A study conducted by two Spanish academics on more than 1,700 devices from 214 manufacturers has revealed the sophisticated tracking methods of the software preinstalled in this ecosystem.
A user buys a new Android phone. The brand does not matter. They open the box, press the power button, the phone connects to the Internet and, without their doing anything else, the most sophisticated machine for monitoring their routines has just started up.
It does not matter whether you download Facebook, activate your Google account or give every permission to some odd flashlight or antivirus app. Before you take any action, your new phone has already started sharing details of your life. The software preinstalled as standard is the phone's most perfect resource for learning about its future activity: where it is, what is downloaded, what messages it sends, what music files it contains.
"The preinstalled apps are the manifestation of another phenomenon: the agreements between actors (manufacturers, data merchants, operators, advertisers) to bring, in principle, added value but also for commercial purposes. The element of gravity is provided by the scale: we are talking about hundreds or thousands of millions of Android phones," says Juan Tapiador, professor at Carlos III University and one of the authors, with Narseo Vallina-Rodríguez, from IMDEA Networks and ICSI (University of Berkeley), of the research that reveals this underworld. Android phones represent over 80% of the global market.
The new study conducted by the two Spanish academics reveals the depth of the abyss. None of the findings is radically new in itself: we know that mobile phones play on the red line of permissions when it comes to collecting and sharing data. What is new about the role of preinstalled apps is its extent, its lack of transparency and its privileged position within the phone: the researchers analyzed 1,742 mobile phones from 214 manufacturers in 130 countries.
"Until now, research into the risks of mobile privacy was focused on the apps which are listed on Google Play or on examples of malware," said Vallina. Now they have analyzed what phones bring as standard, and it seems out of control. Given the complexity of the ecosystem, the privacy guarantees of the Android platform may be in question.
The article, which will be officially released on April 1 and to which EL PAÍS has had access, has already been accepted by one of the world's largest conferences on cybersecurity and confidentiality, the IEEE Symposium on Security and Privacy, in California.
Our personal information is sent to a vast network of destinations, which changes depending on the phone, and some of them are controversial: mobile phone servers, companies usually accused of spying on our lives (Facebook, Google) and a dark world that ranges from companies to start-ups, which collect everyone's personal information, package it with an identifier linked to our name and sell it to whoever pays well.
Nobody had previously descended into this abyss to investigate it. The researchers created the Firmware Scanner app, which collected the preinstalled software from the volunteer users who downloaded it. For the study they analyzed more than 1,700 devices, but they have more than 8,000. The open-source nature of the Android operating system allows any manufacturer to have its own version, as well as its own preinstalled apps. A phone may have more than 100 preinstalled apps and hundreds of libraries, which are third-party services included in its code, many of them specialized in user monitoring and advertising.
In total, an international panorama of hundreds of thousands of applications with common, dubious, unknown, dangerous or potentially criminal functions. This almost perfect definition of the term chaos has taken the researchers more than a year of exploration. The result is only a glimpse over the precipice of the massive surveillance carried out by our Android phones without the user being aware of it.
More than one manufacturer
An Android phone is not the product of its manufacturer alone. The assertion is surprising, but several companies are involved in the production chain: the chip comes from one brand, operating system updates may be outsourced, and phone operators or large companies that sell phones add their own software. The actors involved in making a phone go far beyond the name printed on the box. Who has final control over all the software placed there, with its privileged access to the user's data, is impossible to determine.
The result is an uncontrolled ecosystem in which no one today is able to take responsibility for what happens to our most intimate information. Google created the platform from free code, but now it belongs to everyone. And what belongs to everyone belongs to no one: "The Android world is very much a jungle, it's like the Far West, especially in countries where the protection of personal data is poorly regulated," said Tapiador.
"There is no kind of surveillance on what is imported and marketed in terms of software (and to a large extent hardware) in the European Union," says Vallina. The result? A chaos in which every version of our Android phones talks to its base from the first day, without interruption, to tell it what we are doing. The problem is not only what they tell about us, but also that the phone's owner does not control what is given permissions.
The walled garden of Google Play
Companies that collect user data, for example to create profiles for advertisers, already have access to user data through ordinary Google Play apps. What interest, then, does a data trader have in entering into agreements with manufacturers to become part of the preinstalled software?
Imagine that our data is in a multi-storey house. Google Play apps are windows that we open and close: sometimes we let the data out and sometimes we do not. It depends on each user's vigilance and the permissions they give. But what this user does not know is that Android phones come with the street door wide open. It does not matter what you do with the windows.
The preinstalled software is always there, accompanies us everywhere and reaches every corner of the phone, and it cannot be removed without rooting the device (breaking the protection provided by the system in order to do what you want), something that is not within reach of ordinary users.
The apps that users download from Google Play give them the opportunity to see the requested permissions: do you allow your new free game to access your microphone? Do you allow your new app to access your location for better productivity? If the permissions seem like too much, we can delete the app. Applications monitored by Google have their terms of service and must request explicit permission to perform actions.
The user, even if they are not paying attention or have no choice, is ultimately responsible for their decisions. They are giving someone permission to access their contacts. But the preinstalled apps are already there. They live beneath the apps indexed in the store, without clear permissions or, in many cases, with the same permissions as the operating system. That is, all of them. "Google Play is a walled garden with its cops, but 91% of the pre-installed apps we've seen are not on Google Play," said Tapiador. Outside Google Play, no one is watching in detail what ends up on a phone.
Two added problems
Preinstalled software comes with two further problems: one, it sits next to the operating system, which has access to all the functions of a phone; and two, these apps can be updated and can change.
The operating system is the brain of the phone. It always has access to everything. It does not depend on whether an app is running or whether the user can delete it. It will always be there and, in addition, it will be updated. Why are updates important? Here is an example: a manufacturer has given a company permission to put code on a phone that checks something harmless. But this code can be updated and, two months later, or when the company learns that the user lives in a certain country and works in a certain place, it can send an update to perform other tasks. Which ones? It does not matter: record conversations, take pictures, read messages…
Preinstalled apps are easy for their creator to update: if the country changes, or the intentions of whoever placed a tracking system there, new software arrives with new orders. The owner of the phone cannot stop it and no specific authorization is required: the operating system is simply updated.
"Some of these apps call home for instructions and send information about their location. This information is sometimes enormous: detailed reports with the phone's technical characteristics, unique identifiers, location, contacts in the directory, messages or emails. All this is collected by a server, which makes a decision as to the use of this phone. For example, depending on the country you are in, it may decide to install one app or another, or promote some ads or others. We discovered it by analyzing the code and behavior of the apps," said Tapiador.
The server that receives the information may belong to the manufacturer, a social network that sells advertising, an unknown data trader or an obscure IP address whose owner nobody knows.
One danger is that these obscure preinstalled apps use custom permissions to expose information to Play Store apps. Custom permissions are a tool that Android offers software developers so that apps can share data with each other. For example, if an operator or a banking service has several apps, they are allowed to talk to each other and share data. But sometimes it is hard to know what data some of this software shares.
On a new phone there is, for example, a preinstalled app that has access to the camera, contacts or microphone. This application was programmed by a guy named Wang Sánchez. It carries a certificate with his public key and his signature. Apparently it is legitimate, but no one checks that Wang Sánchez's certificate is real. This app is always on: it picks up the location, turns on the microphone and keeps the recordings. But it does not send them to a server, because Wang Sánchez's application does not have permission to send anything over the Internet. What it does is declare a custom permission that regulates access to this data: anyone who holds that permission will be able to obtain it.
One day, the owner of this phone goes to the Google Play Store and finds a magnificent sports app. What official permissions does it require? Only Internet access, which is perfectly common among apps. It also asks for the custom permission of Wang Sánchez's application. But the user does not notice, because these permissions are not shown to the user. So the first thing the new sports app will say to the preinstalled one is: "Oh, you live here? Give me access to the mic and the camera." It was apparently a risk-free app, but the complexity of the permission system means that such situations can occur.
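A defender-side audit of the situation described above, as an added example that is not code from the article or from the study: it reads the manifests of the apps on a device and flags custom permissions that one package declares without a signature-level restriction and a different package requests. It assumes the manifests have already been decoded to text XML; the package and permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes

# Constructed sample manifests; package and permission names are hypothetical.
PREINSTALLED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preinstalled">
  <permission android:name="com.example.preinstalled.READ_RECORDINGS"/>
  <permission android:name="com.example.preinstalled.INTERNAL"
      android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
STORE_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sports">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="com.example.preinstalled.READ_RECORDINGS"/>
  <uses-permission android:name="com.example.preinstalled.INTERNAL"/>
</manifest>"""

def parse_manifest(xml_text):
    """Return the package name, the permissions it declares and those it requests."""
    root = ET.fromstring(xml_text)
    declared = {p.get(A + "name"): (p.get(A + "protectionLevel") or "normal")
                for p in root.iter("permission")}  # a missing level defaults to "normal"
    requested = {u.get(A + "name") for u in root.iter("uses-permission")}
    return {"package": root.get("package"), "declared": declared, "requested": requested}

def find_cross_app_exposures(manifests):
    """Flag custom permissions that another package requests and that are
    granted without any check of the requester's signing certificate."""
    apps = [parse_manifest(m) for m in manifests]
    findings = []
    for owner in apps:
        for name, level in owner["declared"].items():
            base = level.split("|")[0]
            if base.startswith("signature"):
                continue  # only same-signer (or system) apps can hold this one
            for other in apps:
                if other["package"] != owner["package"] and name in other["requested"]:
                    findings.append({
                        "permission": name, "level": base,
                        "declared_by": owner["package"], "requested_by": other["package"],
                        "requester_has_internet":
                            "android.permission.INTERNET" in other["requested"]})
    return findings

if __name__ == "__main__":
    for finding in find_cross_app_exposures([PREINSTALLED, STORE_APP]):
        print(finding)
```

The `requester_has_internet` field marks the combination the scenario turns on: the declaring app has no network access itself, while the requesting app does.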
Governments and industry have known about this framework for years. US federal agencies ask for phones whose operating systems and preinstalled software are adapted to their needs. And the citizens? They are afraid. Their data is not as secret as a department's.
"Having regulatory control over all possible Android versions on the market is almost unmanageable; it would require a very long and expensive analysis," says Vallina. This chaos allows sophisticated surveillance machines to live in our pockets.