The Smartphone Privacy Fallacy

When performing quarterly assessments of Android AVs and doing the necessary research to keep ourselves up-to-date, we keep an eye on the trends in mobile application security. Personal privacy, ad personalisation based on user tracking and profiling particularly have gained a lot of momentum in recent years.

Data is power

User privacy and the importance of conscious decisions about personal data have never been more relevant. Since Edward Snowden’s famous posts on WikiLeaks about how US government agencies (mis)conducted mass internet-based surveillance on a daily basis, the subsequent Cambridge Analytica scandal with its effects on the 2016 US presidential elections, and the highly targeted pro-Brexit campaigns on social media, an undeniable trend has emerged.

Data is power.

Aggregated mobile device usage statistics provide a deep insight into a person’s lifestyle, motivations, backgrounds, interests, and fears. This information allows advertisers and organisations to achieve many things, from ad clicks to votes.

In fact, data is power for anyone, as the collected data is usually for sale to anyone that wants to buy it. Data aggregation is a multi-billion dollar ecosystem with many branches into many industries.

Understandably, data aggregators defend their practices by applying data anonymisation and other aggregation techniques that are supposed to prevent the deduction of the personal data of any particular person in the bulk.

However, there are reports of anonymisation techniques failing and, once the image of the “evil greedy data aggregator” has taken hold and a user mistrusts aggregators, it is hard to believe their claims of conducting business in an ethical and privacy-aware fashion. For many, it seems wiser to stay away from data collection as much as possible.

As a logical consequence, more and more users try to shy away from using “privacy-invasive” services such as Facebook, Twitter and Instagram to name a few. Many go to the lengths of closing their accounts altogether.

However, contrary to what one might expect, using a “Facebook app-less” Android phone does not stop Facebook from collecting data. According to a recent excellent talk at CCC, any app that uses the Facebook SDK, either for ad delivery or just as a straightforward app telemetry solution, will provide a lot of data to Facebook (and consequently, to any data aggregator down the line). This can be used to track the user, regardless of whether or not they have a Facebook account.

To further complicate matters for the privacy-aware, it is impossible to detect the presence of Facebook Analytics (or any other analytics library, for that matter) without actually reverse-engineering the app installer, which is clearly beyond the technical capabilities of an everyday user.

In our experience, app EULAs and privacy statements do not help either. At the end of the day, a non-tech savvy user has little chance to maintain their privacy and not have their data aggregated when using a smartphone.
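As an added, defender-side illustration of the check described above (this is example code, not from the original post): a small Python script that looks for the class-descriptor prefixes of well-known analytics SDKs inside an APK's DEX files. The marker shortlist and the constructed sample APK are assumptions made for the example.

```python
import io
import re
import zipfile

# Class-descriptor prefixes of some well-known analytics / ad SDKs, as they
# appear in DEX string tables (assumed shortlist, not a complete catalogue).
KNOWN_SDK_MARKERS = {
    "Facebook SDK (App Events)": b"Lcom/facebook/appevents/",
    "Facebook SDK (core)": b"Lcom/facebook/FacebookSdk",
    "Firebase Analytics": b"Lcom/google/firebase/analytics/",
    "Google Mobile Ads": b"Lcom/google/android/gms/ads/",
}

def find_sdk_markers(apk_bytes: bytes) -> dict:
    """Return {sdk_name: [dex files where its marker appears]} for an APK.

    An APK is a zip; compiled code lives in classes.dex, classes2.dex, ...
    Class descriptors ("Lcom/foo/Bar;") are stored in the DEX string table
    as MUTF-8, so a plain byte search over each .dex is enough to spot a
    package prefix without fully parsing the DEX format. Obfuscation
    (ProGuard/R8) can rename classes, so a miss is not proof of absence.
    """
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        dex_names = sorted(n for n in apk.namelist()
                           if re.fullmatch(r"classes\d*\.dex", n))
        for name in dex_names:
            data = apk.read(name)
            for sdk, marker in KNOWN_SDK_MARKERS.items():
                if marker in data:
                    hits.setdefault(sdk, []).append(name)
    return hits

def build_fake_apk(dex_payloads: dict) -> bytes:
    """Constructed sample: a minimal zip with the given {dex name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        for name, payload in dex_payloads.items():
            z.writestr(name, payload)
    return buf.getvalue()

if __name__ == "__main__":
    # Constructed input: two fake DEX blobs carrying a few class descriptors.
    sample = build_fake_apk({
        "classes.dex": b"dex\n035\x00Lcom/example/Main;Lcom/facebook/appevents/AppEventsLogger;",
        "classes2.dex": b"dex\n035\x00Lcom/google/firebase/analytics/FirebaseAnalytics;",
    })
    for sdk, files in find_sdk_markers(sample).items():
        print(f"{sdk}: {', '.join(files)}")
```

Against a real APK, read the file's bytes and pass them to `find_sdk_markers`; a hit tells you which SDKs are bundled, which is the information the EULA usually does not.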

The Fallacy of Privacy-Friendly Tech Giants

As users became more and more aware of these issues, privacy became a buzzword and, ironically, became a lucrative selling point for mobile devices – a recent example is Apple’s 2019 “Privacy. That’s iPhone” campaign.

On a side note, Apple masterfully used user paranoia to sell more devices, resulting in a vengeful “see you guys in court for denying us the user data we sell” Facebook/Apple clash upon the introduction of App Tracking Transparency (ATT) in iOS 14.5.

What that feature essentially did was give users a per-app tracking ID which, in people’s minds, prevented applications and ad frameworks from finding out which device they are running on, essentially stopping user tracking altogether.

However, this idealistic thought is not true.

ATT is surprisingly ineffective in realistic scenarios. As a genius marketing magic trick, Apple can stand in the spotlight, taking the beating from evil user profilers for being a “privacy-friendly tech giant”, while at the same time maintaining a nice revenue for selling user profiles through their mandatory and unavoidable payment solution in their locked-in app ecosystem.

Apple has benefitted enormously from their privacy changes ensuring that other ad networks get less data on consumers, impairing their ability to track devices and target people. In fact, Apple Search Ads has now displaced Facebook as the best ad network for mobile marketers on iPhone and iPad, according to a new performance index from AppsFlyer.

Google was quick to follow Apple’s bold claims, and Android 12 gave us some truly head-turning headlines on how privacy-positive Android is with the update. However, taking a closer look at the promised features, we see a handful of welcome improvements in how the OS designers try to limit the attack surface available to a piece of malware, but the fundamental problems are still present and are not likely to be addressed anytime soon.

For instance, Google also maintains a feature that can be used to reset the advertising ID. However, there are a million other ways to fingerprint a device – just like in Apple’s case. In practice, the user can see a change in the ad offering after a reset of the ID, but the fundamental tracking mechanism and the associated problems remain.

As a result, it is still commonplace for data aggregators to profile individual users through ad libraries and app telemetry systems, and then to sell the data to the highest bidder. Despite all the claims and hopes, mobile device-related user privacy has not really improved with the addition of these newly introduced changes.

What Can a User Do to Protect Their Privacy?

So what can the end-user do? Of course, going off the grid is always an option (and no, this does not mean that we have to exchange mobile phones for a stone axe; there are usable, if laborious, solutions in between).

When taking a look at the Android AV market, it seems that no 3rd party AV is able to change the basic user tracking behaviour. True, there are solutions that promise to upgrade the overall user privacy level, but that usually means a subscription-based VPN that actively blocks popular 3rd party ad tracker domains.

TLS termination and HTTPS interception are mostly out of the equation for the security-conscious user, since they require introducing a 3rd party CA as a central trusted authority, which is probably not the wisest thing to do when trying to up the privacy game.

Nevertheless, there are products on the market that claim to guard the user’s privacy in many aspects.

Conclusion

As a result, we see a clear demand and a gaping market of privacy-concerned users. Ideally, an app should alert the user whenever a new API request is issued for privacy-sensitive calls and fields, and users should be able to deny the request (or at least be informed). At this point, there is no product that carries out this seemingly simple concept; therefore, we see this feature as the path to the next step of user privacy.

In order to investigate this topic further, we are conducting privacy testing and research in addition to our Android 360° methodology.

Get in touch to find out more about our 360° Android testing, or read our latest Android Efficacy report here.