by Shannon Morse, Threatwire 

It’s time for some Android security news! First, four Italian security researchers at Sapienza University in Rome, Italy, discovered and built a proof-of-concept tool that could do “app de-anonymization” of Tor on Android phones. While Tor is widely used to anonymize traffic on the web, the researchers made clear that this POC would not deanonymize Tor in its entirety - so your real IP address or other identifying details would still be hidden. It could, however, give away what websites you’re visiting while using Tor, with an accuracy of up to 97 percent. The researchers were able to distinguish between TCP packet types - so they could tell if a user was browsing, using email, chat, audio streaming, video streaming, doing file transfers, VoIP, or P2P file sharing. They discovered patterns specifically used by Android apps in TCP packets, and they used an algorithm with machine learning to learn the Tor traffic patterns over time. They could then identify ten test apps, including YouTube, Instagram, uTorrent, and more, even while a user was using Tor.

Luckily, it doesn’t work if there is background traffic on the device, which can create a noisy channel, and using multiple apps at the same time confuses the algorithm. Streaming services look similar, which can cause that 97% accuracy to drop as well. Since this is for a research paper, the parties involved do plan to release the code. And at this time? There is no fix in sight.

And lastly, way back in 2013, both Apple and Google made sweeping privacy changes to their mobile OSes, allowing users to opt out of or limit ad tracking and interest-based ads that appeared in their apps or on their devices. This was called the Ad ID, and it could be reset, which would reset the data shared with advertisers from the device. This would be like clearing cookies from a computer. Over time, cookies start to grow again, but whenever you reset them, it resets the behavioral advertising you may see on your device or on your social media timeline. Since persistent identifiers like your device serial number, IMEI, Wi-Fi MAC address, SIM serial number and more don’t change, the adoption of the Ad ID and user control over it were needed. But unfortunately, even though both Google and Apple have policies restricting app devs from retrieving the Ad ID alongside other persistent identifiers, lots of apps were doing so anyway, which undermines the very reason the Ad ID can be reset. While you can reset your Ad ID all day long, you can’t reset your IMEI, for example. So if an advertiser is sent your IMEI and a reset Ad ID, they still know it’s yours because of the IMEI.

Serge Egelman of the International Computer Science Institute explained that they found over 17,000 apps that were abusing this policy back in September. As of recently, that number grew to 18k apps that were sending the Ad ID alongside other identifiers that were persistent. 24k in total were transmitting the Ad ID by itself, so over 70% of those were abusing the policy or ignoring it. This included popular apps like Flipboard and Angry Birds Classic, Audiobooks from Audible, and more. Many of these recipient domains were obviously advertisers or data collection aggregators, like ads.flurry.com or admarvel, or adcolony.
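One way to audit traffic captured from a test device for the behaviour described above, where an Ad ID travels in the same request as a persistent identifier so that a reset Ad ID stays linkable. This is an added example, not the researchers' tooling; the app names, hosts, identifier values and request format are constructed, and it assumes you know the test device's own identifiers and can read the request payloads in plaintext.

```python
import hashlib
from collections import defaultdict
from urllib.parse import unquote

# Constructed test-device values and captured requests (all made up for this example).
AD_ID_OLD = "11111111-2222-3333-4444-555555555555"
AD_ID_NEW = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"  # value after the user reset the Ad ID
PERSISTENT = {"imei": "490154203237518", "wifi_mac": "02:00:5E:10:00:01"}
CAPTURED = [
    {"app": "com.example.game", "host": "ads.example",
     "payload": f"adid={AD_ID_OLD}&imei=490154203237518"},
    {"app": "com.example.game", "host": "ads.example",
     "payload": f"adid={AD_ID_NEW}&imei=490154203237518"},
    {"app": "com.example.reader", "host": "track.example",
     "payload": f"ifa={AD_ID_NEW.upper()}&mac=02%3A00%3A5e%3A10%3A00%3A01"},
    {"app": "com.example.notes", "host": "ads.example", "payload": f"adid={AD_ID_NEW}"},
]

def norm(text):
    """URL-decode, lower-case and drop ':' / '-' so differently formatted copies compare equal."""
    return unquote(text).lower().replace(":", "").replace("-", "")

def forms(value):
    """The normalized value plus its MD5 and SHA-1 hex digests (identifiers are often sent hashed)."""
    raw = value.encode()
    return {norm(value), hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()}

def audit(requests, ad_ids, persistent):
    """Find requests that carry an Ad ID together with a persistent identifier.

    Returns (violations, linkage):
      violations: {app: names of persistent identifiers sent alongside an Ad ID}
      linkage:    {(host, identifier name): Ad IDs that host can tie to that identifier}
    """
    violations, linkage = defaultdict(set), defaultdict(set)
    for req in requests:
        payload = norm(req["payload"])
        seen_ads = [a for a in ad_ids if any(f in payload for f in forms(a))]
        seen_ids = [n for n, v in persistent.items() if any(f in payload for f in forms(v))]
        for name in seen_ids:
            for ad in seen_ads:
                violations[req["app"]].add(name)
                linkage[(req["host"], name)].add(ad)
    return dict(violations), dict(linkage)

if __name__ == "__main__":
    violations, linkage = audit(CAPTURED, [AD_ID_OLD, AD_ID_NEW], PERSISTENT)
    for app, names in sorted(violations.items()):
        print(f"{app}: Ad ID sent with {sorted(names)}")
    for (host, name), ads in sorted(linkage.items()):
        print(f"{host} can join {len(ads)} Ad ID(s) through {name}")
```

In the constructed capture, the app that sends only the Ad ID is not flagged, while the host that receives the IMEI with both the old and the reset Ad ID can join the two.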


Egelman says the report was submitted 5 months ago but they’ve not heard back from Google about how they will be addressing this violation of their own policy. In an article by CNET, Google responded that they did take action against some apps but did not clarify how many. Some apps responded to questions by stating that they collect the Ad ID, but not for ad targeting.

