Harvard, Northeastern’s privacy tools flag apps that leak personal data


The Snapchat and Runkeeper apps for the iPhone share your location data with Apple. Boston telemedicine company American Well’s phone app transmits information about the medical terms you search from your phone to its servers. Until recently, when customers logged into their language training app Duolingo, the app would transmit their password in an unsecured way, allowing eavesdroppers on open networks to pick it out.

These are the latest findings from two independent analyses of how the 100 most popular apps for iOS and Android devices treat sensitive user data. App makers have been hauled up time and time again for collecting too much personal information and not adequately informing users when their personal information is being shared. The latest research projects, from Northeastern University and Harvard University, are hoping to empower smartphone owners to keep their data more secure by pointing out the leakiest apps on their device.

“Our devices have been black boxes — this is something that has frustrated me for years,” said David Choffnes, a professor of computer science at Northeastern University who led one study into app privacy.

In a bid to make privacy realities more visible to smartphone owners who aren’t techheads or security experts, Choffnes led development of a tool called ReCon that serves as an in-phone watchdog for sensitive information. After it is installed, it can recognize when sensitive information such as e-mails or passwords are being transmitted and flag the leaky apps to the owner.

“We saw some pretty impressive privacy violations that we were unhappy with and we figured this is something the public we should be aware of,” Choffnes said.

For example, he found that the United Airlines app shared his location with the app maker every time he opened it to conduct a transaction, even if the task he was asking the app to perform didn’t require United to know his location.

“We don’t know why they’re doing this — for the services that I access they don’t need to know my location,” Choffnes said.

At a presentation at the Data Transparency Lab conference at the MIT Media Lab Monday, Choffnes explained how some app makers transmitted sensitive information like passwords across networks in plain text, making them an easy target for network eavesdroppers. Language learning app DuoLingo and the Indian Bollywood streaming service Gaana were both guilty of this, but have since changed their protocols, Choffnes said.

A second team at Harvard University, led by noted privacy researcher and one-time chief technology officer at the Federal Trade Commission, Latanya Sweeney, found that 73 percent of the 55 most popular Android apps shared personal information such as e-mail addresses and names with third-party websites — chiefly advertisers and analytics companies — without notifying customers.

Apps for iOS in the Apple App Store had a better record keeping a lockdown on personal information, but nearly half the 55 apps tested shard location data without notifying their customers, the team explained in a paper published in the journal Technology Science on October 30.

Whether it’s health information or shopping information, websites freely share user data with third-party advertisers, data brokers, or analytics firms. That’s why an ad for colanders will follow you to your news page after you went on a home shopping spree on Amazon.com. The new study indicates that phone apps may be going the way of websites, sharing more and more often, said Jinyan Zang, a research fellow at the Federal Trade Commission and a research analyst at the Institute for Quantitative Social Science at Harvard University. Except, phone apps potentially have access to more sensitive data such location and biometric info.

The team found, for example, that the AmWell telemedicine app shared your birthday, e-mail, gender, name, medical info, and location with AmWell.com. Also, the Period Tracker Lite app on iOS shared medical info with the websites amazonaws.com and apsalar.com and shared name, e-mail and password info with the website gpsocialapp.com.

Both teams want to make it easier for consumers to see where their data is traveling. But transparency is just the first step — it’s then up to consumers to change their behavior to be smarter about leaks, said Joseph Hall, chief technologist at the Center for Democracy and Technology, a Washington, D.C., nonprofit. “People need to up what we call their ‘digital hygiene,’” he said.

Nidhi Subbaraman writes about science and research. Email her at [email protected]
Follow Nidhi on Twitter - Facebook