When you launch a smartphone app (a music player, clothing store, video game, news, or anything else), it almost certainly connects quietly to servers you are not aware of and gives them some information: your gender, age, birthday, location, device information, phone number, email, login and/or password.

In 2018, scientists from Oxford University published the results of a study of 959 thousand apps from the Google Play store for Android smartphones. It turned out that 90.4% of the programs had a tracker from at least one company built in, and 17.4% had more than ten. “[But] we cannot say that if the app has one connection instead of 30%, it is better: nothing prevents the owner of this application from transferring data first to themselves and then to their partners. It is impossible to verify,” explains Anton Fishman, head of the system solutions department at Group-IB.

The Oxford researchers did not check iOS apps, but the figures for programs from the App Store are most likely comparable, because neither Google nor Apple forbids developers from building in trackers.

Who needs the data, and why?

Some of the data recipients are household names, Google for example, but others (AdMobius, Infolinks) you have never even heard of. What most of these mysterious firms have in common with giants like Google and Facebook is that, among other things, they are in the advertising business. They want to learn a variety of information about you in order to resell it or use it themselves to offer you some product or service. The stakes are high: according to the consultancy eMarketer, in 2018 the turnover of online advertising amounted to $283.4 billion, almost seven times the global box office of all American films ($41.1 billion).

According to Ivan Begtin, director of the nonprofit organization “Information Culture”, user information is needed for more than displaying advertising. If you know consumers' profiles, you can persuade them to spend more, for example by showing a different price for the same service: a taxi ride, a flight, etc.

Other information is needed by the creators of apps and websites to better understand their audience. For example, many media outlets learn the number of page views, traffic sources, etc. through Google Analytics. The Firebase Crashlytics service, also owned by Google, helps developers identify and resolve application issues, and to do this the app must send information to the Firebase Crashlytics servers.

Even when you simply visit a website, your data ends up somewhere else. Some browsers, including Chrome and Safari, have a built-in warning system for dangerous pages that prevents them from loading. In October it nearly caused a scandal.

A note was found in the documentation for the iOS 13 operating system saying that, to check pages, the Safari browser uses a service from the Chinese company Tencent, which is distrusted in the US because of its links with the Chinese authorities. Apple, which develops Safari, told journalists at The Verge that the Tencent service is used only on smartphones in mainland China (for everyone else the check is performed by Google), that users' browsing history is not transmitted to remote servers, and that the check can be disabled in settings.

Professor Matthew Green, a cryptography specialist from Johns Hopkins University, wrote in his blog that this was only half the truth. Only the first stage of the check stays on the device: if Safari's internal database contains a match for a dangerous website, the browser contacts the Google server for a more thorough check and at that point sends the smartphone's IP address and the address of the suspect page in a modified form. Hypothetically, this makes it possible to identify a person, although no one has yet proved that this is actually possible.
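A simplified model of the two-stage check described above, added here as an illustration (it is not Apple's or Google's code). It assumes the "modified form" is a truncated SHA-256 hash of the page address, as in Google's Safe Browsing Update API; the URL handling, the sample data and `fake_server` are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 hash kept in the on-device list (assumed)

def expressions(url):
    """Host/path combinations to test; real clients canonicalize far more carefully."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    labels = host.split(".")
    hosts = [host] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]
    paths = {path, "/"}
    if parts.query:
        paths.add(path + "?" + parts.query)
    return sorted(h + p for h in hosts for p in paths)

def full_hash(expr):
    return hashlib.sha256(expr.encode()).digest()

def check(url, local_prefixes, server_lookup):
    """Return (verdict, prefixes_sent); server_lookup stands in for the remote service."""
    sent = []
    for expr in expressions(url):
        digest = full_hash(expr)
        prefix = digest[:PREFIX_LEN]
        if prefix not in local_prefixes:
            continue  # stage one, on the device: no match, nothing is sent
        sent.append(prefix)  # stage two: the server sees this prefix and the client IP
        if digest in server_lookup(prefix):
            return "blocked", sent
    return "allowed", sent

# Constructed sample data: one "dangerous" page and one innocent prefix on the list.
BAD = [full_hash("malware.example/dropper.html")]
LOCAL = {h[:PREFIX_LEN] for h in BAD} | {full_hash("shop.example/")[:PREFIX_LEN]}

def fake_server(prefix):
    """Hypothetical server: returns the full hashes that start with the prefix."""
    return [h for h in BAD if h.startswith(prefix)]

if __name__ == "__main__":
    for u in ("http://www.malware.example/dropper.html",
              "https://news.example/article?id=7",
              "https://shop.example/"):
        verdict, sent = check(u, LOCAL, fake_server)
        print(u, verdict, [p.hex() for p in sent])
```

The third sample shows the privacy point: an innocent page whose hash prefix happens to be on the local list still triggers a request that reveals that prefix together with the IP address.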

In short, both browsers and apps send user information to third parties, and it is not always possible to track where that information goes.

Is it legal?

Usually there is nothing criminal about the data transfer. Different countries have their own laws on personal data (in Russia, it is No. 152-FZ). “When registering or starting to use a product, the user gives consent, which states what the company collects the data for and what it does with them. And it is often written there that, to provide the user with the requested service, the company may transfer data to its partners. And the user confirms this,” explains Anton Fishman. According to him, if people have posted information about themselves on social networks, on forums or anywhere else on the Internet, that is, made it public, then their consent to its use is not necessary, and no requirements apply to anonymised data such as an IP address.

Transmitting information to a third party does not violate the platforms' rules, even though people are increasingly outraged over violations of privacy. After all, the technology giants, on which much of what happens on the Internet depends, also collect data. “When we talk about using information from websites or mobile devices, the likes of Apple and Google sometimes turn on microphones, recording and analyzing everything you say. This is done to improve the user experience. These functions can be disabled, but as a user I still hate that this happens while the phone is in your pocket,” says Anton Fishman.

From the consumer's point of view, this is a necessary evil: free apps and sites need to pay for themselves, so their creators sell data about their customers (although for paid services it can also be an additional source of income); and if you want a personalized service, you have to tell it something about yourself, even if you are not asked directly.

So which is better: browsers or apps?

“I can’t say that one is better than the other, that we should all use only the browser or only applications. Both have their pros and cons,” says Anton Fishman. Applications get access to data by requesting permission at first launch or the first time it is needed. The permission remains valid until the person revokes it. However, if it is revoked, the application often stops working.

A browser can also ask for permission, but only while the page in question is open. And in browsers, unlike apps, you can disable script execution and data transfer in the settings (or install extensions that do this) and use proxy servers that replace your IP address. Some browsers block unwanted trackers by default and present this as a competitive advantage.

In 2016 a group of researchers from Northeastern University in Boston tried to figure out which is better to use: web browsers or applications. They found that web pages more often leaked names and location information, while data about the mobile device was leaked only by apps. Overall, the researchers believe, it is almost always better to choose the app than to go to the site in a browser. “[But] it all depends on the service and what information is more valued employees,” first author David Choffnes said in a letter to TASS. However, in the three years since, he and his team have not repeated the test. Perhaps new built-in protections would have tipped the scales in favor of browsers.

By itself, data transmission is not necessarily a threat. Often companies receive information that does not identify a specific person and merely goes into an impersonal profile for targeted advertising or is added to a large data set for analysis. Other information, such as a username and password, can do harm in the wrong hands. Developers may send it not to outsiders but to their own servers, yet do so carelessly, over an unencrypted channel. Then attackers can intercept it. Browsers have an advantage here: most web pages are accessed over the encrypted HTTPS protocol, and if the channel is not protected, this is clearly shown in the address bar.

But people don’t always pay attention to browser warnings, and in browsers, unlike apps, the risk of fraud is much higher. Fraudsters create pages that look exactly like the websites of banks, postal services, etc., where you enter information that no advertising agency or analytics service would ever receive: for example, credit card details.

Compared with applications, browsers have less deep access to the device, and they also have additional privacy settings and built-in protection mechanisms. But while analytics and advertising trackers often pose no real threat, a web page may be fraudulent and therefore genuinely dangerous.

It is also worth remembering that both browsers and applications run on an operating system. If you configure the system using its built-in tools or special programs, both ways of using services become more reliable. In the end, protecting privacy is the responsibility not only of developers but also of the individual.

Tips from Group-IB
“Update the device”. This refers to upgrading the operating system and applications: updates close gaps that can be exploited. For the same reason you should not use unofficial firmware for smartphones: people sometimes install it to get access to hidden functions but end up becoming victims of fraud.

“Only install applications from official stores”. For iOS this is the App Store; the largest store for Android is Google Play, but Samsung, Huawei and other manufacturers also have their own marketplaces. They check whether an application has any undocumented functions. However, sometimes hackers or simply unscrupulous developers manage to pass the check, and it becomes immediately.

“Use those applications that are trusted by as many people as possible”. Although there are exceptions, popular apps are usually not fraudulent.

“Don’t install an app just to try it”. If almost all apps pass your details on to outside parties, there is no need to open up yet another stream of information from your smartphone. And in the worst case you will run into criminals.

“Be sure to look at what permissions the app requests. If it asks for more than its functionality needs, for example access to call history or SMS, that is a reason to think twice and not install it.” People are becoming more cautious, and more and more developers simply state why they need a permission. For example, an online store may need access to SMS to notify the courier.

“Paranoids do this: for such [suspicious but necessary] applications they buy a second phone and shut off access to everything (GPS, Wi-Fi), so that the application physically cannot collect data”.

“Taping over the camera, and turning off the phone or taking it to another room for confidential conversations, is also a good approach.”

Marat Kushaev
