Protect Your Assets

Should mobile device info be considered private? Some apps are pulling this data.

rayk ‎01-21-2014 08:16 AM - edited ‎07-22-2015 01:14 PM

It seems that people are more concerned than ever about what information goes where and when (and rightly so!).  And it certainly is not news that privacy is a hot topic right now, especially when it comes to mobile applications. 

 

Most users of mobile applications understand that apps gather certain types of information and use it for data mining or targeted advertising. This includes messages, images, calendar info and even your personal profile information. But should (and why does) a mobile application need to know my battery-charge level or SD card free space on my device? I was doing some research on the Android emulator with several apps installed and monitoring web traffic when I noticed a gigantic blob of data go to a popular mobile application's website. I thought “what in the world was that?” and began to investigate.

 

Request snippet to website from mobile application:

https://REDACTED.com:

....... "extra":{"features":{"persistent_mqtt":false,"multiprocess_experiment":false,"location":true,"background_location":false,"dash":false},"features_extra_data":{"persistent_mqtt":null,"multiprocess_experiment":{"REDACTEDandroid_shared_preferences_providers_process":false},"location":{"providers":{"all":["passive","gps"],"possible":["passive","gps"],"enabled":["passive","gps"],"disabled":[],"user_enabled":["gps"],"user_disabled":[]},"wifi_info":{"enabled":false,"sleep_policy":"unknown"}},"background_location":null,"dash":{"homeapp_install":"NOT_INSTALLED","show_on_wake":true,"homescreen_mode":"HOME_DISABLED","status_bar_shown":false,"last_shown_ts_s":0.0,"running_processes":", :providers, :dash, :nodex, ","running_processes_num":4,"running_services":"push.mqtt.MqttPushService, REDACTEDservice.service.DefaultBlueService, .service.BackgroundDetectionService, ","running_services_num":3,"dash_ever_enabled":false}},"process":"com.REDACTED."}},
{"time":"1387557641.892","log_type":"client_event","name":"device_status","module":"device","extra":{"battery":"0.50","charge_state":"charging_ac","battery_health":"good","wifi_enabled":"false","wifi_connected":"false","screen_brightness_raw_value":"102","connection":"mobile","connection_subtype":"UMTS","free_mem":"26","total_mem":"48","analytic_counters":{"mqtt_bytes_sent":1200,"filecache_writing_internal_count":17,"download_contacts_full_next":7,"graph_sent":50025,"filecache_writing_internal_time":80,"mqtt_bytes_received":1769,"filecache_writing_internal_size":204592,"download_contacts_full":1,"api_sent":5659,"download_contacts_full_first":1,"graph_text_received":177284,"api_application_received":11394,"download_contacts":1,"cdn_sent":2317,"cdn_image_received":208589},"process":"com.REDACTED."}},
{"time":"1387557641.892","log_type":"client_event","name":"device_info","module":"device","extra":{"carrier":"Android","carrier_country_iso":"us","network_type":"UMTS","phone_type":"GSM","sim_country_iso":"us","sim_operator":"Android","locale":"en_US","app_locale":"en_US","image_external_cache_enabled":"false","keyguard_type":"DETECTION_FAILED","device_type":"sdk","brand":"generic","manufacturer":"unknown","os_type":"Android","os_ver":"4.1.2","cpu_abi":"armeabi-v7a","cpu_abi2":"armeabi","unreliable_core_count":"1","reliable_core_count":"1","first_install_time":"2013-12-20T11:05:50.000-05:00","last_upgrade_time":"2013-12-20T11:05:50.000-05:00","install_location":"internal_storage","density":"1.50","screen_width":"480","screen_height":"800","front_camera":"false","rear_camera":"true","allows_non_market_installs":"1","android_id":"1Lbldk782ff982f499d","preferences":{},"opengl_version":"0","google_play_services_installation":"SERVICE_MISSING","google_play_services_version":"-1","device_free_space":"133013504","device_total_space":"203423744","sd_free_space":"534689792","sd_total_space":"534761472","cache_size":"204592","external_cache_size":"0 .....................

 

 

I found that the request contains ALL sorts of information about the device. Here are a couple of items that really grabbed my attention:

 

  • Battery charge
  • WIFI info
  • Running services
  • Screen brightness
  • Free disk space on the device and SD card
  • Camera information
  • Device screen lock settings

 

So while the information that was sent to the website does not contain what we typically consider PII (personally identifiable information), the question becomes, do you consider this type of device information private? We want to hear your opinion!
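
For anyone repeating this kind of traffic review on an app under test, the following added example (not part of the original post) walks a captured analytics batch and groups its fields under the categories listed above. The keyword map, the function names and the sample events are assumptions constructed for illustration, reusing field names from the snippet.

```python
import json

# Path fragments mapped to the categories the post calls out.
# This mapping is an assumption made for the example; extend it per app.
CATEGORIES = {
    "battery": ("battery", "charge_state"),
    "wifi": ("wifi",),
    "running services": ("running_services", "running_processes"),
    "screen brightness": ("screen_brightness",),
    "storage": ("free_space", "total_space", "cache_size"),
    "camera": ("camera",),
    "screen lock": ("keyguard",),
    "device identifier": ("android_id",),
}

def walk(node, path=""):
    """Yield (dotted_path, value) for every scalar leaf in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from walk(item, f"{path}[{i}]")
    else:
        yield path, node

def audit(events):
    """Return {category: [(event_name, path, value), ...]} for flagged fields."""
    findings = {}
    for event in events:
        for path, value in walk(event.get("extra", {})):
            for category, fragments in CATEGORIES.items():
                if any(fragment in path for fragment in fragments):
                    findings.setdefault(category, []).append((event.get("name"), path, value))
    return findings

# Constructed sample: two events shaped like the snippet above, values shortened.
SAMPLE = json.loads("""[
 {"name":"device_status","module":"device","extra":{"battery":"0.50",
  "charge_state":"charging_ac","wifi_enabled":"false",
  "screen_brightness_raw_value":"102","free_mem":"26",
  "location":{"wifi_info":{"enabled":false}}}},
 {"name":"device_info","module":"device","extra":{"keyguard_type":"DETECTION_FAILED",
  "front_camera":"false","rear_camera":"true","sd_free_space":"534689792",
  "android_id":"EXAMPLE-ID","locale":"en_US"}}
]""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=1))
```

Matching on the full path rather than the leaf key is what catches nested fields such as `wifi_info.enabled`, whose own key name says nothing about Wi-Fi.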

 

About the author:

Ray Kelly is the Mobile Security Team Lead for Fortify On Demand at HP

On Twitter: https://twitter.com/vbisbest
