Pocket Spies: The Untold Story of Your Apps

They're Tracking You More Than You Think

Imagine having a friend who keeps a diary of everything you do, right down to your tiny gestures and expressions. That's essentially what your smartphone apps are doing: tracking and recording your every tap, scroll, and click, unbeknownst to most users [1].

While analysing user behaviour enables apps to improve their services, their data collection practices often lack transparency. As our recent study discovered through comprehensive analysis, privacy policies frequently describe monitoring activities in vague boilerplate language like “user's interaction with the service” [2]. This generic wording reveals little about the scope of user data being gathered.


Just How Much Are They Tracking?

To peel back the curtain on mobile app data practices, we conducted static analysis of popular Android apps' codebases [2]. We found apps across all categories placed heavy emphasis on logging how frequently users interacted with various interface elements like buttons and text fields. For instance, more than 70% of the top apps collected data on button presses, likely to understand feature usage.

But frequency was just the tip of the iceberg. Apps also gathered information on interaction duration, motion details like swipe speed, and even composite gestures like double taps [2]. This exhaustive monitoring can expose more about individuals than one might expect.


The Transparency Gap

Take the massively popular weather app Yr, created by Norwegian broadcaster NRK. By examining Yr's codebase, the researchers found that it collects detailed data on actions like location changes and opening forecast graphs.

However, Yr's privacy policy (https://hjelp.yr.no/hc/en-us/articles/360003337614-Privacy-policy) only vaguely alludes to usage statistics, with no specifics on the types of user interaction data gathered. This disparity highlights the need for transparency in disclosing monitoring practices.

Why It Matters

In today's data-driven world, even seemingly innocuous actions can expose sensitive attributes, from political leanings to age and gender [3]. By standardising collection claims in privacy policies and comparing them to actual app behaviour, we aimed to enhance transparency around user interaction data practices.

Our findings underscore the pervasiveness of user monitoring in apps and the shortage of clarity around these activities. While usage data enables personalization and improvements, transparency and user control must remain priorities.


The Takeaway

So next time you tap, swipe or scroll on your phone, remember your apps may know you better than you realise! The secret life of our apps is quite the page-turner, but users deserve to know just how closely their activities are being tracked behind the scenes.


[1] Razaghpanah, A., Nithyanand, R., Vallina-Rodriguez, N., Sundaresan, S., Allman, M., Kreibich, C., & Gill, P. (2018, February). Apps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem. In The 25th Annual Network and Distributed System Security Symposium (NDSS 2018).

[2] Tang, F., & Østvold, B. M. (2023). Transparency in App Analytics: Analyzing the Collection of User Interaction Data. arXiv preprint arXiv:2306.11447.

[3] Gadotti, A., Houssiau, F., Annamalai, M. S. M. S., & de Montjoye, Y. A. (2022). Pool Inference Attacks on Local Differential Privacy: Quantifying the Privacy Guarantees of Apple's Count Mean Sketch in Practice. In 31st USENIX Security Symposium (USENIX Security 22) (pp. 501-518).

This blog post was written by Feiyang Tang. He joined the Norwegian Computing Center (NR) as a PhD student (ESR 11) of PriMa in October 2020. Before that, he obtained an MSc in Artificial Intelligence from KU Leuven with a thesis on image-text alignment for artworks and a BSc Honours in computer science from The University of Auckland focused on adaptive data stream mining.