Beware: Your Food Delivery App Might Be Spying on You

Category: Blog, Security | Tuesday, July 17th, 2018

Ever feel like someone is watching you? Maybe they are.

Researchers from Northeastern have concluded that certain popular apps on your phone may be secretly taking screenshots of your activity and sending them to third parties.

Scared yet? You should be…

The researchers found that these screenshots—and videos of your activity on the screen—could include usernames, passwords, credit card numbers, and other important personal information.

“We found that every app has the ability to record your screen and anything you type,” said David Choffnes, one of two computer science professors who supervised the study. “That includes your username and password, because it can record the characters you type before they turn into those little black dots.”

The research, conducted largely by two students—undergraduate Elleen Pan and doctoral candidate Jingjing Ren—was intended to investigate a persistent urban myth that phones are secretly recording our conversations and then selling that information to companies so they can pepper you with targeted advertisements.

While the researchers discovered no evidence of recorded conversations, they did find suspicious activity that could be even more dangerous.

“We knew we were looking for a needle in a haystack,” said Choffnes, “and we were surprised to find several needles.”

First, they discovered that some companies are sending screenshots and videos of user phone activities to third parties.

“This opening will almost certainly be used for malicious purposes,” said Christo Wilson, another computer science professor on the research team. “It’s simple to install and collect this information. And what’s most disturbing is that this occurs with no notification to or permission by users.

“In the case we caught, the information sent to a third party was zip codes, but it could just as easily have been credit card numbers,” he added.

The researchers reviewed more than 17,000 of the most popular apps on the Android operating system, using an automated test program designed by the students. Have an iPhone and think you are safe? Not so fast… Pan and Ren suggest any phone is vulnerable.

While conducting the research, Wilson said the team was quite surprised as the results came in.

“There were no audio leaks at all—not a single app activated the microphone,” he said. “Then we started seeing things we didn’t expect. Apps were automatically taking screenshots of themselves and sending them to third parties.”

In all, 9,000 of the 17,000 apps had the potential to take screenshots.

“In one case, the app took video of the screen activity and sent that information to a third party,” said Wilson.

That app was GoPuff, a fast-food delivery service, which sent the screenshots to Appsee, a data analytics firm for mobile devices. All this was done without the awareness of app users.

Both Wilson and Choffnes emphasized that neither company appeared to have any nefarious intent. They said that web developers commonly use this type of information to debug their apps and improve the user experience.

But that doesn’t mean a malicious company couldn’t use this privacy window to steal personal information for profit.

“That has the potential to be much worse than having the camera taking pictures of the ceiling or the microphone recording pointless conversations,” said Choffnes. “There is no easy way to close this privacy opening.”

Northeastern notes that GoPuff has changed its terms of service agreement to alert users that the company may take screenshots of their use patterns. Google issued a statement emphasizing that its policy requires developers to disclose to users how their information will be collected.

But Wilson said this shields the companies from lawsuits while doing little to protect the privacy of users, who rarely read these long, legalistic agreements.

Both said the privacy window will not be closed until the phone companies redesign their operating systems, which isn’t likely to happen anytime soon.

— Read more in Elleen Pan et al., “Panoptispy: Characterizing Audio and Video Exfiltration from Android Applications,” Proceedings on Privacy Enhancing Technologies 18, no. 4 (2018)
