How to stop phone apps from spying on you

New tool helps spot apps that collect data they don't need but can sell to advertisers

People are willing to download plenty of phone apps, especially free ones, without thinking about whether they might pose any risk to their privacy. A new study finds that’s dangerous, but it also has a way to search for signs an app threatens your privacy.

Highwaystarz-Photography/iStockphoto

Many smartphone apps don’t cost anything to download and use. But don’t be fooled: There’s still a price. “Your privacy is what’s paying for it,” says Brian Krupp. He’s a computer engineer at Baldwin Wallace University in Berea, Ohio. Behind the scenes, he says, apps are “leaky.” They may deliberately collect more data than they need. Then they send those personal data to advertising companies — without a user’s knowledge — generating money for the app’s maker.

Krupp wants people to know where their data go. He recently led the development of a new online tool that does just that. He and his students call it SPEProxy. It tells people when their apps are sending data, which can help spot misuse. It also offers ways to better protect personal data. It gives phone users control over where their data go, and which data are shared.

The computer code that directs how data are used often is buried deep in an app’s software. The new tool developed by Krupp and his team acts like cyber “tweezers.” It can find that buried code, says Selcuk Uluagac. He did not work on the new tool but can appreciate its value. As a computer engineer at Florida International University, in Miami, he studies security for smart devices and other computer systems.

“We need such tools,” says Uluagac. Even though users click “I Agree” to let apps collect data, they have no way of knowing where those data go. They don’t know if or when their data are being misused. Krupp’s online tool can help raise a person’s awareness of all that sharing and selling, he says.

Behind the screen

Smartphones store a lot of personal data. Those devices know our names, the names of our friends, our address — and where we are, right now. Some apps use those data to do their job. A weather app needs to know where a person is to report the local forecast, for example. But those same apps may often send such data on to advertisers as well. Those advertisers will pay well to know how people behave and live.

Krupp agrees that it is important for phone and tablet users to know where their data go. Once data leave a device, “you can’t get it back,” he says. And that data theft may not be harmless. Those data may reveal when someone leaves home and when they get back. They can show how — and where — people spend their days. Social media sites often have access to a user’s images and posts.

Researchers have begun building smartphone programs that track the misuse of such data. However, those tools require someone to “jailbreak” their phone. That means they have to take the phone apart and change the way its computer or software works. Most people don’t know how to do that. And many of the others would not be comfortable breaking into their phones. Why? Jailbreaking may void a phone’s warranty.

“We wanted to find a solution that doesn’t require a jailbreak,” says Krupp. SPEProxy identifies the misuse of data using an approach that has already been used in medicine to diagnose illness. That medical software collected data from a patient’s blood samples and from other measurements. Then it compared them to those typical of many possible illnesses to make a diagnosis.

Krupp’s group has now built a new computer program that tracks how apps leak data. It allows users to see what data are leaked, and where they go. It also lets a user limit what type of data an app can access from the phone.

Krupp presented SPEProxy to other engineers and computer scientists at a meeting in October 2017. People in the audience immediately reached for their phones to check on their apps, he says.

Right now, people can only track data with the new tool by going to a website. That means it’s limited. It’s also a bit awkward to use. People may not want to go to the trouble of getting online to track their data. Krupp and his team want to make using it easier. They’re working on a version that people could install on their phones.

He’s also planning to run a study this spring on how people might use the new tool. Participants will get to download and install it on their phones to learn which of their apps may be misusing their data. Krupp wants to know what happens next: “Will users act differently if they’re informed?”

He hopes so. His goals, he explains, are to “provide awareness and protect information.” The new tool has already changed the way he uses his phone. Using the tool, Krupp has seen programs like Facebook and Twitter collect data about where he is, and when — even though that information didn’t affect how he scrolled through his friends’ feeds.  As a result of what he’s learned, he says, “I greatly limit my social media [use].” 

Stephen Ornes lives in Nashville, Tenn., and his family has two rabbits, six chickens and a cat. He has written for Science News for Students since 2008 on topics including lightning, feral pigs, big bubbles and space junk.

More Stories from Science News for Students on Computing