Where is personal privacy security going? A large number of apps secretly collect and track personal information

Researchers said at the IEEE European Parliament last week that they found 234 Android apps in a recent study that would ask users to "allow the use of the microphone" in order to track user information through ultrasonic signals. Ultrasonic Cross-Device Tracking (uXDT) is a favorite of many marketing and advertising companies.

Ultrasonic audio beacons can be embedded in TV ads or web ads, and mobile apps equipped with receivers can collect these beacons. As a result, advertisers can use this technology to track user information across devices, create personalized user profiles, and understand user interests by analyzing data collected by devices, so as to recommend ads that interest each user.

More and more apps are starting to use uXDT technology

In this study, researchers analyzed millions of Android apps on the VirusTotal service and found that a small number of apps used ultrasonic audio technology called Shopkick and Lisnr. Many other apps used SilverPush SDK, an SDK that allows developers to track users across devices. SilverPush, Lisnr and Shopkick are SDKs prepared for developers, and all three SDKs use ultrasonic beacons to send information to mobile devices.

Developers can use SilverPush to track user information across multiple devices, while Lisnr and Shopkick are used to track user locations. After analyzing a large number of Android applications, researchers found that there were not many manufacturers using Lisnr and Shopkick SDKs, but there were many using SilverPush SDK. The report also mentioned that among the 35 German retail stores visited by researchers, 4 stores had ultrasonic beacons.

As early as 2015, a study showed that 6-7 apps in the sample used the SilverPush SDK, and the company monitored approximately 18 million smartphones, but this number is constantly increasing.

At the 2016 BlackHat hacker conference, researchers demonstrated the uXDT technology and pointed out that this technology can expose the real information of Tor users through anti-anonymity. (For example, under normal circumstances, users do not leave real identity information when trading through Bitcoin, but a malicious website can track the real identity of the user, or reveal the identity of the user browsing the web through an anonymous network such as the Tor onion network.)

Where will privacy and security go?

Although the application of uXDT technology has not yet "gone astray", it still raises many privacy concerns - the app can track activities simply by receiving ultrasound through the microphone without any mobile network or wireless network. The research report mentioned:

"The existence of SilverPush actually narrows the gap between surveillance and legal tracking. SilverPush and Lisnr use similar communication protocols and signal processing methods. Even if users instruct Lisnr to perform geolocation tracking, SilverPush will not disclose the name of the application that uses this tracking function."

After the Snowden incident was exposed in 2014, the leaked documents mentioned how the US intelligence agencies obtained the movements of foreign travelers between different cities: the airport would collect the MAC addresses of the devices used by these people, and the WiFi hotspots in cafes, restaurants and retail stores across the country would also identify the MAC addresses, and the intelligence agencies would then compare the two. Foreign media believe that ultrasonic technology will be even more effective in tracking user movements with devices.

How to protect yourself?

Since we cannot prevent ultrasonic signals from being transmitted around us, the best way to reduce the risk of smartphones being monitored is to strictly limit the "requests" initiated to the device through the APP.

In other words, we just need to use our common sense here. For example, if Skype asks to "use the microphone", it is obviously reasonable because this function will be used in Skype. But if a beauty or clothing app sends this request, what will the result be? As a user, you should strictly reject the request.

In order to cancel these unnecessary APP requests, some Android phone manufacturers, such as OnePlus, provide users with a feature called "Privacy Guide" (Privacy Guard), through which users can prohibit some requests that are not related to the basic functions of the APP. Android 7 and iOS 10 users can also achieve this operation through settings.

[This article is an original article from the 51CTO column "Kelish Information Security". Please contact the original author (WeChat ID: JW-assoc) for reprinting.]

Click here to read more articles by this author