Are you aware of what information your phone is giving away?



COURTESY: CRAIG SPIEGELBERG - A screengrab of SpyAware in action, showing where data sent to the Drudge Report is going. The conservative news site was an early adopter of web cookies and app permissions, but now overreaching by apps is the norm.

Apps are fun, but they can be sneaky.

A Portland company aims to lift the lid on some of the unwelcome intrusions by apps on the smart phones which most people carry around like voluntary tracking devices.

SpyAware is an Android app that shows what the other apps are doing on your phone, where they are sending data and what permissions they are asking for.

It’s a classic distributed startup, with a staff of five working from home, coffee shops and garages across the Northwest.

Founder Craig Spiegelberg works out of his home in Camas, Wash., while two others, Josh Rich and Ryan Mitchell, are in northeast and southwest Portland. Spiegelberg is founder of Location Sentry (location-sentry.com) and Privacy Sentry (privacysentrycorp.com).

What Spiegelberg wanted to build was software that would sit on a cell phone and alert users to when their data is being pirated. The app shows how much data is being uploaded by the phone, and which country the destination servers are in.

It also provides a data summary world map, live notifications of specific threats, and a connection type classifier (i.e., CDN, cloud, social network, etc.).

Getting to heart of smartphone

Phones are almost living, bleating things these days. With (usually) two cameras and two microphones (plus one on the earbuds), GPS, Bluetooth, accelerometers, proximity sensors, Near Field Communication chips, thermometers and even some biometric readers such as pulse sensors, they are constantly taking measurements.

“The app takes a good look at all your sensors and radios and sees if there is something odd going on, is your data being sent to a place it shouldn’t be,” he says. Bogey places include China and Eastern Europe, according to Spiegelberg.

The app also passes on alerts from other parties. For example, Samsung had a SwiftKey exploit that allowed criminals to access phones and put malware on the device. SpyAware users with that phone or that version of the operating system got notifications.

“The problem we’re attacking is that all two billion phones in the world leak data.”

The firm is adding a public database to which reports of leaks can be stored so people can look up their phone and network and see if they are vulnerable.

“We wouldn’t take your location but we would say ‘Spotify is taking your location, Facebook is recording your calls,’ that kind of thing.”

There is no evidence that Facebook records your calls, although it does save a lot, including things you type and erase and never post.

“The whole app ecosystem is designed to get you to discount the value of your privacy. When you get down to it, the goal is to better target ads for you. Google is an ad agency, to simplify its business model.”

He sees the legitimate sale of data to advertisers as a gateway problem.

Spiegelberg has a problem with how many permissions apps ask for, and with the way people eagerly click “accept” without reading them.

“The worst was Super Bright Flashlight app. A flashlight app has no business mining your data (other than to control the flashlight). A flashlight asking for location, recording audio and taking your contact list has nothing to do with turning the flashlight on. If you wouldn’t tell a stranger, why would you give it to an app with a sketchy feel?”

“I think it was Apple’s Tim Cook who said it, ‘If the app’s free, you’re not the customer, you’re the product.’ There are 1.6 million apps on Google Play right now and a very high percentage don’t adhere to basic security standards.”

This area of law is not well defined.

“Once you hit accept, that info is legally Google’s, Facebook’s or Spotify’s, and you have signed a binding agreement. There are very few rules, but the FTC has started to get more interested, it’s started to exert some more authority.”

“With Windows 10, Microsoft bought into the concept of ‘We give it away free but preset it to share all your data,’” he says. “It’s the rubric of ask for everything then no one can complain.”

“How many times does Facebook ask for the ability to take audio? Maybe never. But my phone said in 24 hours Facebook uploaded 6 MB worth of info. If they have a billion users that’s a whole lot of data. It’s sort of like paying to get your pocket picked.”

He estimates that half of all apps are designed without any kind of oversight or interest in security.

“Typically you’re told to go develop this app, do it fast and cheap! So the developer goes to third-party libraries. They don’t start from scratch. They get a mapping library, a monetization library, and a lot of those drag with them these permissions. It’s cheap and they don’t even look at them.”
