Should mobile device info be considered private? Some apps are pulling this data.

It seems that people are more concerned than ever about what information goes where and when (and rightly so!). And it certainly is not news that privacy is a hot topic right now, especially when it comes to mobile applications.

 

Most users of mobile applications understand that apps gather certain types of information and use it for data mining or targeted advertising.  This includes messages, images, calendar info and even your personal profile information. But should (and why does) a mobile application need to know my battery-charge level or SD card free space on my device?  I was doing some research on the Android emulator with several apps installed and monitoring web traffic when I noticed a gigantic blob of data go to a popular mobile applications website.   I thought “what in the world was that?” and began to investigate.  

 

Request snippet to website from mobile application:

https://REDACTED.com:

....... "extra":{"features":{"persistent_mqtt":false,"multiprocess_experiment":false,"location":true,"background_location":false,"dash":false},
"features_extra_data":{"persistent_mqtt":null,"multiprocess_experiment":{"REDACTEDandroid_shared_preferences_providers_process":false},"location":{"providers":{"all":["passive","gps"],"possible":["passive","gps"],"enabled":["passive","gps"],"disabled":[],"user_enabled":["gps"],"user_disabled":[]},"wifi_info":{"enabled":false,"sleep_policy":"unknown"}},"background_location":null,
"dash":{"homeapp_install":"NOT_INSTALLED","show_on_wake":true,"homescreen_mode":"HOME_DISABLED","status_bar_shown":false,"last_shown_ts_s":0.0,"running_processes":", :providers, :dash, :nodex, ","running_processes_num":4,"running_services":"push.mqtt.MqttPushService, REDACTEDservice.service.DefaultBlueService, .service.BackgroundDetectionService, ","running_services_num":3,"dash_ever_enabled":false}},"process":"com.REDACTED."}},
{"time":"1387557641.892","log_type":"client_event","name":"device_status","module":"device","extra":{"battery":"0.50","charge_state":"charging_ac","battery_health":"good","wifi_enabled":"false","wifi_connected":"false","screen_brightness_raw_value":"102","connection":"mobile","connection_subtype":"UMTS","free_mem":"26","total_mem":"48",
"analytic_counters":{"mqtt_bytes_sent":1200,"filecache_writing_internal_count":17,"download_contacts_full_next":7,"graph_sent":50025,"filecache_writing_internal_time":80,"mqtt_bytes_received":1769,"filecache_writing_internal_size":204592,"download_contacts_full":1,"api_sent":5659,"download_contacts_full_first":1,"graph_text_received":177284,"api_application_received":11394,"download_contacts":1,"cdn_sent":2317,"cdn_image_received":208589},"process":"com.REDACTED."}},
{"time":"1387557641.892","log_type":"client_event","name":"device_info","module":"device","extra":{"carrier":"Android","carrier_country_iso":"us","network_type":"UMTS","phone_type":"GSM","sim_country_iso":"us","sim_operator":"Android","locale":"en_US","app_locale":"en_US","image_external_cache_enabled":"false","keyguard_type":"DETECTION_FAILED","device_type":"sdk","brand":"generic","manufacturer":"unknown","os_type":"Android","os_ver":"4.1.2","cpu_abi":"armeabi-v7a","cpu_abi2":"armeabi","unreliable_core_count":"1","reliable_core_count":"1",
"first_install_time":"2013-12-20T11:05:50.000-05:00","last_upgrade_time":"2013-12-20T11:05:50.000-05:00","install_location":"internal_storage","density":"1.50","screen_width":"480","screen_height":"800","front_camera":"false","rear_camera":"true","allows_non_market_installs":"1","android_id":"1Lbldk782ff982f499d","preferences":{},"opengl_version":"0","google_play_services_installation":"SERVICE_MISSING","google_play_services_version":"-1",
"device_free_space":"133013504","device_total_space":"203423744","sd_free_space":"534689792","sd_total_space":"534761472","cache_size":"204592","external_cache_size":"0 .....................

 

 

I found that the request contains ALL sorts of information about the device. Here are a couple of items that really grabbed my attention:

 

  • Battery charge
  • WIFI info
  • Running services
  • Screen brightness
  • Free disk space on the device and SD card
  • Camera information
  • Device screen lock settings
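
For anyone reviewing an app's traffic the same way, the check above can be scripted. The following is an added example, not part of the original post or the app's code: it walks a captured analytics body and groups the fields that fall into the categories listed above. It assumes the body is a JSON array of events shaped like the snippet; the sample payload is constructed from field names visible in the snippet, and the category-to-keyword mapping is an assumption.

```python
import json

# Categories from the list above. The keyword substrings come from field names
# visible in the captured request; the mapping itself is an assumption.
CATEGORIES = {
    "battery": ("battery", "charge_state"),
    "wifi": ("wifi",),
    "running_services": ("running_services", "running_processes"),
    "screen_brightness": ("screen_brightness",),
    "storage": ("free_space", "total_space"),
    "camera": ("camera",),
    "screen_lock": ("keyguard",),
}

# Constructed sample: two events shaped like the ones in the snippet.
SAMPLE = json.dumps([
    {"name": "device_status", "module": "device", "extra": {
        "battery": "0.50", "charge_state": "charging_ac",
        "wifi_enabled": "false", "screen_brightness_raw_value": "102",
        "connection": "mobile"}},
    {"name": "device_info", "module": "device", "extra": {
        "keyguard_type": "DETECTION_FAILED", "front_camera": "false",
        "rear_camera": "true", "sd_free_space": "534689792",
        "locale": "en_US"}},
])

def leaf_fields(node, path=""):
    """Yield (dotted_path, value) for every leaf in nested JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaf_fields(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from leaf_fields(value, f"{path}[{i}]")
    else:
        yield path, node

def audit(body):
    """Map each category to the telemetry fields in `body` that match it."""
    findings = {}
    for event in json.loads(body):
        name = event.get("name", "?")
        for path, _ in leaf_fields(event.get("extra", {})):
            for category, needles in CATEGORIES.items():
                if any(n in path for n in needles):
                    findings.setdefault(category, []).append(f"{name}:{path}")
    return findings

if __name__ == "__main__":
    for category, fields in audit(SAMPLE).items():
        print(f"{category}: {', '.join(fields)}")
```

Matching is done on the full dotted path, so nested fields such as `location.wifi_info.enabled` in the real capture would also land in the WIFI category.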

 

So while the information that was sent to the website does not contain what we typically consider PII (personally identifiable information), the question becomes: do you consider this type of device information private? We want to hear your opinion!

 

About the author:

Ray Kelly is the Mobile Security Team Lead for Fortify On Demand at HP

On Twitter: https://twitter.com/vbisbest
