Battery power alone can be used to track Android phones (bbc.co.uk)
147 points by joosters on Feb 23, 2015 | 74 comments



The article mentions that the required permissions are "very common permissions", and then in the next paragraph says that 179 apps on the Google Play store require those permissions. As of July 2014, there were 1.3 million apps in the app store [1]. That's ~0.014% of the apps on the store. Not exactly "very common" in my mind. Although the remark that they are "unlikely to raise suspicion" is valid, especially for the typical consumer, who probably isn't reading the permissions anyway.

[1] - http://en.wikipedia.org/wiki/Google_Play#Android_application...


I am very surprised there is still no mass outrage over Android permissions.

1. They are not properly named or explained. And no, this shouldn't be on some obscure website. This should be right there, in the menu that asks for them.

2. There is no way to filter apps in the play store by permissions. This isn't just a privacy thing. Apps that require the least permissions are often least bloated and the most skillfully written.

It's obvious that both of these things are deliberate, it's obvious that this is an issue, and no one cares.


Also, there's no way to download an app but deny it some permissions. iOS gets this right: apps don't get to ask for any permissions when you download them, they have to request them at runtime and the user can deny any of them (and the app is still expected to function)


The basic problem is likely that google is in the data gathering business. This to provide ever more targeted ads. Thus they can't have someone block all data going in or out of the device.


Possibly tiers of permissions then? I know apps I've written will not work without a network connection: they're useless without it so to put that as a "required" feature is necessary. However, I do like ease-of-use features like telling the person they don't have their wifi network enabled or something which requires a different permission but totally optional.

Lots of apps want access to folders of pictures and accounts which I assume to be for "sharing" and "social" features I never use. I'd love to disable those manually but currently don't have an avenue to do so.

Of course apps could still set everything to "required" but at least the option for consumer choice is there.


If you have root you can install XPrivacy, which allows you to deny (or provide fake data) for any app/permission combination.

You have to jump through some hoops to install it because obviously Google doesn't like to encourage this kind of control over your phone, but it's there and I can't imagine using an android phone without it.


This was briefly added in Android 4.something, but Google removed it.


It was a test tool and supposed to be hidden: you had to enter its Intent directly in order to launch it (if I remember well, they had also forgotten to hide it as a menu choice when creating a widget shortcut to the settings in one android subversion). Even if they repackaged it as a proper app (it really showed that AppOps was a test tool, the interface was pretty primitive), I don't see the point. Permission revocation is not that useful against an app like Facebook that will use its permissions to access your private data as soon as it is installed. What we need here is granular permission granting. Apps start with only inoffensive permissions (bluetooth access? internet? I guess some reflection on what these base permissions should be would be needed) and only gain access to your private data (mail, contacts, calendar, ...) if they ask for it and you grant it to them. That way, apps can only collect your data if you let them.


Appops. Supposedly there as a test system for apps. I guess to see if they would crash in case of malformed data from sensors etc.

Some OEMs, like Huawei, offer similar functionality on their products.


It is possible to "activate" this functionality on some phones as well. I have it enabled on my Samsung Galaxy S4, which is rooted, but otherwise is running the stock ROM (though not by choice).


>They are not properly named or explained. And no, this shouldn't be on some obscure website.

Or worse, the developer might argue that he needs location via GPS for things like regional settings and time sensitive settings, but will also use them to sample your location to a T every time you move to sell for advertisers. The permission system doesn't show me the difference. There was a report on those free flashlight apps on android. Turns out they were sampling your position thousands of times a day and selling it to advertisers. Not only is that horrific from a privacy perspective, but imagine how much that affects battery life. This is done completely behind the scenes. There's no iOS-like "Do you want this app to use your location." It just does it - usually as a service in the background.

I have no idea what google is thinking nowadays. Android is pretty much a hand out to the advertising industry. I think this N5 is my last android phone. iOS is the only thing that remotely seems to respect my privacy. Perhaps Windows Phone is good enough now too.

>It's obvious that both of these things are deliberate, it's obvious that this is an issue, and no one cares.

The typical FOSS coterie always reminding us that Apple and MS are the devil has performed a disservice here. Android seems to be the most hazardous OS out there and its owner is very much wed to the advertising industry and has major disincentives to take these complaints seriously.


> I have no idea what google is thinking nowadays.

Google's thinking hasn't changed. They've always wanted to vacuum up everything they could about you and your behavior.

> I think this N5 is my last android phone.

I don't trust Google either. But what about the 99% of smartphone consumers who just want a cheap phone and don't concern themselves about these things?

Google doesn't care about what you, part of the 1% on this issue, think. To update something that Lily Tomlin did many decades ago:

   We don't care.
   We don't have to.
   We're Google.


> The typical FOSS coterie always reminding us that Apple and MS are the devil has performed a disservice here

I agree, but I would also say that subculture has the least support for Google of any of them. I'm sure there are plenty of people out of touch enough to still rant about MS but the actual discussions are mostly about Google (Apple is an unstoppable opportunistic juggernaut, Google is an ideological enemy).


While I fully agree with your reasons for why there SHOULD be outrage, I think the reason for why there is still NOT mass outrage is pretty obvious.

In short: Consumers don't know and don't care.

If they get an app they just click through whatever screens are needed until they can install it. Odds are they don't know what the concept of "permissions" means, or why they should care. Nothing in their phone tells them they should care. It is only fairly recently that some mainstream publications have written about this overreaching and even then the reach is limited. Then you have Google itself that realized it would need to increasingly ask for new permissions in the future, so it basically just asked for EVERYTHING for their apps, so that future updates wouldn't flag anything.

So in short, there absolutely should be mass outrage and more granular, user-controlled permissions on Android. Will that happen? Unlikely.


Consumers have been trained to click on any 'yes' box for decades. From 'do you really wish to exit?' to 'accept this licence', people have been trained to just click on the yes button.

Furthermore, it does not seem trivial to me to add a granular permission system to Android. Beyond the permission system itself, retro-compatibility and implementation by third party apps seems really problematic to me (not impossible, just a lot of work).

I just hope that it does not stay in 'low-priority vs high difficulty' hell forever.


i fully agree to both of you.

as a former apple user and now really happy android user this topic is such an utter mess.

in a group of techs and lawyers we recently discussed the right of one's data. i agree that data protection should allow people and companies to agree on whatever they want, but it should also be possible to revoke rights at any stage and this is not showing in the system especially of google's android but also other systems

it is a very bad sign that in our society people have higher awareness that somebody might send them a paper with some advertising (address) than that some applications will send all the data out of their contact list plus their movement profile

pretty weird


The typical consumer would probably just give the app access to the GPS. The hard part is getting them to download it.

Interesting research but not the most practical attack.


That's the problem with android. The 'typical user' has no control over individual app permission - it's literally all or none. If you install the app you give it access to the GPS, as long as it has specified that permission.


Rooted Cyanogenmod actually has privacy settings which enable you to restrict some permissions on a per-app basis. For example I don't allow Facebook Messenger access to GPS and Android asks me before Messenger gets camera access.


> Rooted Cyanogenmod actually has privacy settings which enable you to restrict some permissions on a per-app basis

Why only "some"; why not all?


I honestly don't understand why this is a problem. Isn't it enough that the app says it requires my location when I install it? If you don't like the required permissions no one is forcing you to install it.


Popular apps can essentially request any permission and you'll still download it — are you really going to forgo having Facebook on your phone because it asks for a couple of slightly-objectionable permissions?

On iOS, the average user has a chance to download that mainstream app and deny it access to their contacts.


> are you really going to forgo having Facebook on your phone because it asks for a couple of slightly-objectionable permissions?

That sounds like you meant it as a rhetorical question, but "yes" is a reasonable answer.


I've no idea why you have been downvoted. I also do not have apps on my phone which ask for permissions I do not like.


It sounds to me like the question was supposed to read

> are [most people] really going to forgo having Facebook [...]

There will certainly always be people who do pay attention to permissions for privacy or security reasons, but they seem* vastly outnumbered by the people who don't.

* Just an intuitive sense, I have not looked for data to back this up.


The point is valid, but it still doesn't address the 'general population' problem - how do you get the users to care about their security/privacy? Giving fine-grain control over permissions is a fantastic idea.. but then you realize that the 'general population' that you made this for will never touch those settings, so it's no different than telling users what permissions an application will take.

Also, the development cost of 'does this feature exist?' for each permission is pretty high.


I did, I use a third-party facebook client. It's cumbersome :(


Yes, I did forgo the Facebook app. For a host of reasons though, permissions being only one of them.

Then Facebook Lite came out, and it was what I wanted all along.


Google badly obfuscated permissions in a recent Play store update.

Where before it listed each permission, and required a manual approval if any was added in an app update, it now only lists categories.

And it will only require manual approval if a new category is added.

And the categories are wide enough that someone can add an innocuous permission initially, and then push an update some time later that gives them virtually free rein of the user data.


Presumably this is an attack that would be targeted at an atypical user - someone security conscious enough to not give GPS permission to apps they install, and who would have switched off location services that would use wifi instead. In those circumstances you might assume that any tracking would be beyond the capabilities of anyone who didn't have direct access to the phone network. This proof of concept demonstrates that would be an incorrect assumption.


I can see a popup message of 'we tune our app based on your current power levels' or similar being quite persuasive in this regard too.


This is really selling a quite interesting intellectual effort on meaningless paranoia. Who would have any interest in tracking people in this manner?

Any government based group can grab the data much more conveniently via the phone towers. Anyone else? Well you've got to trick someone into downloading this thing, so it's probably not that good for targeting a specific individual.

If you can think up some nefarious scheme which involves grabbing lots of peoples locations, just get permissions to use GPS or cell location, way more apps have that privilege. I'm not sure what you do with it afterwards though.

New research reveals people can be tracked just by watching where they go...


Don't mobile devices store their battery usage over time (and also the per-app breakdown of energy usage)? I don't know what precision the stored data is in, but if it's precise enough, you could reconstruct past movements using it. E.g. when you arrive into a country, the border control could "track" your steps back for a day or so.


Meaningless paranoia? If you already have a popular app, recording this data would be fairly simple.

And if this approach is practical then you've got personalized location data easily linked to identity. That's worth a lot of money to data brokers and their customers. Adding location information and especially long term movement patterns bumps up the price you can charge for a user profile. Selling everything you can get your hands on about your users to data brokers is a way to monetize a user base.

Obviously getting location permissions is way easier, but it's good to know that apps without those permissions could still be selling your location data.


Not sure if the "Who would have any interest in tracking people in this manner?" is really relevant. Based on the collect all, hoover all metadata etc that seems to be going on, _anything_ remotely possibly useful seems to be interesting.

And the big thing is that this data can of course (and will be) correlated with things like cell tower location, wifi hotspots all kinds of other metadata.


Makes one wonder what STASI could come up with had it still been operating...


Given how bad NSA and GCHQ (the presumed good guys) have been, STASI would have truly been frightening. They probably would have terrified Sauron.


Technology is not exactly known to be stagnant. What is not practical now could be in just a few years.

For high value targets, all bets are off anyway. Some nation states have virtually unlimited resources they can call on.


Yeah, exactly. This is just a back door to phone tower triangulation, something every nation state has access to and uses regularly and publicly as part of normal criminal investigations.


But phone tower triangulation is only readily available to nation states on their own soil. For tracking foreigners tracking signal strength might be a useful alternative.


Confirmation or double checking that the user isn't spoofing GPS?

Though it seems the results would be useless if a Stingray were in the vicinity, and I thought the assumption was that Stingrays were everywhere.


I am sure that advertisers would like the data if unavailable via other means, redundancy is being offered by this technique.



This snippet (from the PDF) reveals the effectiveness of the technique:

"To evaluate the first algorithm for distinguishing routes we recorded reference profiles for several different routes. We used a dataset of 43 profiles for 4 different routes about 19 kilometers each. Driving in different directions along the same roads (from point A to B vs. from point B to A) is considered two different routes. We perform a leave-one-out cross validation, each time using one of the profiles for testing. Figure 5 is a confusion matrix, which shows a high success rate in classifying the routes. The achieved successful classification rate in this case was 93%."

So, given a bunch of known routes (like a stretch of highway), this algorithm is able to match your phone's battery-usage signature to one of those routes, sort of like how a service like SoundHound is able to identify a piece of music based off of a few seconds' recording.


But that's if the battery discharges exactly the same. I think that is not the case; for example, the battery when it is at 50% might discharge (doing the exact same thing) differently than when it is at 20%. Maybe the battery is not well calibrated or the internal parts of the battery are more wasted than others.


Additionally batteries degrade over their lifetime and will lose charge faster, also different phones have different wireless radios and different antenna configurations which would mean some phones would use more or less battery for the same operations.


I would guess that even if the curve is different from say 50% to 40% than 20% to 10% for the same journey it would be easy enough to normalise the data after profiling a couple of phones.


Plus continuous change, but not even, would not be that easy.


Well since they have access to the battery info, they prolly take that into account.


This is a 'tour de force' study for sure, but has a very limited scope (and reliability). First, it only works if the attacker knows both the route(s) ahead of time and the power consumption profile of the routes, which requires careful mapping of the region with a recording device. Second, its accuracy degrades drastically depending on the number of apps running -- they only tested with background apps, which already rendered the method only slightly better than a random guess; with an arbitrary app running in the foreground the power consumption goes bananas and so does their method.

Storm in a glass of water, if you ask me.. (But you wouldn't know this by reading that abstract alone ;))

-@r2r


Maybe I am a bit dense here, but how does battery drain map to a location? What would they be cross referencing to gather location?

All I can gather is that they would also need to know what tower you were talking to, and then based on the drain they could probably guess where you were based on some heuristic. Meaning, if you are talking to tower x, and the battery drain is high, you could guess that you are either far from the tower or indoors somewhere. It still seems to me that this is dubious at best. I get that technology is always changing, but wouldn't it just be easier to exploit a security hole?


As you move, your distance to the closest cell tower changes. You also move past signal obstacles, so the change in signal strength isn't linear. They claim that these changes are characteristic enough that you can track movement that way.


I get that part and to some degree understand. Maybe I am misinterpreting the "track your location" as something more accurate than "this person is in a 10 mile radius of this tower". For instance, wouldn't you need to know details of how different buildings are constructed? If you are in a busy downtown area, tracking with this method seems impossible. I could see if it was a remote area with few buildings to sift through.


Yes, it's not as trivial as just grabbing the data and running a generic algorithm. Ideally you would want to measure all routes where you want to track people. Kind of like how google knows where every wifi access point is and uses that for location information.

Also, you need people to move. Because you only have power data, you only know the approximate signal strength if the person isn't moving.


That makes more sense. So to me, the headline reads as "Location can be tracked just by measuring battery usage" when in reality it's "Location can be tracked if: A) they know the tower you are speaking to B) they have information on how buildings are constructed in this area C) You move around D) they have some other crowdsourced info about how much power is required to talk to the tower you are connected to."

I can see this "technique" being used in an episode of NCIS, CSI or similar cop show. <plot> We need to find this guy, but all we have is his cell number.

Police tech #1 "Sure no problem, I will just connect to his phone and measure the battery drain..... Got him, he is Downtown at 5th and Main - let's go arrest him!!!" </plot>


The article links the article where the authors suggest they don't need to know which tower you're connected to (in which case you could get a more accurate location from the towers themselves). They assume the only information you have from the phone is the power usage. However, they also assume the attackers have a general idea of your habits, and can therefore map out cell reception in the city where you live.

The "general habits" assumption seems implausible, but it isn't. Let's say you want to track all the citizens of the Bay Area. You know that, in general, ppl from the Bay area are in the Bay Area. Therefore, you map the cell reception in Bay area. You also take note of major transportation routes and patterns. Now, if you want to track a particular target, all you'll need is their power usage.


> For instance, wouldn't you need to know details of how different buildings are constructed?

They learned the typical profiles of power use for different journeys and then tried to distinguish between them (at least in one experiment).

http://arxiv.org/pdf/1502.03182v1.pdf


I don't know the specifics, but if I were to implement this I would start by constructing a signal map of an area, then comparing the signature of changes to potential routes.

By having a sufficiently accurate map, you could determine the likelihood of a route by the changes in signal. Even without pre-mapping there are some estimations that could be made: a signal that follows a clean sinusoidal curve with a certain rate of change could likely be modeled by rural highway driving.


So what makes this specific to Android phones? Developers can't (get permission to) access this information on other platforms?



No it's not. That does not expose voltage and current.

The research paper says they're doing this ...

  ... by repeatedly reading the following two files:
  /sys/class/power_supply/battery/voltage_now
  /sys/class/power_supply/battery/current_now
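
The two sysfs nodes quoted in the comment above can be audited from the defender's side. This is an added example, not part of the thread or the paper: a shell check that reports whether `voltage_now` and `current_now` are readable by unprivileged users. It looks only at Unix mode bits (SELinux policy is not evaluated), and the function names `audit_power_supply` and `count_exposed` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread or the paper): report which battery
# telemetry nodes any unprivileged process could read.

# Node names as quoted in the comment above.
NODES="voltage_now current_now"

# other_can_read FILE: succeeds when the "other" read bit is set.
# Mode bits are inspected instead of using `[ -r ]`, because an audit
# usually runs as root or shell, for whom `[ -r ]` is always true.
other_can_read() {
    # `ls -ldnL` prints e.g. "-r--r--r-- 1 0 0 ..."; character 8 is the
    # "other" read bit. -L follows symlinks (sysfs class dirs are links).
    [ "$(ls -ldnL "$1" 2>/dev/null | cut -c8)" = "r" ]
}

# audit_power_supply [ROOT]: prints one line per node found, either
# "EXPOSED <path>" or "restricted <path>".
# ROOT defaults to the real sysfs location; pass another directory to test.
audit_power_supply() {
    root=${1:-/sys/class/power_supply}
    for supply in "$root"/*; do
        [ -d "$supply" ] || continue
        for node in $NODES; do
            f="$supply/$node"
            [ -e "$f" ] || continue
            if other_can_read "$f"; then
                echo "EXPOSED $f"
            else
                echo "restricted $f"
            fi
        done
    done
}

# count_exposed [ROOT]: prints the number of world-readable nodes.
count_exposed() {
    # grep -c exits non-zero on a count of 0, so neutralise its status.
    audit_power_supply "$1" | grep -c '^EXPOSED ' || true
}

# Audit the live system when run directly (prints nothing if the
# directory does not exist on this host).
audit_power_supply "${1:-}"
```

An `EXPOSED` line means the node's file mode grants read access to every UID; whether a sandboxed app can actually open it also depends on the platform's mandatory access control policy.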


Not at a simplistic level, no, but voltage you could derive from the discharge curve of a characterized battery (since we know fraction of charge remaining), and current could probably be approximated by looking at the rate of discharge.


I think it's their research that makes it Android specific, as in, they only researched Android.


What a sensationalist headline... The results of the study can only be achieved under a very controlled environment and even then they're not accurate. From a practical point of view this is irrelevant when there are other ways of getting a user location that are far more accurate and easy. But from an academic point of view I can see the interest.


Seriously? Have you not heard of side channel and timing attacks? This is called information leakage and is a big deal. Because it is not common/easy now doesn't mean it won't be in the future. The nature of information disclosure (whether data or metadata) is that people find "impractical" methods of accessing information we might prefer they not have, then make them practical. It may also be the case that the researchers cannot make it practical, but that doesn't mean there aren't actors who can and possibly have already done this.

This is a very useful article OP, thank you for posting



The p-value of 0.56 is a joke right?


It's not a p-value, it's Spearman's rho, or rank correlation coefficient. It's a value in [-1,1] and when deviating from zero indicates a statistically dependent relationship: http://en.wikipedia.org/wiki/Spearman%27s_rank_correlation_c...


I read it as rho.

(Isn't scientific notation fun like that)


Isn't the assumption that "the noise of playing music, social media, etc" is not correlated with the phone's location, pretty weak? I know I have distinct patterns of when I scroll up twitter or listen to music, which depend on where I am..


I'm thinking about when Whistler decodes the kidnapper's route in Sneakers.


The first thing that popped into my head to get around this technique - and in one fell swoop would defeat all others - was : "Switch the phone off and remove the battery".

Of course, as soon as you turn the phone back on again, your adversary can pinpoint your location.

I guess the best overall solution would be to eschew having a phone at all.


Just ask the user for their location right away. Most don't care anyway.


I think this has the potential to be as good as the location of MH370 by satellite data

Basically, locate the user over a wide range of possible locations.

I wouldn't lose my sleep over this, really



