If you’ve used the fitness-tracking app MapMyRun, there’s a chance that your password has been leaked.

And the popular fitness app isn’t the only one. Other apps may also be putting your information at risk.

A research team led by David Choffnes, an assistant professor in the College of Computer and Information Science, has found “extensive” leakage of users’ information—device and user identifiers, locations, and passwords—into network traffic from apps on mobile devices, including iOS, Android, and Windows phones.

The researchers have also found a way to stop the flow.

Choffnes will present his findings on Monday at the Data Transparency Lab 2015 Conference, held at the Media Lab at the Massachusetts Institute of Technology.

ReCon: Revealing and controlling leaks

In their lab at Northeastern, Choffnes and his colleagues developed a simple, efficient cloud-based system called ReCon with a comprehensive trio of functions: It detects leaks of “personally identifiable information,” or PII; it alerts users to those breaches; and it enables users to control the leaks by specifying what information they want blocked and from whom.


“Our devices really store everything about us on them: who our contacts are, our locations, and enough information to identify us because each device has a unique identifier number built into it,” says Choffnes.

“A lot of network traffic that goes back and forth isn’t protected by encryption or other means,” he explains. Which may be OK when you submit your email address to an app to, perhaps, subscribe to its newsletter. But not when you type in your password.

“What’s really troubling is that we even see significant numbers of apps sending your password, in plaintext readable form, when you log in,” says Choffnes. In a public-WiFi setting, that means anyone running “some pretty simple software” could nab it.

Alarming findings

A June 2015 Forrester Research study reported that smartphone users spend more than 85 percent of their time using apps. But little research has been done on apps’ network traffic because mobile devices’ operating systems, as opposed to those of laptops and desktops, are so difficult to crack.

Choffnes has changed that. His study followed 31 mobile device users—together they had 24 iOS devices and 13 Android devices—who used ReCon for a period of one week to 101 days and then monitored their personal leakages through a ReCon secure webpage.

The results were alarming. “Depressingly, even in our small user study we found 165 cases of credentials being leaked in plaintext,” the researchers wrote.


Of the top 100 apps in each operating system’s app store that participants were using, more than 50 percent leaked device identifiers, more than 14 percent leaked actual names or other user identifiers, 14–26 percent leaked locations, and three leaked passwords in plaintext. In addition to those top apps, the study found similar password leaks from 10 additional apps that participants had installed and used.

ReCon graphically shows users how their locations have been tracked through their apps. Screen shot from recon.meddle.mobi

In addition to MapMyRun, the password-leaking apps included the language app Duolingo and the Indian digital music app Gaana. All three developers have since fixed the leaks. Several other apps continue to send plaintext passwords into traffic, including a popular dating app.

Returning control to you

Using ReCon is easy, Choffnes says. Participants install a virtual private network, or VPN, on their devices—an easy six- or seven-step process. The VPN then securely transmits users’ data to the system’s server, which runs the ReCon software identifying when and what information is being leaked.

To learn the status of their information, participants simply log onto the ReCon secure webpage. There they can find things like a Google map pinpointing which of their apps are zapping their location to other destinations and which apps are releasing their passwords into unencrypted network traffic. They can also tell the system what they want to do about it.

“One of the advantages to our approach is you don’t have to tell us your information, for example, your password, email, or gender,” says Choffnes. “Our system is designed to use cues in the network traffic to figure out what kind of information is being leaked. The software then automatically extracts what it suspects is your personal information. We show those findings to users, and they tell us if we are right or wrong. That permits us to continually adapt our system, improving its accuracy.”
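As an added illustration, not ReCon’s own code, of the pipeline the article describes: a request forwarded from the device is inspected only if it travels over plaintext HTTP, parameter-name cues classify a leaked value without the value being known in advance, and a user policy says what to block or redact and from whom. The cue lists, the host, the sample login request and the policy are all constructed assumptions.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameter-name cues (constructed for this example) that let the detector
# classify a value as PII without being told the value in advance.
PII_CUES = {
    "password": {"password", "passwd", "pwd"},
    "device_id": {"imei", "device_id", "udid", "android_id"},
    "location": {"lat", "latitude", "lon", "lng", "longitude"},
    "user_id": {"email", "username", "user_id"},
}

def classify_key(key):
    """Map a query/form parameter name to a PII category, or None."""
    k = key.lower()
    return next((cat for cat, names in PII_CUES.items() if k in names), None)

def find_leaks(req):
    """req: {'url': ..., 'body': form-encoded}. Only plaintext http:// requests
    are inspected: values carried inside TLS are not readable on the wire."""
    parts = urlsplit(req["url"])
    if parts.scheme != "http":
        return []
    pairs = parse_qsl(parts.query) + parse_qsl(req.get("body", ""))
    found = [(classify_key(k), k, v) for k, v in pairs]
    return [hit for hit in found if hit[0] is not None]

def _redact(encoded, keys):
    """Blank the values of the named parameters in a form-encoded string."""
    return urlencode([(k, "" if k in keys else v) for k, v in parse_qsl(encoded)])

def apply_policy(req, policy):
    """policy: {(category, host): action}; host '*' matches any destination.
    'block' drops the request, 'redact' blanks the value, 'allow' passes it.
    Returns (forwarded, request) with redactions applied to URL and body."""
    host = urlsplit(req["url"]).hostname
    redact = set()
    for cat, key, _ in find_leaks(req):
        action = policy.get((cat, host), policy.get((cat, "*"), "allow"))
        if action == "block":
            return False, None
        if action == "redact":
            redact.add(key)
    parts = urlsplit(req["url"])
    url = parts._replace(query=_redact(parts.query, redact)).geturl()
    return True, {**req, "url": url, "body": _redact(req.get("body", ""), redact)}

# Constructed sample: a login POST over plain HTTP (not captured app traffic).
SAMPLE = {"url": "http://api.example-app.test/login?udid=ABC123&lat=42.34&lon=-71.09",
          "body": "username=alice&password=hunter2"}
USER_POLICY = {("password", "*"): "block", ("location", "*"): "redact"}
```

The user-confirmation loop the article mentions is not modelled here; a confirmed false positive would simply be removed from the cue lists.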


Assistant professor David Choffnes has developed a cloud-based system, called ReCon, that gives users control of mobile-app information leaks. Photo by Matthew Modoono/Northeastern University

That checks-and-balances approach works: The team’s evaluative study showed that ReCon identifies leaks with 98 percent accuracy.

Apps that track

Apps, like many other digital products, contain software that tracks our comings, goings, and details of who we are. Indeed, if you look in the privacy setting on your iPhone, you’ll see this statement: “As applications request access to your data, they will be added in the categories above.” Those categories include “Location Services,” “Contacts,” “Calendars,” “Reminders,” “Photos,” “Bluetooth Sharing,” and “Camera.”

Although many users don’t realize it, they have control over that access. “When you install an app on a mobile device, it will ask you for certain permissions that you have to approve or deny before you start using the app,” explains Choffnes. “Because I’m a bit of a privacy nut, I’m even selective about which apps I let know my location.” For a navigation app, he says, fine. For others, it’s not so clear.

One reason that apps track you, of course, is so developers can recover their costs. Many apps are free, and tracking software, supplied by advertising and analytics networks, generates revenue when users click on the targeted ads that pop up on their phones.

ReCon, alone among app surveillance tools, takes control out of advertisers’ hands and gives it back to you.

“There are other tools that will show you how you’re being tracked but they won’t necessarily let you do anything,” says Choffnes. “And they are mostly focused on tracking behavior and not the actual personal information that’s being sent out. ReCon covers a wide range of information being sent out over the network about you, and automatically detects when your information is leaked without having to know in advance what that information is.

“Finally, which I really haven’t seen anywhere else, is this ability to protect your own privacy: You can set policies to change how your information is being released.”