Research finds ‘pervasive’ privacy leaks from mobile apps

In the second of our Computer Science Seminar Series, David Choffnes shared the findings from his research team's development of ReCon, a cloud-based system that works with iOS and Android mobile devices to detect mobile app information leaks and give users control over them.

Choffnes' study can be summed up in one sentence: personally identifiable information (PII) leakage is pervasive.

Behind the scenes, many mobile apps send extensive information about users to their own servers, and to advertisers and analytics companies that profit from users' data. To better understand the extent of the leaks, Choffnes, an assistant professor at Northeastern University's College of Computer and Information Science, is working with researchers from universities around the world to develop a system that tracks leaks and gives users control over them. The work is sponsored by the Data Transparency Lab.

“OSes [Operating Systems], carriers and cell networks are very locked down. As researchers, there are few tools to allow transparency or visibility in what private information is being sent through mobile devices,” said Choffnes, explaining the motivation behind the research.


The current study builds on Meddle, which combines virtual private networks (VPNs) with middleboxes to tunnel traffic from mobile devices to a server where users and researchers can inspect and control network flows. From that vantage point the researchers learn the structure of PII leaks, train machine learning classifiers to identify likely leaks, and automatically surface the findings to users through ReCon, which lets them manage and block unwanted leaks.

With 200 current users in the study and a lengthy waiting list, Choffnes said, “People do care about privacy.”

Learn more about how to become a ReCon user: http://recon.meddle.mobi

To date the study has found 20 different applications exposing users' passwords in plaintext. Other information, such as email addresses, gender, location and full names, is also leaked frequently, often with no connection to the app's function.


The roaming nature of mobile devices, with users routinely connecting to public, unencrypted Wi-Fi, makes the plaintext leaks all the more concerning, since anyone on the same network could be listening, Choffnes said.
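To make the middlebox idea and the plaintext-password finding concrete, here is a small added example (written for this page; it is not ReCon's or Meddle's code). It stands in for the classification step: a VPN-tunnelled middlebox sees each app's HTTP requests, and a detector checks whether any query-string or form-body parameter carries a value from the user's own PII list, or uses a parameter name that usually carries a secret. ReCon learns those key/value patterns with machine learning; this example replaces that with explicit matching and a hand-written key-name heuristic, which is an assumption of the example rather than the study's method. The flows, the PII values and the hostnames are all constructed.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of a user's own PII, as a privacy tool would hold it
# (hypothetical values, not data from the study).
USER_PII = {
    "email": "alice@example.com",
    "password": "hunter2",
    "device_id": "a1b2c3d4e5f6",
    "full_name": "Alice Example",
}

# Parameter names that commonly carry secrets; flagged even when the value is
# not a known PII string (a heuristic assumed by this example, not ReCon's rule).
SECRET_KEYS = {"password", "pass", "passwd", "pwd"}

# Constructed HTTP flows standing in for what a VPN-tunnelled middlebox sees.
# "http" flows are readable by anyone on the same unencrypted Wi-Fi.
SAMPLE_FLOWS = [
    {"method": "POST", "url": "http://api.notes-app.test/login",
     "body": "user=alice%40example.com&pass=hunter2"},
    {"method": "GET",
     "url": "http://ads.tracker.test/pixel?did=a1b2c3d4e5f6&gender=f&name=Alice+Example",
     "body": ""},
    {"method": "GET", "url": "https://weather.example.test/forecast?zip=02115",
     "body": ""},
    {"method": "POST", "url": "https://social.example.test/signin",
     "body": "pwd=s3cret&remember=1"},
]


def extract_params(flow):
    """Yield (location, key, value) for query-string and form-body parameters."""
    parts = urlsplit(flow["url"])
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        yield "query", key, value
    for key, value in parse_qsl(flow.get("body", ""), keep_blank_values=True):
        yield "body", key, value


def find_leaks(flows, pii=USER_PII, secret_keys=SECRET_KEYS):
    """Return one finding per parameter that carries PII or looks like a secret.

    Each finding records the destination host, where the value travelled
    (query or body), the parameter name, the PII category, and whether the
    request went over plaintext HTTP."""
    lowered = {kind: val.lower() for kind, val in pii.items()}
    findings = []
    for flow in flows:
        parts = urlsplit(flow["url"])
        plaintext = parts.scheme == "http"
        for location, key, value in extract_params(flow):
            # Value-based match against the user's known PII.
            categories = [k for k, v in lowered.items() if value.lower() == v]
            # Key-name heuristic: a password field leaks even if we cannot
            # confirm the value (e.g. the user has several passwords).
            if key.lower() in secret_keys and "password" not in categories:
                categories.append("password")
            for category in categories:
                findings.append({
                    "host": parts.hostname,
                    "location": location,
                    "key": key,
                    "category": category,
                    "plaintext": plaintext,
                })
    return findings


def plaintext_password_hosts(findings):
    """Hosts that received a password over unencrypted HTTP, sorted."""
    return sorted({f["host"] for f in findings
                   if f["category"] == "password" and f["plaintext"]})


if __name__ == "__main__":
    leaks = find_leaks(SAMPLE_FLOWS)
    for finding in leaks:
        print(finding)
    print("plaintext passwords sent to:", plaintext_password_hosts(leaks))
```

On the constructed flows the detector reports five parameters: the email and password in the login POST, the device identifier and full name sent to the ad host, and the `pwd` field in the HTTPS sign-in, which is caught by the key-name heuristic alone. Only the first host shows up as receiving a password in plaintext; the HTTPS sign-in is a leak to the service but not to a Wi-Fi eavesdropper, which is the distinction the previous paragraph draws. The zip code in the weather request is not flagged because it is neither a known PII value nor a secret-named key, a reminder that a value list is only as good as what the user has told the tool.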

While he did not initially intend to become a privacy researcher, Choffnes has had to learn quickly: his team responsibly discloses the leaks it finds to the application developers, and he has been in talks with the FTC's Consumer Privacy Division about them.
