Free Android apps are getting a bit promiscuous. That, at least, is the conclusion of a group of security researchers, who find that poorly vetted apps on Google Play are connecting to a massive number of ad and tracking sites—without users being any the wiser.
While Apple rigorously vets everything that appears in its app store, Google Play is much more open, only excluding apps that are obviously malicious. Many of us love the wild west app environment Google has cultivated, but a wider quality range can leave room for apps that play fast and loose with their users. That’s why security researchers at Eurecom in France have conducted a massive sweep of free apps, monitoring the sites they connect to unbeknownst to their users. MIT Tech Review describes their recent study:
Vigneri and co began by downloading over 2,000 free apps from all 25 categories on the Google Play store. They then launched each app on a Samsung Galaxy SIII running Android version 4.1.2 that was set up to channel all traffic through the team’s server. This recorded all the urls that each app attempted to contact.
Next they compared the urls against a list of known ad-related sites from a database called EasyList and a database of user tracking sites called EasyPrivacy, both compiled for the open source AdBlock Plus project. Finally, they counted the number of matches on each list for every app.
All in all, the 2,000 apps in question connected to a whopping 250,000 urls across almost 2,000 top-level domains. Most of these apps were minor offenders, only trying to connect to a handful of ad or tracking sites, but roughly ten percent of the apps studied connected to over 500 different urls. (Unsurprisingly, 9 out of the 10 most frequently contacted ad-related domains are run by Google.) Top offenders include “Music Volume EQ,” which connects to over 2,000 distinct urls, and Eurosport Player, which hooks up with 810 different user-tracking sites.
Thankfully, the researchers are also working on a solution: A new Android app, called “NoSuchApp” that monitors outgoing traffic from a user’s phone, revealing exactly which external sites your apps are attempting to contact. Keep an eye out for NoSuchApp in the Google Play store—this NSA, at least, promises it won’t spy on you. [MIT Tech Review]
Read the full study on arXiv.