Image: MIT

Many people know that apps shift data to and from the cloud in the background. But researchers have now found that about half of that chatter is of no apparent benefit to the user.

The question raised by new research from MIT is: why would apps establish covert communication channels that offer the user no benefits and yet expose them to privacy risks, suck up bandwidth and drain the battery?

"Our analysis shows that 63 percent of the external communication made by top popular free Android applications from Google Play has no effect on the user-observable application functionality," researchers at MIT wrote in a new paper analysing covert communications in mobile apps.

The researchers probed 500 popular free Android apps from Google Play for background chatter with remote servers and found that disabling many channels left the experience "completely intact". Since disabling them has no noticeable impact on the app, the researchers deem them to be covert.

The researchers found that 46 percent of connection statements encoded in these applications are covert.

Twitter, for example, covertly collects information about videos followed by users in tweets. Pandora and Spotify use Facebook's social-graph services and transmit data about app usage.

A curious component of Walmart's app is a barcode scanner that connects to an eBay server. That's perhaps not surprising since, as the researchers explain, the scanner's library was created by eBay-owned Red Laser.

"Yet, blocking that release of information does not harm the scanning capabilities," the researchers note.

"There might be a very good reason for this covert communication. We are not trying to say that it has to be eliminated. We're just saying the user needs to be informed," Julia Rubin, one of the contributors to the paper from MIT's Computer Science and Artificial Intelligence Laboratory (CSAIL), told MIT News.

Google services and various mobile advertising and analytics services were the main source of covert communications.

The top 10 covert communication callers included background services from Google, Gameloft, InMobi, Millennial Media, Mopub, Mobileleads, Tapjoy, Facebook and Flurry.

Essentially, most mobile apps fail to meet the report authors' ideal for transparency and trust since the "the system should continuously inform the user about what it is doing".

More on Google and Android