Privacy And Smartphones: Applications, Our Best Enemies?


The smartphone, with all the personal data it contains, is a prime target for anyone looking for this type of information. With applications becoming more and more intrusive, how can we protect users’ data? The collection and use of data stored on our smartphones is a subject that regularly returns to the headlines, as with WhatsApp and the change to its terms of use.

These everyday objects, essential to most of our fellow citizens, contain a large part of their users’ personal and confidential data: photos/videos, SMS, travel history, emails, games, etc. All of this is particularly interesting to advertisers because it reveals consumption habits.

The final goal? Serve the proper advertising at the right time, in the right place, to encourage the act of purchasing. A good way for a developer to monetize their application’s audience is to set up advertising banners in their application. For this, companies offer ready-to-use toolboxes called SDKs (Software Development Kits). Concretely, SDKs are programming aids that help developers design a mobile application, and they come in the form of code fragments.

These advertising SDKs make it easier to display ads, track user clicks within an app, and also collect phone data. Although the majority of applications are equipped with SDKs, which do not pose a problem, you must nevertheless be vigilant with regard to the data processing carried out by this software.

When SDKs Become Malicious

Some of the features are legitimate for a developer because they make it easier to improve their application or its monetization part. However, the issue of aggregated data is often overlooked. More and more applications use SDKs to retrieve – without clearly asking for the user’s consent – the location, the list of applications used, or even data, which is then used for advertising targeting.

If these data are of little interest when taken one by one, they become all the more interesting when they are correlated. In some cases, these SDKs can also turn out to be malicious: recently, Snyk, an American cybersecurity company, revealed the harmfulness of an advertising SDK used by more than 1,200 applications [1]. In this case, the company publishing the SDK, under the guise of a legitimate activity, practiced advertising fraud by favoring advertisements from their network rather than another. 

In addition to these fraudulent activities, the company, via the SDK, tracked application users by collecting specific browsing data. While this example illustrates an extreme case, it clearly demonstrates the collection capacity of these SDKs. In response to these increasingly common abusive practices, Apple recently decided to tackle user tracking through in-app advertisements.

The new iOS 14 system limits tracking of users’ movements and actions when they open an application. This update is obviously not to the taste of advertising agencies, which tracked users across other devices (smartphones, tablets, computers) and thus collected thousands of pieces of personal data.

The Interest Of Attackers In Advertising Management

SDKs are an attractive target for potential attackers. Indeed, a code error can lead to a vulnerability that a malicious person could exploit if it is discovered. An SDK is present in several applications. For an attacker who seeks to install his malware on as many smartphones as possible, looking for a flaw in an SDK rather than in a single application allows a much larger number of users to be affected. 

In the same way, an advertising network is an exciting target because, in the event of hacking, it allows the interception of confidential information and data as well as the possibility of reaching millions of targets at once. In the case of a state attacker, he will be able to choose his targets according to their interests or remotely spy on journalists, for example.

For other attackers, the objective will be to collect as much personal data as possible. Indeed, the mass of data will facilitate the correlation of information and the possibility of subsequently using it for social engineering attacks, for example, or of reselling it on the black market. In summary, the SDK or control system makes it easier for a malicious individual to amplify their attack to reach more people.

How To Protect Your Data On Your Phone

As the famous adage goes, “If it’s free, you’re the product.” And even if many believe they have “nothing to hide,” the personal data collected deserves everyone’s particular attention. For a long time, education on the protection of personal data was ignored, not through negligence but because the extent of Facebook’s or Google’s impact on the privacy of Internet users was not clearly understood. How many times have we created an account on a site or application and accepted all the terms of use without regard to the data collected?

Today, education must continue. To limit the collection of personal data on the phone, some best practices should be adopted. Each time an application requests access to personal data, the user must ask themselves whether that access will really be helpful or whether it is a way of recovering as much personal information as possible. For example, does a gaming app really need access to the contacts directory? Other measures can be effective: sort through installed applications, delete those that are not used, regularly clear browsing history, and deactivate geolocation by default.
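The question above can be turned into a repeatable check on the permissions an app declares. This is an added example, not part of the original article: it assumes an Android app whose AndroidManifest.xml is available, and the category policy and sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Permissions that expose the kinds of data the article lists.
SENSITIVE = {
    P + "READ_CONTACTS": "contacts directory",
    P + "READ_SMS": "SMS",
    P + "ACCESS_FINE_LOCATION": "precise location",
    P + "ACCESS_COARSE_LOCATION": "approximate location",
    P + "QUERY_ALL_PACKAGES": "list of installed applications",
}

# Assumed policy: sensitive permissions each app category plausibly needs.
EXPECTED = {
    "game": set(),
    "navigation": {P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"},
    "messaging": {P + "READ_CONTACTS", P + "READ_SMS"},
}

def declared_permissions(manifest_xml):
    """Return every permission name requested in the manifest."""
    root = ET.fromstring(manifest_xml.strip())
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                found.add(name)
    return found

def unexpected_sensitive(manifest_xml, category):
    """Map each sensitive permission the category does not justify to the
    data it exposes. An unknown category is allowed nothing (fail closed)."""
    allowed = EXPECTED.get(category, set())
    return {p: SENSITIVE[p] for p in sorted(declared_permissions(manifest_xml))
            if p in SENSITIVE and p not in allowed}

# Constructed sample: a puzzle game whose manifest (possibly through a
# bundled SDK) requests far more than a game needs.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application android:label="Puzzle"/>
</manifest>
"""

if __name__ == "__main__":
    for perm, data in unexpected_sensitive(SAMPLE_MANIFEST, "game").items():
        print(f"review: {perm} exposes {data}")
```
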

The more users adopt these reflexes, the more everyone will become aware of the extent of the collection of personal data. But the user is only the end of the chain. It is up to the entire ecosystem to be particularly vigilant. First of all, application developers are encouraged to carry out in-depth audits and verify that the SDKs used do not contain any security flaws. Then, obviously, the developers of the operating system are responsible for implementing security measures.

Smartphones contain a considerable amount of personal and confidential data. Regardless of the user’s identity, activity, photos, or files, it is always possible to find a way to misuse them by reselling them or impersonating the person concerned. It is only through general awareness that it will be possible to respond to the challenges of protecting personal data.
