When it comes to knowing what apps do and don't do on Android, there is little that average users can find out in advance or after installation.
While the requested permissions may provide information about data the app may access or modify, and also about network or Internet connections it may establish, nothing is provided in detail.
For instance, you may know that an app connects to the Internet based on its permission requests but you don't know to which sites and often why.
A recently published research paper suggests that many free applications offered on Google Play connect to URLs in the background.
The team analyzed 2146 free applications in all 25 categories on Google Play based on popularity and recency and discovered that these applications connected to "almost 250,000 unique URLs across 1985 top level domains".
The methodology used to analyze these apps was the following:
- All apps were downloaded and executed on a Samsung Galaxy SIII Mini smartphone running Android 4.1.2.
- The phone was configured to use a local VPN, which the researchers monitored for traffic activity using tcpdump to create a packet capture for each individual application.
- A series of 10000 automated user interactions with each application simulated use while the app was running.
- Each packet capture was processed with tshark to extract URLs, which the team compared against EasyList and EasyPrivacy, two popular lists used by Adblock Plus and other adblocking and anti-tracking extensions and programs.
- Last but not least, all URLs were checked on VirusTotal as well.
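The tshark and filter-list steps above, sketched as an added example (this is not the researchers' code): it takes host/URI rows in the form tshark emits with `-T fields -e http.host -e http.request.uri` and counts distinct URLs plus ad and tracker hits per app. Only bare `||domain^` rules are handled, and all domains, rules and rows are constructed samples.

```python
# Constructed sample data: filter rules in EasyList syntax and tshark field rows.
SAMPLE_EASYLIST = "! ads (constructed)\n||ads.example^\n||adnetwork.test^\n/banner/*\n"
SAMPLE_EASYPRIVACY = "! trackers (constructed)\n||metrics.example^\n"
SAMPLE_ROWS = [
    "api.app.example\t/v1/feed",
    "ads.example\t/banner?id=1",
    "ads.example\t/banner?id=1",        # repeated request, counted once
    "img.ads.example\t/creative/7.png",  # subdomain of a listed ad domain
    "metrics.example\t/collect?e=open",
    "notads.example\t/index.html",       # shares a suffix string, not a subdomain
    "\t/orphan",                         # request without a Host header
]

def parse_domain_rules(filter_text):
    """Collect domains from bare '||domain^' rules; all other rule types are skipped."""
    domains = set()
    for line in filter_text.splitlines():
        line = line.strip()
        if line.startswith("||") and line.endswith("^"):
            domains.add(line[2:-1].lower())
    return domains

def host_matches(host, domains):
    """True if host is a listed domain or a subdomain of one (label-wise match)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def summarize(rows, ad_domains, tracker_domains):
    """Count distinct URLs and filter-list hits for one app's capture."""
    requests = set()
    for row in rows:
        host, sep, uri = row.rstrip("\n").partition("\t")
        if sep and host:
            requests.add((host.lower().split(":")[0], uri))
    return {
        "distinct_urls": len(requests),
        "distinct_hosts": len({h for h, _ in requests}),
        "ad_urls": sum(host_matches(h, ad_domains) for h, _ in requests),
        "tracker_urls": sum(host_matches(h, tracker_domains) for h, _ in requests),
    }

if __name__ == "__main__":
    ads = parse_domain_rules(SAMPLE_EASYLIST)
    trackers = parse_domain_rules(SAMPLE_EASYPRIVACY)
    print(summarize(SAMPLE_ROWS, ads, trackers))
```

Matching on whole DNS labels rather than on substrings is what keeps `notads.example` from being counted as a hit for `ads.example`.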
The conclusion is devastating. About 10% of all tested apps connect to more than 500 distinct URLs with the top applications all connecting to more than 1000 distinct URLs each and about 100 top level domains.
About 33% of apps don't connect to ad-related sites, while the remaining applications connect to an average of 40 ad URLs (some to more than 1000), with Google-owned sites at the top.
About one quarter of apps communicate with tracking servers. Some connect to more than 800 different trackers.
As far as VirusTotal ratings are concerned, 94.4% of all URLs tested had a suspicion score of 0, with the worst case for the rest being that hits were recorded by three of the 52 different engines used by the service.
The developers have created an Android application that provides reporting functionality similar to the analysis they carried out.
The app is not available on Google Play currently, but plans have been made to publish it on the site in the future. For now, it is only available directly at this address.
Update: The download is no longer available due to traffic. We have set up a mirror here on Ghacks. Download the file with a tap or click on the following link. Please note that we don't support it in any way and cannot be held responsible for issues that may occur. nsa_app_secon.zip
Note: It installed fine on my Motorola G running Android 5 but crashed after the introduction.
The app installs a local proxy and monitors traffic from applications run on the system to identify 3rd party trackers and malicious destinations.