Getty Images

When you download an app, the permissions requests and privacy policy are usually the only warnings you'll get about the data it's taking. Usually, you just have to take the app's word that it's grabbing only the data you've agreed to give it.

Often, though, there's more grabbing going on than you were led to believe, security researchers have determined. More than 1,000 apps have been found to take data even after you've denied them permissions. For instance, menstrual tracking apps have shared sensitive info with Facebook, as well as with other companies you might not have expected. Similarly, apps designed to block robocalls have shared your phone data with analytics firms.

Anytime a device sends data, the traffic is captured and logged. Your location is used when you check the weather, but that same information can be sent to advertisers. Researchers have tools to see that log. Then they analyze it to figure out how much data gets sent and where it's going.

Typically, that sort of network traffic analysis was used to look outside, providing a window on what was happening on public Wi-Fi networks. In recent years, however, researchers have turned that scope onto their own phones to see what data the apps on their devices send out.

"If data is going from the phone, you can see it. It's that simple." Researcher Will Strafach

By taking a look under the hood, they've found that many apps are sending data that goes beyond what people agree to under privacy policies and permissions requests.

"In the end, you're left with a policy that's essentially meaningless because it doesn't describe what's accurately happening," said Serge Egelman, director of usable security and privacy research at the International Computer Science Institute. "The only way to answer that question is going in and seeing what the app is doing with that data."

Sometimes, the data is just headed to advertisers, who think they can use it to sell you products. Phone location data can be a gold mine for advertisers, who tap it to figure out where people are at certain times. But it may also be going to government agencies that leverage the technology to surveil people using data collected by apps that never disclosed what they were doing. Recently, The Wall Street Journal reported that government agencies were using such data to track immigrants.

These researchers are shining a light on a hidden world of data tracking, and raising concerns about how much information people are giving away without knowing it.

Location tracking

Will Strafach first started looking into network traffic in 2017, when he was working at Guardian, a mobile security company he co-founded.

The company made a software tool that businesses could use to analyze their customers' own apps, including network traffic. The amount of data coming from these different apps stunned Strafach.

Some apps gave away location data, sending as many as 200 records -- each one meticulously timestamped -- over a 12-hour span. Even when a phone's GPS services were turned off, Strafach found loopholes that allowed data tracking, like collecting location information when a phone connected to a Wi-Fi network.

Screenshot by Sarah Mitroff/CNET

The magnitude of the problem hit home when he discovered that AccuWeather, a popular weather app, was sending user location data even when location sharing was turned off. "When it was a real app where I used it, and I knew people who used it, that was an alarm," Strafach said. "That's when it became real to me. It went from, 'This is a problem' to 'This needs to stop, immediately.'"

AccuWeather didn't respond to a request for comment.

Strafach has found hidden location trackers like AccuWeather's to be one of the biggest privacy problems for mobile apps. People give permission to the apps for their intended purpose, like finding the cheapest gas nearby, but they don't realize that behind the scenes the information is being shared with data brokers.

Unlike malware, which Strafach also researches, these apps are allowed in Google's and Apple's markets, and in some cases they come preinstalled on devices. It's why researching these apps using the network traffic they generate has become a new focus for Strafach.

"Network traffic is simple," he said. "If data is going from the phone, you can see it. It's that simple."

Persistence

Bill Budington, a senior staff technologist at the Electronic Frontier Foundation, has been doing network analysis for more than a decade, building tools like Panopticlick to show how widely tracked your web browsing is.

In the last year, Budington has begun focusing on mobile apps. He quickly found an interconnected network of apps all sharing information about people.

Courtesy of Bill Budington

In January, he released a report about Amazon's video doorbell company, Ring, revealing that its Android app was packed with third-party trackers, sending personally identifiable information to advertisers and Facebook.

Often, it isn't a single app that's the concern. It's how they're all tied together, a data network hidden in the code that helps trackers build a comprehensive image of you and what you're doing.

Even if companies say the data is anonymized, little effort is needed to determine who a person is based on the location, time and activity, all of which can be collected.

"If one app is for watching ESPN, and it has a third-party tracker, and it also has one on the Nest app, then they have a pretty good view of you on your device," Budington said. "The more it happens, the more that third parties are able to figure out what you're doing on your device."

Budington's main concern with the trackers is a concept known as "device fingerprinting." That's when a tracker looks for a unique and persistent way to identify a user, even when the data is supposed to be anonymous.

This is an issue that tech giants have attempted to tackle. In 2018, Apple said it was going to start blocking device fingerprinting on its Safari browser.

Fingerprinting can work in many ways. Some trackers will gather data on your settings, fonts and apps to use as a fingerprint. It works because it's unlikely someone else would have the exact same configurations.

On mobile apps, it's even easier because Apple and Google provide advertising identification for their devices. You can often change this ID, but trackers can still get data. And because they already have your device's IP address or hardware number, it's fairly easy to match the device to the new advertising ID.

A team effort

At the University of California Berkeley's International Computer Science Institute, Egelman leads a team of about 10 researchers at a lab that uses multiple customized Android phones programmed to search Google's Play Store for new apps and figure out what data each app takes from devices.

He's been researching mobile privacy for the last eight years, and he started looking into network traffic analysis in the last five years.

Courtesy of Serge Egelman

His team modified a version of Android's open-source operating system so that it would log all the raw data being sent from a device and where it's being sent.

The custom version allows Egelman and his team to see everything an app does, not just its network traffic. In some cases, apps have tried to access location data but not send it out over the network. He's found instances of location data being collected but hidden before it was sent out over the network.

The tool searches for new apps and adds them to a database, which it checks every two weeks to see if any new trackers have been added to an app's code.

Like Budington, Egelman said the biggest concern he's found while researching mobile apps is persistent identifiers. In 2019, Egelman released research that described how about 17,000 Android apps were creating a permanent record of device activity by linking an advertising ID to unique identifiers that couldn't be changed, such as your device's hardware number.

More than a year later, he said, nothing has changed.

"It's utterly shocking, and nobody is taking it seriously," Egelman said. "Consumers are given a privacy policy and maybe some permission requests. The requests don't cover the persistent identifiers that are used. They have no way of knowing if and when it's occurring."

What you can do

There isn't much you can do to protect yourself from these trackers beyond not downloading problem apps to begin with. But unless you know which apps to watch out for, it's just a shot in the dark.

"That's the No. 1 thing," Budington said. "There's so much confusion in this space and not a clear answer for 'how do I protect myself.'"

There are ways to figure this out. But they aren't perfect.

Andrew Brookes/Getty Images

Egelman has taken his lab's research tool and turned it into a method that people can use to check for problem apps on their own devices.

He doesn't expect every single person to suddenly learn how to do network traffic analysis, nor does he want people to.

"If it takes a team of researchers writing their own tools and inspecting network traffic to figure out what apps are doing exactly, certainly it's not reasonable to expect the average consumer to do that," Egelman said. "Instead, we need watchdog groups and regulators. They should be doing this so that consumers don't need to."

He's offered his tools through a startup called AppCensus that lets you search apps and see what data is being sent, as well as where it's being sent. The team is also working on an app that would warn you whenever identifying data is being sent to trackers.

If you want to get more in-depth, you might have to learn some basics of network traffic analysis. For example, AppCensus' analysis of Noonlight, a safety app, found that it was sending data only to Crashlytics. A more in-depth look from a Gizmodo investigation found that Noonlight was sending data to advertisers.

Tools like CharlesProxy are available to download and intercept network traffic from your device. Learning how to use them, however, is more complex.

Guardian's Strafach said his company is working on an update to its firewall app that would notify people whenever an app is taking more data than it's supposed to be.

He doesn't see network traffic analysis as a mainstream practice. Still, some people with the technical capability to carry out the research might be interested.

"There's plenty of people that would like to be able to find this stuff, and find something easy out there to use," Strafach said. If that day ever comes, he expects people to be a lot more concerned about privacy.