With recent revelations about the kind of data that was taken from Facebook for the election campaign of US President Donald Trump, people are becoming a little more sensitive about the kind of private data that's being put out on the Internet. And of course, we've long talked about just how well Google knows us. All your photos, where you've been, which sites you visit, and much more is known to these companies. But beyond the selfies and the status updates, there's a wealth of data that's being tracked by almost every app on your phone.
"There are two categories [of data collection] - one is the sort of covert data collection, and the other is overt, where you are giving them the data," says Abhay Edlabadkar, founder and CEO of Redmorph, a company that has released an app for both Android and iOS which blocks trackers on your phone. "Like on Facebook, you're the one that is actually giving them the data. The thing is that is something that at this point we can't do much about because once you take that selfie and post it, there's nothing anyone else can do about it."
However, through the use of third-party platforms for analytics and other functions, most apps on your phone are also scooping up as much of your data as possible, and they're doing this without ever clearly explaining this to the user, he contends.
"When you're looking at analytics - this is giving the app developers a lot of information," Edlabadkar explains. "But what's required is to raise the awareness from the end user perspective. But the second piece of it is - how do I turn it off. These are the two missing components over here. I should be able to say, this operation I'm doing is completely private."
"That is the thing where it starts to get really important, but it also becomes very cumbersome from an end user perspective, because you have to know what permissions you're giving to every app on your phone, and how do you regulate that. So we're trying to work out how to regulate that for the end user," he adds. "One of the features that is coming soon [to the Redmorph app] is [showing users] which app is using your mic, camera, and storage in real time, and then you can regulate this."
App developers create apps that take a plethora of permissions from end users, sometimes taking a powerful permission such as reading all your text messages just to more easily read an OTP once to log you in, rather than having you type in the four digits. Both iOS and recent versions of Android present this information to users in one form or another, though it seems that most people either don't know about the ability to control apps' permissions, or just don't care. We're geared to choose convenience, and at this point many people treat app permissions like EULAs on computer programs: complicated legalese you don't really need to know. Whether apps like Redmorph can change that remains to be seen.
Redmorph shows users which apps are using trackers and data brokers.
"When you start using any third party analytics platform, these analytics platforms are quite hungry for our data and monetising it," says Edlabadkar. "The more data they get, the more useful it is. Within the limits that your app has asked for, it can collect and scoop up as much data as it can. If you look at the permissions given by the app, you can be pretty sure that the analytics firm is collecting all of that. What utility it is providing is a different question."
Before talking to Edlabadkar, we tested out the app, running it on an Android phone. The app, which is also available on iOS, isn't free - you have to pay a Rs. 50 monthly subscription (though the first month is a free trial), but this enables it to be completely ad-free. Edlabadkar confirmed that the app works locally on your phone, connecting to the Internet only once a day at midnight to update its list of trackers.
"Everything is happening locally on your phone - our goal is to not connect any data on your phone," he says. "When you download the app, everything is done locally. It scans every app that you have and gets the profile and locks them down. And then once a day, at around midnight, it goes online to update itself and get the latest trackers and policy. Everything else is happening locally on your device."
"How do you detect malware or phishing without knowing a signature? What sort of abnormal behaviour and resource consumption are they doing in the background," Edlabadkar adds. "Basically looking at every app and what permissions does it have, what data does it need, when does it use it? So for example, if you have a flashlight app, there's absolutely no reason for it to have a network connection."
The Redmorph app itself is pretty easy to use. Its homepage shows a list of the top apps whose trackers are being blocked (Slack, in our case, though there's more to be said about that), and you can switch to a live view to see which URLs your apps are sending your data to, which can lead to some interesting insights. Of course, for an end user who isn't savvy enough (and is therefore going to benefit from something like Redmorph), actually making use of this information is also a challenge - though Edlabadkar says the goal is to make protecting your data an automated function, so the user could, for instance, have Facebook, and "when you want to use Facebook, you can use Facebook, and in the background, it can't monitor other apps."
But there is a question about how useful the data generated by the app could be. As mentioned earlier, the top offender on our phone, as per Redmorph, was Slack. Over the course of a day, it blocked "data broking trackers" from the app nearly 500 times. These come from Crashlytics, an app analytics service (acquired by Google from Twitter last year) that aims to make it easier for developers to understand why an app crashes, and improve the app for all users.
Isn't this kind of platform beneficial for all, and not something to be considered a threat? "It's something that we also used for our beta product," says Edlabadkar. "It was acquired by Google recently. It gathers a whole lot of data from your device. It's not an innocent thing - for an app developer it's great because it gives you the exact line of code where your app crashed, but it gathers a lot of data."
"If apps were upfront that would be something the user could turn on, but that's not what's done," he continues. "Or for example you take Google Analytics. If you go on Google Analytics dashboard, you know the device, the device information, the account linked, what apps exist, you know the location, it's a lot of data. That is the data that you can see from GA, but beyond that it is known to collect a lot more information about the user. These platforms are geared towards giving some utility, but they're collecting far more information because they have the capability to collect a lot more."