Android Apps: What are they doing with your precious Internet?

Increasing numbers of people use mobile devices to transmit personal information. Privacy consequently becomes an important issue. With the current Android permissions system, users may grant broad Internet access to an application, but are unable to see how exactly that access is used. We define a “well-behaved” application as one that: 1. only uses necessary resources, 2. contacts only necessary parties, 3. keeps personally identifiable information (PII) confidential. We installed the application Meddle [1] to track mobile traffic. The client sends traffic through aVPN through the Meddle server. Meddle then logs the packets for later analysis. A preliminarystudy following three users over 50 days showed that only 56% of users’ traffic used HTTPS, while40% is unencrypted HTTP. Additionally, we discovered that one user with 20 apps contactedmore than 100 different organizations. As a result, there are hundreds of points of access where anattacker could find unencrypted information.Doing an app-by-app analysis on 20 applications, we also discovered deviant, but not outright ma-licious behavior from certain applications. The WeatherBug app leaked unencrypted geolocationcoordinates, allowing an eavesdropper to pinpoint the user’s current location. Pinterest contactedan excessive number of CDNs (7), exposing data to an unnecessary number of parties. Generally,the applications considered in the study do not abuse their privileges, but may still affect users neg-atively. Indeed, of the applications considered in our study, only 35% were well-behaved accordingto our criteria defined above, indicating there is scope for further improvement. BODYThe majority of Android apps are not malicious, but use internet access inways that are not compatible with the user’s interests.REFERENCES[1] Meddle. http://meddle.cs.washington.edu. Volume 2 of Tiny Transactions on Computer ScienceThis content is released under the Creative Commons Attribution-NonCommercial ShareAlike License. Permission tomake digital or hard copies of all or part of this work is granted without fee provided that copies are not made ordistributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page.CC BY-NC-SA 3.0: http://creativecommons.org/licenses/by-nc-sa/3.0/.