There is an age-old conspiracy theory that smartphones are covertly listening in on everything we do, for better ad tracking, and making companies more money. Now, a fresh research report has tried to debunk this theory. After a year of testing, folks from Northeastern University allege that smartphone manufacturers and apps installed on your phone are not listening into your conversations covertly, nor are they sending data to unknown remote servers without your knowledge. But don’t get too happy. The researchers suggest that the phones may be using your camera instead, to send screen recording videos to third parties. Of course, to be certain, the study doesn’t prove that no app listens to you – just, that they found none doing so in study. There might be apps that record audio without permission, and may be activated in conditions different from what the study simulated.
Elleen Pan, Jingjing Ren, Martina Lindorfer, Christo Wilson, and David Choffnes from Northeastern University conducted an experiment for a year involving 17,260 Android apps trying to see if any of them use the phones’ microphone to record audio covertly. The most prominent example for this conspiracy theory is Facebook ads that show up mysteriously based on the things you might have conversed about recently. The study involved all the apps that Facebook owns, and 8,000 other apps that send information to Facebook. Researchers created a bot that interacted with these apps, and analysed the data and traffic generated. This is another limitation of the study, as the bot was not able to perform all human-level activity, like creating usernames and passwords.
Considering these limitations, these researchers found no solid evidence of snooping, and the apps never really acted shady and activated the microphone for recording audio without the user’s knowledge. From the total, 9,000 apps had permission to access camera and microphone, and they could all easily listen into private conversations learning about your needs and then showing relevant ads, but no such instances were found.
However, they found something equally dangerous. Several apps were seen taking screenshots and recording screen videos covertly of what people were doing in-app, and sending it to third-parties without any permission from the user. One such example listed was GoPuff – an app that delivers food at odd hours. It was seen that the app recorded a video of what the person was doing inside GoPuff and sent to a domain affiliated with AppSee. For those unaware, AppSee is a mobile analytics company, and the data in the video could be very useful for them. Being a delivery app, sensitive information like credit card details and pin numbers can be compromised, and this research case, the zip code was revealed in the screen video recording.
After GoPuff was informed by the researchers, it promptly added a disclosure stating, “AppSee might receive users PII (personally identifiable information)”. A spokesperson also informed Gizmodo that the AppSee SDK has been removed from GoPuff’s Android and iOS apps with the latest update. However, AppSee claims that GoPuff should have informed its end-users way beforehand that its data was recorded and sent to us for analytical and performance optimisation purposes. However, in this case, both are partly fault. Google Play clearly lists that apps must disclose how users’ data is collected.
Google responded to Gizmodo for a request for comment on the team’s findings, and said, “After reviewing the researchers’ findings, we determined that a part of AppSee’s services may put some developers at risk of violating Play policy. We’re working closely with them to help ensure developers appropriately communicate the SDK’s functionality with their apps’ end-users.”
Therefore, this study offers some respite to users who are paranoid that their microphones may be used to snoop into their private conversations. However, it brings along another bad news that screens are being recorded by apps instead, without the knowledge of users.