This is how Android apps reveal our secrets without us being aware of it

Digital tracking was one of the short-lived successes of the Covid pandemic. In Spain, an app called Radar Covid meant to help users know if they’d been near an infected person crashed and burned quickly. The idea never quite worked, but what really killed it was the fact that, despite all the early promises of preserving users’ security and privacy, a Google error allowed data to escape from Android mobile devices through an unsuspected place: the app’s logs.

Now, new research has discovered that the private information of Android users continues to escape through this loophole, giving companies more access to it than they should have.

“This research uncovers a very important hole, which is not well regulated or studied,” says Carmela Troncoso, a researcher at the École polytechnique fédérale de Lausanne (EPFL) a public research university in Switzerland, where she heads the SPRING Lab, a department that works to understand and mitigate the impact of technology on society. Troncoso, who led a European group in charge of creating Covid tracking apps in 2020, warns about the shortcomings of the technology. “It’s a general problem, in tracking apps and everything. The bottom line is that you can’t do something private by design on a platform like Android, which is flawed by definition.”

Logs are like a long and exhaustive diary that collects everything that happens in an app. Its original and accepted use is to detect bugs (errors in the code) before releasing apps to the public. But in reality, that is not the only thing that happens. Google asks app developers to remove logs after apps are published, because they may contain sensitive information. But recent research shows that they are still there, and records of everything can be found in them.

“We found that logs do not contain purely technical information, but also, either through carelessness or intentionally, they can contain personal data or information that reveals the user’s activity,” says Juan Tapiador, a professor at Carlos III University in Madrid and a co-author of the study. “An example is the case of Microsoft Teams or Discord, or the pharmaceutical apps CVS and Drug Mart, which have activities that provide a lot of information. In the case of Teams, it is possible to know, for example, the exact moment the user made a call. In the case of CVS and Drug Mart, among other data, the product categories used to filter search results are stored.” So for instance, it records the type of pharmaceutical product that someone is looking for, from contraceptives to cholesterol pills.

Permission to access that large amount of personal private information on Android is limited to Google, the manufacturers of the devices, and the pre-installed apps those manufacturers have chosen to put there. Among these, there are companies that are engaged in advertising. The loot they have access to in the guts of Android mobile devices is difficult to calculate. All the apps run there, and there may be anything from our location to our interests or our love relationships.

Android is based on an open source project maintained by Google. But it is not a closed ecosystem like that of the Apple iPhone. “Any phone manufacturer can make changes to the operating system and apps from other organizations with which it has commercial agreements, including apps from companies that are part of the industry that commercializes personal data and advertising,” says Narseo Vallina-Rodríguez, a researcher at Imdea Networks and co-founder of AppCensus, which analyzes app privacy. “The big problem is that those pre-installed apps are part of the operating system and can privilege access to sensitive data and resources that a normal app can’t access. This is the case of the system logs from Android version 4.1.″

A jungle of hardware and software

It’s a complex balance in a chaotic landscape. Android devices live in a jungle-like environment, where dozens of companies are trying to extract data and profit from it without it being obvious. “Security and privacy risks arising from the supply chain are complex to resolve. Many parties are involved in the manufacture of a product and all the software that it includes, sometimes with complex relationships among them, where the risks of one entity can be easily inherited by others,” says Juan Tapiador.

To queries from EL PAÍS, a Google spokeswoman responded that they try to do everything at the same time: protect the user and also give app developers more possibilities. “User security and privacy is a top priority for Android. We really appreciate the research from the community that helps keep Android safe. We make constant improvements to Android features to ensure user data is secure and private, while enabling developers to create the best apps possible,” the spokesperson said.

Google said that all applications with access to a device’s records are apps that have been authorized by the device manufacturers, thereby shifting part of the responsibility for potential intrusions to other actors.

“I was genuinely surprised by the degree of sensitive data being logged by hardware device manufacturers,” says Serge Egelman, a researcher at the University of California at Berkeley and a co-founder of AppCensus. “If these devices are being certified by Google as official Android devices, there really needs to be some oversight that they’re following Google policies and basic best practices.”

But nobody monitors or ensures that this information is not accessible to actors who could potentially misuse it. Bart Preneel, a professor at the Catholic University of Leuven and technical director of the Belgian digital tracking app Coronalert, describes the problem in three points: “One, it makes it easier for developers to record a lot of information, and most of it contain sensitive data, particularly if logs from multiple applications are combined. Two, this information is useful for Google and for manufacturers. But many other applications authorized by them also have access, so the risk of abuse is very high: it allows the creation of user profiles by a large number of parties. And three, Google warns developers not to log too much, but developers do this anyway, and it’s not policed,” Preneel says.

An insufficient remedy from Google

In this case, the information that shows up in the logs should not actually be there. Android’s advice for years has been to avoid including private activity in those logs. But it is not controlled or monitored, and for app developers and manufacturers the problem is not directly theirs. It is a clear example that the worst consequence is borne by the user, who knows nothing of what is happening. It is software that is already there when it reaches your hands, inside your mobile device.

After learning about the investigation, Google introduced a warning for users in version 13 of Android: “The mechanisms that Google has introduced in Android 13 to improve transparency and inform users about access to logs for pre-installed apps are a good step,” says Vallina-Rodríguez. “They will allow users to control when and who can access this information. However, improving the permit system only mitigates this specific problem, and cannot address the general problems associated with the lack of control over the supply chain of digital products,” he adds. It’s an insufficient remedy, says Preenel: “It’s just a patch, most users don’t have the time or desire to control these types of settings.”

Google obviously doesn’t bear full responsibility. App developers should be more careful about what information they allow to appear in logs and remember that they are not the only ones who have access to that information: “The creators of apps could log less data,” says Joel Reardon, a researcher at the University of Calgary and co-founder of AppCensus. “Many apps use services like Crashlytics to collect error logs, which allows them to debug with the app already deployed. In the past, users of such software were called beta testers and participation was voluntary. If app creators don’t intend to look at the logs, there’s far less reason to log as much data as we’ve found.”

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition