Specialists from Northwestern University and California The University of Santa Barbara decided to check whether mobile applications really monitor users, eavesdrop and pee.
After studying the behavior of 17,260 Android applications, the researchers concluded that applications do not use camera access and microphones for hidden surveillance owners of gadgets. However, sometimes they can take screenshots and upload them to remote servers.
In total, experts analyzed the behavior of 15,627 applications taken from the Google Play Store and applications from third-party directories: 510 applications from AppChina, 528 applications from Mi.com, as well as 285 applications from Anzhi portal.
The researchers checked which applications and how often they are requesting access rights to the camera and microphone of the device. The code of which applications contains calls to API functions specific to the collection of multimedia data (access to the Audio API, Camera API, Screen Capture API). Also, it was determined whether these API references were written to the code by the authors of the application itself, or were the product of the work of third-party libraries that the application uses.
As it turned out, only a small number of applications really use their access to the camera and the microphone of the device by appointment. However, experts warn that the potential risk is still great, because developers at any time can update their product, and previously unused rights can take advantage of third-party code that was added to the application.
"Moreover, third-party code that does not have the rights to use multimedia in one version of the application, then may not use the rights granted to future versions of the application, "the researchers write.
Among the 17,260 applications examined, ish 21 application that record and transmit multimedia data externally. 12 of them either transmitted data in plain text (HTTP) or because of errors in the code they took screenshots of the device and downloaded them to the network. The remaining 9 applications downloaded images to cloud servers for editing, but they did not inform users about it, which is also considered a leak.
Although the specialists actually failed to detect applications that use cameras and microphones for shadowing for people, researchers warn that an equally serious threat is the use of third-party libraries. As already mentioned above, such libraries can begin to use the rights received by the application for their own purposes. Because of this, experts believe that Android developers should prohibit third-party libraries from using the functions of "parent" applications without permission.
"So, [сторонние библиотеки] can be used to capture the screen of the application into which they were built. For this they do not need separate permits. Applications often display confidential information, and such behavior threatens users with inconspicuous, hidden monitoring by third parties, "experts conclude.