NEW BRUNSWICK, NJ—The Wireless Information Network Laboratory (WINLAB) at Rutgers University developed an application for smartphones that can track which other applications are trying to access a user’s location data.
The Rutgers Privacy App was developed as a part of a March 2013 field study.
Two groups of smartphone users participated in the study. One group was given the Rutgers Privacy App and the other relied solely on the standard operating system. The study found that the people in the standard group were mostly unaware of accesses to their data.
“Smartphone users are increasingly using apps that can access their location. Often these accesses can be without users’ knowledge and consent,” reads the report.
According to WINLAB, Android and iPhone operating systems have different methods of disclosure. Android notifies users “by providing installation-time app capability disclosures” while iPhone provides “first-time usage requests.”
This means Android apps come along with a blanket permission request that most users don’t read, and the iPhone only asks users if they approve of the access the first time an application tries to obtain the data.
Pew Research Center found in April 2012 that more than a third (35%) of smartphone users disable location services on their cell phones for fear of being monitored, when in reality they may have already given applications permission to access their data.
Janne Lindqvist, a WINLAB researcher and assistant professor of electrical and computer engineering, said this practice may be irrelevant because some apps will just access the user’s location by identifying the nearest cell tower.
“There are a lot of apps that take your location…to show you location-based ads,” Lindqvist said.
“You get [the app for free] but then you are shown these ads and the app developer gets money from that.”
Lindqvist said the Android OS doesn’t allow applications to gather data on other apps activities, but by exploiting a loophole in the system that allows the Rutgers Privacy App to do exactly that.
“I discovered what is called a side channel,” he said. “It is a feature of the operating system that is designed for a different purpose, but it also gives us information for our purpose.”
The Rutgers Privacy App collects this information and notifies the user when one of their apps has accessed their location data, and compiles an archive of when the data was accessed.
“You cannot regulate [data access] with the Rutgers Privacy App,” Lindqvist said. “It will just tell you when it’s accessed and also the history of location access coming from the app.”
According to the report, “participants appreciated the transparency brought by our run-time disclosure method. They wanted to continue receiving the notifications after completing the study.”
Lindqvist said the Rutgers Privacy App was undergoing testing for public release still, but would soon be available to install for.
The app comes at a time when disclosures about intelligence agencies’ exploitation of so-called “leaky apps,” like the game Angry Birds, have added to the discourse over privacy expectations.
On January 28, The Guardian published documents turned over by former National Security Agency (NSA) contractor Edward Snowden detailing the operations carried out by the NSA and its British counterpart GCHQ.
“The data pouring onto communication networks from the new generation of iPhone and Android apps ranges from phone model and screen size to personal details such as age, gender and location,” The Guardian reported.
While the Rutgers Privacy App was developed in March 2013, prior to even the earliest leaked NSA documents, Lindqvist said these revelations highlight the importance of knowing where user data is going.
“I feel people need to think more about what they’re actually doing with user data and how it may expose them,” he said.
“We hope our work helps people become more aware of what is going on with their phones and make better decisions.”