing upgrades and updates.
Jack Schofield's "Ask Jack" column in the Guardian, "Is it safer to use an app or browser for banking?" (Thu 22 Jun 2017, 05.55 EDT), weighs the pros and cons of using a banking app versus a PC browser. An app user can run into fake malicious apps and malware. A PC browser user can pick up trojans as well, and a PC gives software far more access and will run programs from anywhere, whereas apps are usually installed from a store that has scanned and approved them. The article also notes that using your carrier's data connection is usually safer than public Wi-Fi or Bluetooth connections.
Other problems can be:
- Insecure settings
- Compromised or hijacked devices
- Badly programmed apps that don't use secure (TLS/SSL) connections or check certificates
- Vulnerability to cross-site scripting and man-in-the-middle (MITM) attacks
- Sneaky permissions
A possible solution:
The article recommended a dedicated device used only for sensitive tasks like banking. On that device you install only the banking app and nothing else. It could also be a computer with a hardened browser on which all you do is check your bank or brokerage account and nothing else, with encryption enabled (end-to-end where the service offers it).
Nowadays everyone is watching you. Look, for instance, at this NPR article about employers tracking you not only at the office but now also while you work from home.
I even found a site that lists Facebook's social media as having privacy issues. I don't know how long the site will be up:
So we wanted to point out a few apps quickly and show you how you might check your privacy. We tested this on an Android phone and didn't get a chance to try it on an iPhone, so we don't know whether equivalent programs exist there. We are also not debating the security of Android versus iOS or of the respective hardware; you can look that up.
For this article you can use an app called Exodus Privacy to scan an app and look up the permissions it requests and the trackers it embeds. Permissions are the capabilities an app asks for when you install it. They can be overly aggressive from the start, creep up with successive updates, or simply be too numerous and include things the app has no obvious need for.
- Read the permissions in the app store listing and in the pop-up windows before installing the app.
- If you accidentally granted a permission, you can revoke it in Settings. Since Android 6.0 (Marshmallow) permissions are granted individually at runtime; on older versions it was "all or nothing" at install time.
- Other apps can check permissions for you, group them, or notify you about ones you missed.
Secondly, trackers live inside apps. These are analytics libraries and other code that talk to remote servers and "phone home" with data, statistics, and usage information. Usually they exist to profile your interests, such as what you might buy, what games you play, and other personal preferences. But that data can leak, and it is "aggregated" over time into a profile of you; recently this caused a stir when big social-media companies sold user data and/or allowed it to leak to third parties.
For this article we used Exodus Privacy and some other third-party apps to analyze various apps, and what we found was that some apps were safe and benign. Open-source (FOSS) apps tend to be safe, although some still had what appeared to be loggers of some kind. For example HashDroid, a program that calculates MD5 and SHA-1 hashes of files, did not appear to have any trackers or use any permissions. We checked this app's APK with Exodus and a separate FOSS analysis program. Exodus Privacy confirmed it, but said its report was based on an earlier signature of the program (a signature being a unique fingerprint of that particular build of the app).
The biggest offenders, however, were texting programs and dating apps, which carried a lot of trackers.
Here are some example readouts:
- 2ndLine (phone app) – 25 trackers, 64 permissions
- Badoo (dating app) – 15 trackers, 47 permissions
- Bumble (dating app) – 1 tracker, 38 permissions
- Coffee Meets Bagel (dating app) – 11 trackers, 24 permissions
- Dingtone (phone app) – 27 trackers, and a whopping 85 permission requests
- Discord (gamer chat) – 5 trackers, 19 permissions
- Dust (privacy messaging) – 4 trackers, 14 permissions
- Edge (browser) – 5 trackers, 43 permissions
- Firefox (browser) – 3 trackers, 21 permissions
- Gmail (email) – 1 tracker, 55 permissions
- Mail.com (email) – 10 trackers, 34 permissions
- OfficeSuite (Word & Presentation) – 10 trackers, 43 permissions
- OkCupid (dating) – 11 trackers, 14 permissions
- POF (dating) – 11 trackers, 19 permissions
- ProtonMail (email) – 0 trackers, 14 permissions
- Riot.im (chat)- 1 tracker, 41 permissions
- Shazam (songs) – 3 trackers, 17 permissions
- Signal (E2E messaging) – 0 trackers, 65 permissions
- Skout (social & dating) – 32 trackers, 21 permissions
- Skype (video call) – 5 trackers, 53 permissions
- Slack (work chat) – 4 trackers, 19 permissions
- Snapchat (disappearing messages) – 3 trackers, 43 permissions
- Speedtest (bandwidth) – 10 trackers, 12 permissions
- Tinder (dating app) – 11 trackers, 24 permissions. This app was incessant and adamant about location tracking.
- Twitter (messages & news) – 2 trackers, 43 permissions
- VLC (media player) – 0 trackers, 17 permissions
- Waze (navigation) – 3 trackers, 34 permissions
- Word (text editor) – 2 trackers, 27 permissions
- WinZip (compression) – 4 trackers, 19 permissions
Obviously you need to read the app's report in detail, since it explains what each permission does. For example the Word app, a text editor, requests WRITE_EXTERNAL_STORAGE; you would likely be fine with it modifying or writing files on external storage or an SD card.
But an app like Dingtone, which we found to have one of the highest permission counts, also seemed a bit intrusive: it requested over 80 permissions. It asked for android.permission.FLASHLIGHT, and also for READ_CALENDAR, which could read confidential information, and GET_ACCOUNTS, which lists the accounts registered on the device, including any created by other installed applications.
Badoo also had some interesting permissions such as REORDER_TASKS, BLUETOOTH, and USE_FINGERPRINT, which is curious for a dating app. I'm sure you could pair it with a Bluetooth headset or something, but any app with over 40 permissions made us do a double take.
While POF had quite a few ad trackers, including Facebook and Google Ads / Firebase / DoubleClick, its permissions didn't seem too far out of the ordinary; it was under 20 permissions.
Snapchat had the READ_PHONE_STATE permission, which according to Exodus falls in Google's "Dangerous" or "Special" protection-level category. Some of the other apps above had elevated permissions like this, marked with a red exclamation mark. This particular permission lets the app determine the phone number and device IDs, whether a call is active, and the remote number connected by a call. I certainly didn't need this entertainment app knowing my phone number, but I understood that it sometimes needs to know whether the phone is in the middle of a call.
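To make the two kinds of findings above concrete (tracker detection, as in the readouts, and permission triage, as in the READ_PHONE_STATE discussion), here is an added example in Python that mimics how an Exodus-style static scan works. It is not Exodus Privacy's code or any app's code. It assumes two inputs you can produce yourself from an APK: the permission list as `aapt dump permissions app.apk` prints it, and the class names in the app's dex (as `apkanalyzer dex packages` or `dexdump` would list them). The tracker signatures are an assumed subset modelled on the public εxodus list, the dangerous-permission set is a subset of Android's own runtime permissions, and the sample app `com.example.dating` with its permissions and classes is constructed for the demo.

```python
"""
Exodus-style static scan: trackers by class-name signature, permissions by
Android protection level. Added example over constructed input; not Exodus
Privacy's own code.
"""
import re
from typing import Dict, List, Tuple

# Tracker signatures modelled on the public εxodus list: each SDK is recognised
# by the package prefix of the classes it ships in the app's dex. Assumed subset.
TRACKER_SIGNATURES = [
    ("Google Firebase Analytics", re.compile(r"^com\.google\.firebase\.analytics\.")),
    ("Google AdMob", re.compile(r"^com\.google\.android\.gms\.ads\.")),
    ("Facebook Ads", re.compile(r"^com\.facebook\.ads\.")),
    ("Facebook Analytics", re.compile(r"^com\.facebook\.appevents\.")),
    ("ACRA", re.compile(r"^org\.acra\.")),
    ("Matomo", re.compile(r"^org\.matomo\.")),
]

# Permissions Android gives the "dangerous" protection level, i.e. the ones a
# user must grant at runtime on Android 6.0+ (subset of the platform's list).
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CALENDAR", "android.permission.WRITE_CALENDAR",
    "android.permission.CAMERA", "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS",
    "android.permission.GET_ACCOUNTS",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
    "android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG",
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.BODY_SENSORS",
}

# Constructed sample in the format `aapt dump permissions app.apk` prints.
SAMPLE_AAPT_OUTPUT = """\
package: com.example.dating
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.READ_PHONE_STATE'
uses-permission: name='android.permission.GET_ACCOUNTS'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.REORDER_TASKS'
uses-permission: name='android.permission.BLUETOOTH'
"""

# Constructed sample of class names from the same (fictional) app's dex.
SAMPLE_CLASS_NAMES = [
    "com.example.dating.MainActivity",
    "com.example.dating.net.ApiClient",
    "com.google.firebase.analytics.FirebaseAnalytics",
    "com.google.android.gms.ads.AdView",
    "com.google.android.gms.ads.InterstitialAd",
    "com.facebook.ads.AdSettings",
    "org.acra.ACRA",
    "okhttp3.OkHttpClient",  # ordinary HTTP library, matches no tracker signature
]


def parse_aapt_permissions(aapt_output: str) -> List[str]:
    """Return the distinct permission names declared in the manifest."""
    perms: List[str] = []
    for line in aapt_output.splitlines():
        m = re.match(r"\s*uses-permission(?:-sdk-23)?: name='([^']+)'", line)
        if m and m.group(1) not in perms:
            perms.append(m.group(1))
    return perms


def find_trackers(class_names: List[str]) -> Dict[str, List[str]]:
    """Map each detected tracker to the classes that triggered the match.
    A tracker counts once no matter how many of its classes are present."""
    hits: Dict[str, List[str]] = {}
    for cls in class_names:
        for tracker, pattern in TRACKER_SIGNATURES:
            if pattern.match(cls):
                hits.setdefault(tracker, []).append(cls)
    return hits


def classify_permissions(perms: List[str]) -> Tuple[List[str], List[str]]:
    """Split permissions into dangerous (runtime-granted) and everything else."""
    dangerous = sorted(p for p in perms if p in DANGEROUS_PERMISSIONS)
    other = sorted(p for p in perms if p not in DANGEROUS_PERMISSIONS)
    return dangerous, other


def scan(aapt_output: str, class_names: List[str]) -> Dict[str, object]:
    """Produce a readout like the 'N trackers, M permissions' lines above."""
    perms = parse_aapt_permissions(aapt_output)
    trackers = find_trackers(class_names)
    dangerous, other = classify_permissions(perms)
    return {
        "trackers": sorted(trackers),
        "tracker_count": len(trackers),
        "permission_count": len(perms),
        "dangerous": dangerous,
        "other": other,
    }


if __name__ == "__main__":
    result = scan(SAMPLE_AAPT_OUTPUT, SAMPLE_CLASS_NAMES)
    print(f"{result['tracker_count']} trackers, {result['permission_count']} permissions")
    for t in result["trackers"]:
        print("  tracker:", t)
    for p in result["dangerous"]:
        print("  DANGEROUS:", p)
```

Two things the readouts alone don't show: a tracker is counted once per SDK, not once per class, and the permission count mixes "normal" entries like FLASHLIGHT with runtime ones like READ_PHONE_STATE, so the dangerous list is what deserves the double take.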
We did some more research and found other apps in the FOSS (open-source) store F-Droid, which has its own repository ("repo" for short). Here's a short list of apps that didn't contain any trackers. Note that Exodus only scans apps that are in the official Google Play store, so for the other apps we had to use a different scanner, though we could cross-check against the Google Play information. (A scan of the Brave Browser app crashed our scanner almost every time when using the non-Google Play version of Exodus.)
Short list of no-tracker apps as of this writing:
Note: not all of the above are FOSS apps, although many are. Titanium Backup, for example, is not, and neither is ProtonMail; if others snuck in there, the point is simply that these apps carry no embedded ad trackers as of this writing, so you can be fairly confident your information won't be sent to an advertising company and end up leaked. However we highly recommend open-source, free or libre versions, as they are often comparable to their closed-source proprietary counterparts, and their code can be inspected for flaws, data leaks, and privacy concerns by anyone, including researchers.
During my research I was surprised to see that F-Droid itself had a "tracker", which turned out to be ACRA, a library for reporting bugs, errors, and crashes, and not an ad agency, according to its website and forum inquiries, although we did try to get more information.
Some other FOSS apps with minimal "trackers" were:
Briar, FairEmail, FlowCrypt, OpenKeychain.
Most of these had only one tracker, and in OpenKeychain's case it appeared to be a Matomo (analytics) hook.
We would of course prefer most apps not to have many trackers or permission requests.
We will do more research of course and work on possibly updating our list later.
In the meantime you can analyze your own apps. As always:
- Check your permissions periodically.
- Revoke unnecessary permissions.
- Uninstall apps you don't need or whose data-collection policy you don't agree with.
- Screen apps before installing them.
- Force-stop or freeze apps you aren't planning to use, or uninstall them entirely.
- Use a less permissive alternative.
- For sensitive transactions, consider the desktop version or your browser instead of the app.
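For the first, second and fifth items on that checklist, here is an added example (not from the original post) in Python that audits what an installed app has actually been granted and generates the `adb shell pm revoke` and `pm disable-user` commands to take permissions back or freeze the app. It assumes a phone with USB debugging enabled and that `adb shell dumpsys package <pkg>` prints a "runtime permissions:" block in the shape shown in the constructed sample, which is how Android 6.0+ reports it; the package `com.example.dating` and its permissions are made up for the demo.

```python
"""
Audit an installed Android app's granted runtime permissions and build the
adb commands to revoke the unwanted ones or freeze the app. Added example
over a constructed dumpsys excerpt; not from the original post.
"""
import re
from typing import Dict, List

# Constructed excerpt in the shape `adb shell dumpsys package <pkg>` prints on
# Android 6.0+. Only the "runtime permissions:" block is parsed; the "install
# permissions:" block lists normal permissions that cannot be revoked anyway.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.dating] (a1b2c3d):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.GET_ACCOUNTS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=123 installed=true hidden=false suspended=false stopped=false notLaunched=false enabled=0
      runtime permissions:
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET]
        android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET]
        android.permission.GET_ACCOUNTS: granted=false, flags=[ USER_SET|USER_FIXED]
"""

# One "<permission>: granted=<true|false>, ..." line inside the runtime block.
RUNTIME_LINE = re.compile(r"^\s*([\w.]+): granted=(true|false)")


def parse_runtime_permissions(dumpsys_text: str) -> Dict[str, bool]:
    """Return {permission: granted} for the 'runtime permissions:' block only."""
    in_runtime = False
    result: Dict[str, bool] = {}
    for line in dumpsys_text.splitlines():
        if line.strip() == "runtime permissions:":
            in_runtime = True
            continue
        if in_runtime:
            m = RUNTIME_LINE.match(line)
            if not m:
                # Any other line means the block (or the package entry) ended.
                in_runtime = False
                continue
            result[m.group(1)] = m.group(2) == "true"
    return result


def revoke_commands(package: str, granted: Dict[str, bool], allow: List[str]) -> List[str]:
    """adb commands revoking every granted runtime permission not on the allow list."""
    cmds: List[str] = []
    for perm, is_granted in sorted(granted.items()):
        if is_granted and perm not in allow:
            cmds.append(f"adb shell pm revoke {package} {perm}")
    return cmds


def freeze_command(package: str) -> str:
    """Disable the app for the primary user without uninstalling it (the 'freeze')."""
    return f"adb shell pm disable-user --user 0 {package}"


if __name__ == "__main__":
    granted = parse_runtime_permissions(SAMPLE_DUMPSYS)
    # Location is arguably justified for a dating app; phone state is not.
    keep = ["android.permission.ACCESS_FINE_LOCATION"]
    for cmd in revoke_commands("com.example.dating", granted, keep):
        print(cmd)
    print(freeze_command("com.example.dating"))
```

Run `adb shell dumpsys package com.example.dating > dump.txt` and feed the file to `parse_runtime_permissions` in place of the sample; `adb shell pm list packages -3` lists the third-party packages worth auditing. Revoking with `pm revoke` has the same effect as toggling the permission off in Settings, and the app will simply ask again the next time it needs it.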
Computing in this new era has changed everything for the faster, but not necessarily for the better. Too often we trade privacy for convenience, and we need not. Have fun and stay sharp.