A Northeastern University research team has found “exten­sive” leakage of users’ information — device and user iden­ti­fiers, loca­tions, and passwords — into net­work traffic from apps on mobile devices, including iOS, Android, and Win­dows phones. The researchers have also devised a way to stop the flow.

David Choffnes, an assis­tant pro­fessor in the Col­lege of Com­puter and Infor­ma­tion Sci­ence, and his col­leagues devel­oped a simple, effi­cient cloud-based system called ReCon. It detects leaks of “per­son­ally iden­ti­fi­able infor­ma­tion,” alerts users to those breaches, and enables users to con­trol the leaks by spec­i­fying what infor­ma­tion they want blocked and from whom.

The team’s study fol­lowed 31 mobile device users with iOS devices and Android devices who used ReCon for a period of one week to 101 days and then mon­i­tored their per­sonal leak­ages through a ReCon secure webpage.

The results were alarming. “Depress­ingly, even in our small user study we found 165 cases of cre­den­tials being leaked in plain­text,” the researchers wrote.

Of the top 100 apps in each oper­ating system’s app store that par­tic­i­pants were using, more than 50 per­cent leaked device iden­ti­fiers, more than 14 per­cent leaked actual names or other user iden­ti­fiers, 14–26 per­cent leaked loca­tions, and three leaked pass­words in plain­text. In addi­tion to those top apps, the study found sim­ilar pass­word leaks from 10 addi­tional apps that par­tic­i­pants had installed and used.

The password-leaking apps included Map­MyRun, the lan­guage app Duolingo, and the Indian dig­ital music app Gaana. All three devel­opers have since fixed the leaks. Sev­eral other apps con­tinue to send plain­text pass­words into traffic, including a pop­ular dating app.

“What’s really trou­bling is that we even see sig­nif­i­cant num­bers of apps sending your pass­word, in plain­text read­able form, when you log in,” says Choffnes. In a public-WiFi set­ting, that means anyone run­ning “some pretty simple soft­ware” could nab it.

Apps that track

Apps, like many other dig­ital prod­ucts, con­tain soft­ware that tracks our com­ings, goings, and details of who we are. If you look in the pri­vacy set­ting on your iPhone, you’ll see this state­ment:

“As appli­ca­tions request access to your data, they will be added in the cat­e­gories above.”

Those cat­e­gories include “Loca­tion Ser­vices,” “Con­tacts,” “Cal­en­dars,” “Reminders,” “Photos,” “Blue­tooth Sharing,” and “Camera.”

Although many users don’t realize it, they have con­trol over that access. “When you install an app on a mobile device, it will ask you for cer­tain per­mis­sions that you have to approve or deny before you start using the app,” explains Choffnes. “Because I’m a bit of a pri­vacy nut, I’m even selec­tive about which apps I let know my loca­tion.” For a nav­i­ga­tion app, he says, fine. For others, it’s not so clear.

One reason that apps track you, of course, so is so devel­opers can recover their costs. Many apps are free, tied in with tracking soft­ware, sup­plied by adver­tising and ana­lytics net­works, that gen­er­ates rev­enue when users click on the tar­geted ads that pop up on their phones.

ReCon

Using ReCon is easy, Choffnes says. Par­tic­i­pants install a vir­tual pri­vate net­work, or VPN, on their devices — an easy six- or seven-step process. The VPN then securely trans­mits users’ data to the system’s server, which runs the ReCon soft­ware, iden­ti­fying when and what infor­ma­tion is being leaked.

To learn the status of their infor­ma­tion, par­tic­i­pants simply log onto the ReCon secure web­page. There they can find things like a Google map pin­pointing which of their apps are zap­ping their loca­tion to other des­ti­na­tions and which apps are releasing their pass­words into unen­crypted net­work traffic. They can also tell the system what they want to do about it.

“One of the advan­tages to our approach is you don’t have to tell us your infor­ma­tion, for example, your pass­word, email, or gender,” says Choffnes. “Our system is designed to use cues in the net­work traffic to figure out what kind of infor­ma­tion is being leaked. The soft­ware then auto­mat­i­cally extracts what it sus­pects is your per­sonal infor­ma­tion. We show those find­ings to users, and they tell us if we are right or wrong. That per­mits us to con­tin­u­ally adapt our system, improving its accuracy.”

The team’s eval­u­a­tive study showed that ReCon iden­ti­fies leaks with 98 per­cent accuracy.

“There are other tools that will show you how you’re being tracked but they won’t nec­es­sarily let you do any­thing,” says Choffnes. “And they are mostly focused on tracking behavior and not the actual per­sonal infor­ma­tion that’s being sent out. ReCon covers a wide range of infor­ma­tion being sent out over the net­work about you, and auto­mat­i­cally detects when your infor­ma­tion is leaked without having to know in advance what that infor­ma­tion is. You can [also] set poli­cies to change how your infor­ma­tion is being released.”

A demo of ReCon is available here.

Choffnes presented his find­ings in an open-access paper Monday Nov. 16 at the Data Trans­parency Lab 2015 Con­fer­ence, held at the MIT Media Lab.

Abstract of ReCon: Revealing and Controlling Privacy Leaks in Mobile Network Traffic

It is well known that apps running on mobile devices extensively track and leak users’ personally identifiable information (PII); however, these users have little visibility into PII leaked through the network traffic generated by their devices, and have poor control over how, when and where that traffic is sent and handled by third parties. In this paper, we present the design, implementation, and evaluation of ReCon: a cross-platform system that reveals PII leaks and gives users control over them without requiring any special privileges or custom OSes. ReCon leverages machine learning to reveal potential PII leaks by inspecting network traffic, and provides a visualization tool to empower users with the ability to control these leaks via blocking or substitution of PII. We evaluate ReCon’s effectiveness with measurements from controlled experiments using leaks from the 100 most popular iOS, Android, and Windows Phone apps, and via an IRB-approved user study with 31 participants. We show that ReCon is accurate, efficient, and identifies a wider range of PII than previous approaches.