Many smartphone apps don't cost anything to download and use. But don't be fooled: There's still a price. “Your privacy is what's paying for it,” says Brian Krupp. He's a computer engineer at Baldwin Wallace University in Berea, Ohio. Behind the scenes, he says, apps are “leaky.” They may deliberately collect more data than they need. Then they send those personal data to advertising companies — without a user's knowledge — generating money for the app’s maker.
Krupp wants people to know where their data go. He recently led the development of a new online tool that does just that. He and his students call it SPEProxy. It tells people when their apps are sending data, which can help spot misuse. It also offers ways to better protect personal data. It gives phone users control over where their data go, and which data are shared.
The computer code that directs how data are used often is buried deep in an app's software. The new tool developed by Krupp and his team acts like cyber “tweezers.” It can find that buried code, says Selcuk Uluagac. He did not work on the new tool but can appreciate its value. As a computer engineer at Florida International University, in Miami, he studies security for smart devices and other computer systems.
“We need such tools,” says Uluagac. Even though users click “I Agree” to let apps collect data, they have no way of knowing where those data go. They don't know if or when their data are being misused. Krupp's online tool can help raise a person's awareness of all that sharing and selling, he says.
Behind the screen
Smartphones store a lot of personal data. Those devices know our names, the names of our friends, our address — and where we are, right now. Some apps use those data to do their job. A weather app needs to know where a person is to report the local forecast, for example. But those same apps may often send such data on to advertisers as well. Those advertisers will pay well to know how people behave and live.
Krupp agrees that it is important for phone and tablet users to know where their data go. Once data leave a device, “you can't get it back,” he says. And that data theft may not be harmless. Those data may reveal when someone leaves home and when they get back. They can show how — and where — people spend their days. Social media sites often have access to a user's images and posts.
Researchers have begun building smartphone programs that track the misuse of such data. However, those tools require someone to “jailbreak” their phone. That means they have to take the phone apart and change the way its computer or software works. Most people don’t know how to do that. And many of the others would not be comfortable breaking into their phones. Why? Jailbreaking may void a phone’s warranty.
“We wanted to find a solution that doesn't require a jailbreak,” says Krupp. SPEProxy identifies the misuse of data using an approach that has already been used in medicine to diagnose illness. That medical software collected data from a patient's blood samples and from other measurements. Then it compared them to those typical of many possible illnesses to make a diagnosis.
Krupp's group has now built a new computer program that tracks how apps leak data. It allows users to see what data are leaked, and where they go. It also lets a user limit what type of data an app can access from the phone.
Krupp presented SPEProxy to other engineers and computer scientists at a meeting in October 2017. People in the audience immediately reached for their phones to check on their apps, he says.
Right now, people can only track data with the new tool by going to a website. That means it's limited. It’s also a bit awkward to use. People may not want to go to the trouble of getting online to track their data. Krupp and his team want to make using it easier. They're working on a version that people could install on their phones.
He's also planning to run a study this spring on how people might use the new tool. Participants will get to download and install it on their phones to learn which of their apps may be misusing their data. Krupp wants to know what happens next: “Will users act differently if they're informed?”
He hopes so. His goals, he explains, are to “provide awareness and protect information.” The new tool has already changed the way he uses his phone. Using the tool, Krupp has seen programs like Facebook and Twitter collect data about where he is, and when — even though that information didn't affect how he scrolled through his friends' feeds. As a result of what he's learned, he says, “I greatly limit my social media [use].”
app: Short for application, or a computer program designed for a specific task.
computer program: A set of instructions that a computer uses to perform some analysis or computation. The writing of these instructions is known as computer programming.
data: Facts and/or statistics collected together for analysis but not necessarily organized in a way that gives them meaning. For digital information (the type stored by computers), those data typically are numbers stored in a binary code, portrayed as strings of zeros and ones.
diagnose: To analyze clues or symptoms in the search for their cause. The conclusion usually results in a diagnosis — identification of the causal problem or disease.
engineer: A person who uses science to solve problems. As a verb, to engineer means to design a device, material or process that will solve some problem or unmet need.
media: (in the social sciences) A term for the ways information is delivered and shared within a society. It encompasses not only the traditional media — newspapers, magazines, radio and television — but also Internet- and smartphone-based outlets, such as blogs, Twitter, Facebook and more. The newer, digital media are sometimes referred to as social media. The singular form of this term is medium.
online: (n.) On the internet. (adj.) A term for what can be found or accessed on the internet.
server: A term for a computer — and especially the software on it — that provides services (hence, the name server) to other computers. A server computer program, for instance, stands ready to fulfill requests by its clients (which are other computer programs). For instance, a web server pulls up website pages or other files upon request. The web browser that you use on your computer to find things on the internet is one type of client. It calls up files from a web server.
smartphone: A cell (or mobile) phone that can perform a host of functions, including search for information on the internet.
social media: Internet-based media, such as Facebook, Twitter and Tumblr, that allow people to connect with each other (often anonymously) and to share information.
software: The mathematical instructions that direct a computer’s hardware, including its processor, to perform certain operations.
Meeting: B. Krupp et al. SPEProxy: Enforcing Fine Grained Security and Privacy Controls on Unmodified Mobile Devices. IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON), October 20, 2017. Columbia University, New York, N.Y.