The report by MIT looked at the data transferred to and from the 500 most popular Android apps. It found that the majority make “covert” communications with servers but the majority of these transfers “make little or no difference” to the functionality of the app.
Around half of the data is information used for analytics and tracking. This goes to recognised ad servers, which the developer may use to make revenue and to monitor how people use their app. More interestingly, the other half of the data “cannot be attributed” to simple analytics and instead goes to servers that have no connection with the app’s purpose.
An example of this hidden data flow can be observed in Walmart’s app. Whenever a barcode is scanned, the app talks to eBay, even though it doesn’t appear to do anything with this data, and the app continues to function when the connection is broken.
The MIT team, led by Julia Rubin of MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL), modified 47 of the top 100 Android apps, severing the communication channels they had identified as being used for covert transfers. The repackaged apps were then tested to compare the behaviour of the original app, with its outside data connections intact, against the isolated modified version.
30 of the 47 applications showed no discernible difference at all. They continued functioning as normal with all of their covert communication channels disabled. A further three apps experienced “minor” differences but kept functioning: for example, a flashlight app that offers paid functionality upgrades was missing one icon when its covert communications were disabled.
Five of the apps completely stopped working, suggesting they relied on the covert communications to operate. One of the five had protections in place designed to prevent reselling of its software, and these were triggered by the modification of the code; it is unclear why the other four stopped working. The team is now calling for app developers to tell their users which servers their products communicate with and why.
Rubin said: “There might be a very good reason for this covert communication. We are not trying to say that it has to be eliminated. We’re just saying the user needs to be informed.”
The researchers singled out the hit casual gaming title Candy Crush Saga for praise. In the past, the app has been criticised for questionable privacy policies, but MIT found it engages in no covert communications at all, making it one of very few Android apps in the top 100 to be a “model citizen.”
The team analysed the communication channels of the apps in the study by mapping out the ways in which data could flow through them during execution. They were able to work out when a given command would result in a control signal to a hardware component, and used this to ascertain when an app was connecting to the outside world.
The study concludes that the covert communication isn’t necessarily a security risk, but it is something developers need to be more transparent about. It warns that most of the activity is likely nothing to worry about, but notes that every additional open communication channel gives attackers another potential access point to a device.
