Over the past few months, developers publishing apps on Google Play and the App Store have been required to fill out a new section on data safety. Its purpose is to increase transparency by telling users what data an app collects and why. Today, the content of this section is purely declarative and can conceal serious data exfiltration. Far from its initial purpose, the section is currently being misused by developers to mislead users and silently exfiltrate their data.
What are mobile applications doing with our data?
A smartphone is an endless source of personal and business information, which mobile applications handle throughout their activity. An application can process data in three ways:
- Access: the application reads the information.
- Storage: the application writes the information to the file system, a local database, shared resources, logs, the clipboard...
- Transmission: the information is sent off the device over the internet or the cellular network.
Contrary to what one might think, mobile applications often collect personal data from their users even though they do not need it to provide their service. The collected information is then sold to global companies that perform profiling, or sometimes sent to servers belonging to malicious third parties.
Pradeo's engine analyzes millions of mobile applications each year to establish their level of security and compliance. To produce a trustworthy status, these analyses identify every data manipulation performed by an application. In doing so, our tool found, for example, that 20% of mobile applications send users' photos, videos and audio files off the device, and 14% do the same with contact information.
The extent of false statements on application stores
Since the introduction of the "Data Safety" section on Google Play and the "App Privacy" section on the App Store, developers must declare, when publishing an application, whether it collects data from its users, to what extent, and whether it shares that data with third parties. However, the details provided do not always reflect reality.
Pradeo's mobile security researchers conducted a study to measure this. On a sample of 5,000 iOS and 5,000 Android apps published in May 2022 with a completed data safety section, 17% of the Android apps claim not to collect personal data while actually exfiltrating it over the network. The figure reaches 19% on iOS. Millions of users have already been misled, and more are being misled every day.
“Data safety” section of an application's page on Google Play
“App Privacy” section of an application's page on the App Store
These statistics show that this new source of information in application listings is misleading and confusing. To be effective, the declarative approach needs to be combined with behavioral analysis of the applications, which identifies data manipulation that is actually observed rather than merely declared. As it stands, our experts advise mobile users not to treat these statements as a criterion for deciding whether to install an application or to grant the permissions it requests to access sensitive data.
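The following is an added example, written for this article and not part of Pradeo's engine or of any store tooling, of how a declaration can be cross-checked against what an app is actually seen doing, using the three kinds of manipulation listed above (access, storage, transmission). It takes a constructed AndroidManifest.xml, a constructed "no data collected" declaration, and a constructed list of events of the kind a dynamic-analysis harness would record. The permission-to-category mapping, the event format and the sink names are all assumptions made for the example. Only data sent off the device is treated as a contradiction of a "not collected" declaration, since data that is merely read or cached locally does not by itself prove collection; a requested permission that can reach an undeclared category is reported as suspicious rather than as proof.

```python
import json
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping: which declarable data category a dangerous permission can reach.
# Illustrative only; a real audit would carry the full permission table.
PERMISSION_TO_CATEGORY = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos_videos",
    "android.permission.READ_MEDIA_IMAGES": "photos_videos",
    "android.permission.READ_MEDIA_VIDEO": "photos_videos",
    "android.permission.READ_MEDIA_AUDIO": "audio",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
}

# Constructed manifest for a hypothetical notes app (not a real package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_MEDIA_IMAGES"/>
</manifest>"""

# Constructed declaration: the store listing says "No data collected".
SAMPLE_DECLARATION = {"collects_data": False, "categories": []}

# Constructed dynamic-analysis events (format assumed): what the app was observed doing.
SAMPLE_EVENTS = [
    {"action": "access", "category": "contacts",
     "sink": "content://com.android.contacts/contacts"},
    {"action": "send", "category": "contacts",
     "sink": "https://collector.example.invalid/upload"},
    {"action": "store", "category": "photos_videos",
     "sink": "/data/data/com.example.notes/cache/img.bin"},
]


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")}


def declared_categories(declaration):
    """Categories the developer admits to collecting; empty if 'no data collected'."""
    if not declaration.get("collects_data"):
        return set()
    return set(declaration.get("categories", []))


def permission_findings(manifest_xml, declaration):
    """Static heuristic: permissions that can reach a category the app says it does not collect."""
    declared = declared_categories(declaration)
    findings = []
    for perm in sorted(requested_permissions(manifest_xml)):
        category = PERMISSION_TO_CATEGORY.get(perm)
        if category and category not in declared:
            findings.append({"permission": perm, "category": category, "severity": "suspicious"})
    return findings


def behavior_findings(events, declaration):
    """Dynamic check: observed manipulations of categories the declaration omits.

    Only 'send' (data leaving the device) contradicts a 'not collected' claim;
    'access' and 'store' are reported as local-only context, not as proof.
    """
    declared = declared_categories(declaration)
    findings = []
    for ev in events:
        if ev["category"] in declared:
            continue
        status = "contradiction" if ev["action"] == "send" else "local_only"
        findings.append({"action": ev["action"], "category": ev["category"],
                         "sink": ev["sink"], "status": status})
    return findings


def audit(manifest_xml, declaration, events):
    """Combine the static and dynamic views into one verdict on the declaration."""
    static = permission_findings(manifest_xml, declaration)
    dynamic = behavior_findings(events, declaration)
    contradicted = sorted({f["category"] for f in dynamic if f["status"] == "contradiction"})
    return {
        "static": static,
        "dynamic": dynamic,
        "contradicted_categories": contradicted,
        "verdict": "false_declaration" if contradicted else "consistent",
    }


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_MANIFEST, SAMPLE_DECLARATION, SAMPLE_EVENTS), indent=2))
```

Run as-is, the sample app is flagged as a false declaration because contacts were observed leaving the device while the listing says nothing is collected; the cached image is reported as local-only and the READ_MEDIA_IMAGES permission as suspicious, not as proof. Changing the declaration to admit contacts collection turns the verdict to consistent, which is the point: the declaration is only trustworthy once it has been reconciled with observed behavior.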