Lumen Privacy Monitor monitors Android apps tracking
Lumen Privacy Monitor is a free application for Google Android that monitors the connections that applications make on the device it runs on to uncover communication with tracking servers and data collection.
Created as an academic research project, Lumen Privacy Monitor provided the researchers with a large set of data to analyze. The results were published in the paper "Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem". One of the key findings was that the research team managed to identify 233 new trackers that were not listed on popular advertising and tracking blocklists.
Lumen Privacy Monitor
Android users need to have a strong stomach during installation and on first run: the app requires lots of permissions, needs to install a root certificate, will monitor encrypted and normal traffic by default, and send anonymized data to the researchers.
The application requires access to personal data on the device to determine leaks. The researchers note that personal data is never submitted. Still, the application is not open source and it is clear that the privileges that it requests are cause for concern.
If you give permissions to the app, install the root certificate and flip the monitoring switch to on, you will get detailed reports about application activity and leaks.
Lumen Privacy Monitor monitors apps while it runs. The main interface displays three tabs: Leaks, Apps and Traffic.
- Leaks display personal or device information that apps may leak. A severity rating is
- Apps lists all applications that the monitoring app picked up with options to display a detailed report about individual apps.
- Traffic offers an overview of the analyzed traffic. It includes information about HTTPS and other connections, bandwidth, and the overhead that ads and analytics scripts and connections cause.
The Apps group is probably the most interesting as it reveals important information to you. A tap on a monitored application displays interesting information such as the list of domains the application tried to establish connections to, the number of trackers and the overhead caused by them, leaks and traffic overviews, and the list of requested permissions.
The list of connections is certainly useful as you can determine whether these connections appear to be valid or not. While you may need to research domains before you understand why the application may want to connect to them, you'd quickly find out if an app connects to tracking servers or makes other unwanted connections.
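One way to triage such a domain list against a hosts-format blocklist, as an added example (not code from Lumen or the researchers). The app name, domains and blocklist entries are constructed, and the domains are assumed to be copied by hand from an app's report. Because the paper found trackers missing from popular blocklists, unlisted domains are returned for research rather than treated as clean.

```python
# Added example: compare domains an app contacted with a hosts-format blocklist.
SAMPLE_HOSTS = """\
# constructed hosts-format blocklist
127.0.0.1 localhost
0.0.0.0 tracker.example
0.0.0.0 ads.metrics.example   # inline comment
"""

SAMPLE_CONNECTIONS = {  # constructed app and domains
    "com.example.flashlight": ["api.flashlight.example", "eu.tracker.example",
                               "ADS.metrics.example.", "cdn.unknown-sdk.example"],
}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

def normalize(domain):
    """Lower-case and drop the trailing root dot so comparisons are exact."""
    return domain.strip().lower().rstrip(".")

def parse_hosts(text):
    """Return the set of blocked hostnames from hosts-file text."""
    blocked = set()
    for line in text.splitlines():
        # A hosts line is "<address> <name> [<name> ...]"; '#' starts a comment.
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            name = normalize(name)
            if name and name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked

def matching_rule(domain, blocked):
    """Return the entry covering domain (itself or a parent domain), else None."""
    labels = normalize(domain).split(".")
    for i in range(max(1, len(labels) - 1)):  # never test the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None

def triage(connections, blocked):
    """Split each app's domains into listed trackers and domains needing research."""
    report = {}
    for app, domains in connections.items():
        listed, unlisted = {}, []
        for d in domains:
            d, rule = normalize(d), matching_rule(d, blocked)
            if rule:
                listed[d] = rule
            else:
                unlisted.append(d)
        report[app] = {"listed": listed, "unlisted": unlisted}
    return report
```

Where the matched entry differs from the contacted domain, only a parent domain is listed, so a blocker that matches hosts entries exactly would not stop that subdomain.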
The list of permissions includes risk assessments for each permission which you may use to determine whether to keep an application installed or remove it.
What I like particularly about Lumen Privacy Monitor is that it reveals the overhead that ads and tracker connections cause, the connections an app makes, and the data leaks of applications.
It would be better if the researchers released the application as open source to address concerns about the application's wide-reaching permission requests and installation of a root certificate.
What you do with the information is entirely up to you. You could consider removing applications or installing apps that block connections to trackers to prevent data leaks.
Now You: Do you use apps on your mobile device?
The best solution (more like a band aid) that I have found so far for Android is blocking everything that doesn’t need internet access with open source NetGuard no-root firewall. It’s ridiculous how much data is being sent out in the background if you don’t use something like this.
I read on Github you can setup NetGuard in whitelist mode and allow internet only to apps you want to, just like Simplewall. Nice. :)
If you plan on using NetGuard, make sure you install the version from GitHub. This one has a built-in hosts adblocker (in the options under backup). Make sure to never update via the Play Store as it would overwrite it with the Google version without the adblocker.
You then have to enable filtering in the options and import a hosts file.
NetGuard has a built-in tracker. I can’t find the source of info, but it’s somewhere on XDA. Off of https://www.netguard.me :
“Any in-app purchase will disable the in-app advertisements.”
So, unless you purchase the Pro version, your privacy is still at risk (although less).
The first Android app that I have ever bought. totally worth it…
I was curious about this one since AFWall is crashing for me.
Here's your answer
“(15) Why won’t you support the F-Droid builds?
NetGuard contains ads since a while, because very few people support the NetGuard project in other ways. This means NetGuard will not be accepted by F-Droid.”
Question is, can you block NetGuard using NetGuard?
Thanks again for a great tip.
I uninstalled it. It hurt performance and crashed after reporting that a safe program, AdBlock Browser, was risky. Oh, well.
AdBlock Browser has an analytics module by Adjust and a million permissions, no surprise there.
“Do you use apps on your mobile device?”
Anyway, NetGuard is good, AdGuard and DNS66 as well (though AdGuard is not free) and personally I’m using Blokada (from F-Droid). I’m not under an illusion that any of them blocks everything that’s wrong, but it’s better than nothing, I don’t get any ads, trackers get blocked and it doesn’t impact my battery life, quite the contrary. It’s open source and I even contributed a translation to my native language because I liked it so much. Sometimes I scan my apps with Addons Detector and add what I find to Blokada’s blacklist, just to make sure that it’s actually blocked (though with several hosts files to choose from, it probably already is).
I gather this app is something like Wireshark for Android……
The recent update to Android Messages wants a lot of new permissions for its new “features”. More recently, the error messages about the lack of permissions I’ve given it have stopped so I guess that’s good…….
I don’t use apps that require an internet connection to work, and I rarely connect anyway and on an as-needed basis only. And I don’t store much sensitive information on my phone or in the cloud. The phone company and my ISP have enough on me already.
I like Google services and all, but I don’t trust them and their partners with my personal information, financial data, etc., and I’m not inclined to sacrifice my privacy and security for the sake of convenience. If Google just wanted my stats to make an extra buck, I might be OK with that, but the potential for abuse is just too high — inevitable, actually.
Curious though, but I think Google is on to me. When I’m signed in and online at the Play Store, the first in the list of ‘apps suggested for me’ is “Offline Survival Manual”!
It says it is incompatible with my Nexus 7 2013… wonder why?
“no carrier” is the reason listed if you view the play store page on a desktop browser.
Don’t understand why google doesn’t provide that info when you use the play store app.
Either way it doesn’t make sense… should work as long as I have an internet connection.
The app developer is the one who decides what Android platforms the app will and won’t run on. Google probably doesn’t have the “why” information you seek — you’d have to ask the developers of the app.
Maybe it would be a good app, but without permissions to read our contacts, messages and call logs.
And there is no possibility to opt out from uploading anonymized reports to their servers. We can only choose if we want to upload them on WiFi only or always.
Before testing apps on my phone I always revoke from them all Android permissions using the great privacy manager XPrivacyLua https://forum.xda-developers.com/xposed/modules/xprivacylua6-0-android-privacy-manager-t3730663
XPrivacyLua is indeed the best privacy tool on Android.
An article about it should be published IMHO.