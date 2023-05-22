Digital tracking was one of the short-lived successes of the pandemic. In Spain, Radar Covid was born, grew, failed and died quickly. The idea never came to fruition for many reasons, but one that gave it the last straw was that, despite all the initial promises of security and privacy, a Google error caused data to escape from Android mobiles through an unsuspected place: the registries. of activity (logsin English) of the apps. Now new research has discovered that through this hole private information of Android users continues to escape, to which more companies have access than they should.

“This research uncovers a very important hole, which is not well regulated or studied,” says Carmela Troncoso, a researcher at the Federal Polytechnic School of Lausanne (Switzerland) who led a European group in charge of creating the apps of tracking in 2020. “But it is a general problem, in tracking apps and everything. The bottom line is that you can’t do something private by design on a platform like Android, which is flawed by definition.”

The logs They are a long and exhaustive diary that compiles what happens in an app. Its original and accepted use is to detect bugs (bugs in the code) before releasing the apps to the public. But, in reality, that is not the only thing that happens. Google asks app developers to remove the logs once the applications are published, because they may contain sensitive information. And recent research shows that they are still there, and that everything can be found in them.

“We found that the logs they do not have purely technical information, but by carelessness or intentionally they can also contain personal data or information that reveals the user’s activity”, says Juan Tapiador, professor at the Carlos III University and one of the authors of the article. “An example is the case of Microsoft Teams or Discord, or the pharmaceutical apps CVS and Drug Mart, which have activities that give a lot of information. In the case of Teams, it is possible to know, for example, the exact moment you made a call. In the case of CVS and Drug Mart, among other data, the product categories used to filter the search results are stored”. This registers the type of pharmaceutical that someone is looking for, from contraceptives to cholesterol pills.

Permission to access that vast personal private information on Android is limited to Google, the manufacturers of the devices, and the pre-installed apps those manufacturers have chosen to put there. Among them, there are companies that are engaged in advertising. The loot they have access to in the guts of Android mobiles is difficult to calculate. That’s where they all run apps, and there may be from our location to our interests or our love relationships.

Android is based on an open source project maintained by Google. But it is not a closed ecosystem like that of the Apple iPhone. “Any phone manufacturer can make changes to the operating system and apps of other organizations with which it has commercial agreements, including apps from companies that are part of the industry based on the commercialization of personal data and advertising”, says Narseo Vallina-Rodríguez, researcher at Imdea Networks and co-founder of AppCensus, dedicated to the analysis of privacy in apps. “The big problem is that those Pre-installed apps are part of the operating system and have privileged access to sensitive data and resources that an app normal cannot access, as is the case with logs from the system since Android version 4.1″.

It’s a complex balance in a chaotic landscape. Android devices live in a jungle-like environment, where dozens of companies try to extirpate data and profit without it being obvious. “Security and privacy risks arising from the supply chain are complex to resolve. Many parties are involved in the manufacture of a product and all the software that it includes, sometimes with complex relationships among themselves, and where the risks of one entity can be easily inherited by others”, says Juan Tapiador.

To questions from EL PAÍS, a Google spokeswoman responded that they try to do everything at once: protect the user and give app developers more possibilities. “User security and privacy is a top priority for Android. We really appreciate the research from the community that helps keep Android safe. We make constant improvements to Android features to ensure user data is secure and private, while enabling developers to build the best apps possible,” the spokesperson says.

Google admits to this newspaper that all applications that have access to device records are applications authorized by device manufacturers, thereby shifting part of the responsibility for intrusions that may arise from there to other actors.

“I was genuinely surprised at the level of sensitive data recorded by manufacturers of security devices. hardware”, says Serge Egelman, a researcher at the University of California at Berkeley (USA) and also a co-founder of AppCensus. “If these devices are being certified by Google as official Android devices, there really needs to be some oversight that they’re following Google policies and basic best practices.”

But nobody monitors or ensures that this information is not there or is not accessible to actors who could potentially misuse the private information of users. Bart Preneel, professor at the Catholic University of Leuven and technical director of the app Belgian digital tracking company, Coronalert, describes the problem in three points: “One, it makes it easy for developers to log a lot of information, and most of it contains sensitive data, particularly if logs from multiple apps are combined. Two, this information is useful for Google and for manufacturers. But many other applications authorized by them also have access, so the risk of abuse is very high: it allows the creation of user profiles by a large number of parties. And three, Google warns developers not to log too much, but developers do this anyway, and it’s not policed,” Preneel says.

In this case, the information that appears in the logs shouldn’t actually be there. Android advice for years is to avoid including private activity in those logs. But it is not controlled or monitored and for app developers and manufacturers the problem is not directly theirs. It is a clear example that the worst consequence is borne by the user, who knows nothing of what is happening. Is software that it is already there when it reaches your hands, inside your mobile.

After learning about the investigation, Google has introduced a warning for users in version 13 of Android: “The mechanisms that Google has introduced in Android 13 to improve transparency and inform users about access to logs by pre-installed apps are a good step”, says Vallina-Rodríguez. “They will allow users to control when and who can access this information. However, improving the permit system only mitigates this specific problem, and cannot address the general problems associated with the lack of control over the supply chain of digital products”, she adds. It’s an insufficient remedy, adds Preenel: “It’s just a patch, most users don’t have the time or desire to control these types of settings.”

Google obviously doesn’t bear full responsibility here. app developers should be more careful about the information they allow to appear on the logs and knowing that they’re not the only ones who have access to that information: “App creators could log less data,” says Joel Reardon, a researcher at the University of Calgary and co-founder of AppCensus. “Many apps use services like Crashlytics to collect error logs, which allows them to debug with the app already deployed. Before, users of that type of software They were called beta testers and participation was voluntary. If app creators don’t intend to look at the logs, there’s far less reason to log as much data as we’ve found.”

