Research claims that several Android apps have “alarming” privacy holes – enabling mobile apps to take and share screenshots and video of the phones’ app activity without users’ knowledge.

The research paper from June 2018, conducted by researchers from Northeastern University and published Wednesday, examined 17,260 apps from marketplaces Google Play, AppChina, Mi.com and Anzhi. While a large fraction of apps are not abusing this ability to record media on mobile phones, the researchers did discover a “few instances” of covert recording.

“Our study reveals several alarming privacy risks in the Android app ecosystem, including apps that over-provision their media permissions and apps that share image and video data with other parties in unexpected ways, without user knowledge or consent,” the researchers said in the report. “We also identify a previously unreported privacy risk that arises from third-party libraries that record and upload screenshots and videos of the screen without informing the user and without requiring any permissions.”

Researchers used a combination of static analysis (examining the code without executing the program) and dynamic analysis (testing and evaluation the program by executing data in real-time) on apps to discover if the apps were inappropriately collecting and leaking media, such as video or pictures. Research entailed examining whether apps request access to camera and microphone permissions, whether media APIs are actually referenced in the app’s code, and whether any potential API references are in code from the first-party develop or a third-party library.

App Issues

In one incident, the researchers found that an on-demand delivery app (GoPuff, available on Google Play), had leaked video to a third-party analytics platform provider’s domain. Upon decompiling the APK of the app, they found that GoPuff records the screen and sends a video of the interaction to a domain owned by the third-party analytics company, Appsee, as soon as the app starts.

“Screen recording, if adopted at scale and/or in apps that handle sensitive data, could expose substantial amounts of users’ PII, especially when the full burden of securing private information is placed on developers,” the researchers said. “Further, we argue that the recording of interactions with an app (without user knowledge) is itself a privacy violation akin to recording audio or video of the user.”

The researchers disclosed this to GoPuff, which in response pulled the Appsee SDK from their iOS and Android apps and updated their privacy policy. “Researchers from Northeastern brought to our attention the results of their study,” a GoPuff spokesperson told Threatpost. “Our original privacy policy disclosed all PII we collect which is used to improve our website. After speaking with the Northeastern researchers 4 weeks ago, we immediately acted to clarify our privacy policy to reference our use of Appsee. At that time, we further reviewed the utility of Appsee and as an added precaution, we proactively pulled the Appsee SDK from the latest Android and iOS builds.”

They also disclosed it to Google, which responded: “Google constantly monitors apps and analytics providers to ensure they are policy-compliant. When notified of our findings, they reviewed GoPuff and AppSee and took the appropriate actions.”

“The research tested dozens of apps that use Appsee, and only one of them (GoPuff) did not disclose this fact to their users, and it appears that GoPuff were capturing zipcode information with Appsee,” Appsee’s CEO and co-founder, Zahi Boussiba, told Threatpost. “In the same way app developers can send sensitive information to any 3rd party, Appsee cannot control the data we receive from our clients. In this case it appears that Appsee’s technology was misused by the customer and that our Terms of Service were violated.  Once this issue was brought to our attention we’ve immediately disabled tracking capabilities for the mentioned app and purged all the relevant data from our servers.”

Another app used the camera-taking abilities of a mobile beta-testing platform found on Google Play, TestFairy, to record users interactions through screenshots. This API screenshot method was used by a networking app for a conference, called SAHIC. The networking app used the beta-testing library to take 45 screenshots including a search for attendees, messages to contacts and a response to a survey.

“While this feature is typically used during beta testing, the app was not labeled as a beta version in the Google Play Store,” the researchers said. “The user is also not informed of the recording, nor is she offered the opportunity to consent to beta testing upon opening the app. Thus, any reasonable user of these apps would likely never expect screenshots of her interactions.”

Finally, the researchers found a disturbing trend where photo editing apps – including one called Photo Cartoon Camera – PaintLab – would send photos to their servers for processing (without notifying users) as opposed to performing the editing on the devices themselves.

The researchers found that up to six apps employ this method – including FaceApp, Prisma Photo Editor, and InstaBeauty – Makeup Selfie Cam. The privacy disclosures for these apps also are unclear – for instance, the app developer of two of the photo editing apps, Fotoable, provided a privacy disclosure that only made a general statement that personal data might be collected and used.

“This disclosure is arguably misleading as the app does not indicate uploading of a user’s photo while they are editing it,” they said.

Android Permissions and Third Parties 

Craig Young, computer security researcher for Tripwire’s VERT (Vulnerability and Exposure Research Team), told Threatpost that the flaw is not within Android as it should be common sense that an app is able to capture any data the user submits – but instead in Android developers sharing with third parties.

“The real risk here is that app developers are including third party libraries without an understanding of what data is being collected,” he told us. “This is a classic supply chain security problem which seems to have been magnified by the importance of advertising revenue within the mobile app ecosystems.”

Researchers pinpointed that unlike the camera and audio APIs, the APIs for taking screenshots and recording video of the screen are not protected by any permissions – and there is no disclosure to end-users if they are being leaked to third parties, the researchers said.

“Given that sensor data is highly sensitive, the Android and iOS operating systems include mandatory access control mechanisms around most sensors,” the researchers said. “However, existing permission models only partially mitigate multimedia privacy concerns because they are coarse grained and incomplete.”

Android app developers must list the permissions they plan to use in the AndroidManifest.xml file in all Android Packages (APKs), researchers said. Users, meanwhile, can accept or reject permission requests. However, when it comes to camera and audio APIs, they are not protected by any permission – meaning that apps can potentially record users’ screen interactions without them knowing.

Google’s personal and sensitive information privacy policy states that app must have a privacy policy that, together with any in-app disclosures, comprehensively discloses how the app collects, uses and shares user data, including the types of parties with whom it’s shared.

“We always appreciate the research community’s hard work to help improve online privacy and security practices,” a Google Play spokesperson told Threatpost. “After reviewing the researchers’ findings, we determined that a part of AppSee’s services may put some developers at risk of violating Play policy. We’re working closely with them to help ensure developers appropriately communicate the SDK’s functionality with their apps’ end-users.”

Prevention

The research highlights that users should always pay close attention to their app permissions, especially for apps handling sensitive data.

“Permission management has come to light as a problem for both leading mobile platforms, but Google and Apple have acknowledged and improved granularity, clarity and visibility in recent iterations of their operating systems so that users can have more control over what they are allowing the applications to access,” Alejandro Lavie, Flexera’s Director of Security Strategy, told Threatpost. “However, as that aspect improves, Flexera’s concerns are more focused on the many vulnerabilities in Android versions that are actively being used in consumers smartphones, but remain unpatched for the vast majority of users.”

Users, for their part, can access app permissions, open their settings app, click on the app they want to examine, and tap Permissions. From there, they will be able to see everything an app can access – and turn off certain permissions.