Your apps can incriminate you. Just ask these 600 soccer fans

Nobody likes a snitch. They are seen in movies and in public as the lowest of the low. Should we view technological snitches in the same way? Well, what’s a technological snitch, you might ask?

Spain’s top soccer league, La Liga, was fined €250,000 ($280,000) by the country’s data protection agency for monitoring its Android app users’ microphones and locations without proper approval.

The [La Liga App’s] Shazam-like feature was designed to imperceptibly identify bars playing league games, pairing the geographic information to see whether the establishment had paid to license the content or was showing it illegally. This March, 600 Spanish bars and restaurants were accused of pirating matches.

Jacob Feldman, Sports Illustrated

The truly frightening part about this is that it’s not even that elaborate a scheme. A popular sports app was downloaded by fans (the equivalent of downloading the NBA or PGA app). Those users agreed to device permissions – access to their phone’s microphone and location. La Liga created some sort of “fingerprint” that it programmed to play during soccer live streams, which the app could easily identify while the matches were playing. It then cross-referenced the locations where the streams were detected with its licenses to view the content.

To understand the motivation, just compare the €250,000 fine La Liga now faces to the €400 million it says it loses every year because of piracy.

Jacob Feldman, Sports Illustrated

If this doesn’t seem like a huge concern to you, then imagine if HBO pulled a similar stunt with Game of Thrones. According to piracy data firm Muso, the season 8 premiere was illegally downloaded or streamed more than 54 million times. Nielsen projects the number of legal viewers at 17.4 million. That’s 3x as many illegal viewers as legal ones.

In the grand scheme of things, the incentive to abuse user privacy far outweighs the consequences for many companies. And the way that mobile privacy permissions are set up, apps present themselves as one of the simplest ways to ascertain information about people.

Apps are a Privacy Weak Link

“While many seem to be paying a lot of attention to privacy issues involving Facebook and other tech giants, our research has uncovered something much bigger with mobile apps. You can very easily delete your Facebook account, but a mobile app with the wrong permissions can log all of your activities and track you. What’s more worrying is that many people give these mobile apps permission to track them without really knowing what’s going on behind the scenes.”

Thomas Michael, Infosecurity Magazine

As Wired pointed out in its article titled “App Permissions Don’t Tell Us Nearly Enough About Our Apps,” the oversimplified data permissions we agree to in apps often do not align with the data they are actually collecting:

Once you grant location access, app makers are able to pull in bearing and altitude information in addition to single location objects. This means apps can know “roughly which floor of a highrise you live on.”

A travel app learned some interesting behavioral patterns about its customers based on how they were holding their phones [because of their access to the phone’s motion sensors].

“We found that during traffic spikes [in the app] at night, a lot of device rotations were happening,” Setlur says. “They were starting like this, and then they would turn the phone like this. We realized that people were trying to plan their next trip, turning the phone sideways to look at photos, while they were lying in bed.”

That’s just the location permission you give. La Liga showed us how access to a phone’s microphone could be abused. What about access to your camera, camera roll, calendar, contacts, motion sensors, speech recognition, and social media accounts? There are ways these can be abused as well.

The point being that there’s a large opportunity to exploit app permissions. Yes, to use the Uber app you have to give them Location Services. But there’s no reason the flashlight app or strategy game you just downloaded needs access to your location or your microphone.

It’s easy to blindly give away these permissions when we get a new app, usually because it seems like a requirement. And this behavioral loophole is easily exploited:

Realizing how much data can be mined by exploiting mobile apps, TalkingData, a Chinese big data company, does just this: by creating basic mobile apps that people need — such as VPN apps, games, etc — and requiring unnecessary permissions (which many users automatically go on to accept), TalkingData now boasts a $1 billion valuation and access to data on over 700 million monthly active data.

Thomas Michael, Infosecurity Magazine

I’d highly recommend you take a trip to your phone’s privacy settings and see what permissions you’re giving to which apps. If something stands out as odd, then turn that puppy off.
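One way to run that check in bulk on Android, as an added example that is not part of the original article: the script below parses text in the shape of `adb shell dumpsys package` output and lists apps that hold both the microphone and a location permission, the pairing the La Liga app relied on. The sample dump and package names are constructed, and the exact dumpsys layout is an assumption that can differ between Android versions.

```python
import re

# Android runtime permissions the article singles out: microphone and location.
MIC = "android.permission.RECORD_AUDIO"
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}

# Assumed line shapes, modeled on `adb shell dumpsys package` output.
PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")

def granted_permissions(dump_text):
    """Map package name -> set of permissions reported as granted=true."""
    grants, current = {}, None
    for line in dump_text.splitlines():
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            grants.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current and perm.group(2) == "true":
            grants[current].add(perm.group(1))
    return grants

def mic_and_location(grants):
    """Packages holding the microphone plus any location permission."""
    return sorted(p for p, perms in grants.items()
                  if MIC in perms and perms & LOCATION)

# Constructed sample, not captured from a real device.
SAMPLE_DUMP = """\
Package [com.example.flashlight] (1a2b3c):
    runtime permissions:
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
Package [com.example.rideshare] (4d5e6f):
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
Package [com.example.notes] (7a8b9c):
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg in mic_and_location(granted_permissions(SAMPLE_DUMP)):
        print(f"review: {pkg} holds microphone + location")
```

A denied permission (`granted=false`) is ignored, so an app that was refused the microphone does not show up in the review list.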

Today, our app permissions may inform some eerie advertisements that reflect something you said in a conversation with your sister. But if La Liga is any indication of how else our smartphone apps could be used against us, then there are a lot of ways our apps could incriminate us.

Apps as Spies?

It’s important to get creative and think deeply about how the data you create by using your smartphone tells a meaningful story about your livelihood, intentions, etc…

There’s no imagination necessary when we talk about criminal endeavors. Location and motion sensors could place a suspect at the scene of the crime. For good reason, Apple has stayed pretty firm on denying government or police access to phones of potential criminals. But this doesn’t necessarily apply to the third-party apps on that phone.

More relevant to you, the permissions you give to some health and fitness app could be used by health insurance companies to more accurately assess your health risk, leading to potentially higher premiums. Giving calendar access to some third-party app could be used to determine when you’ll be out of town (or at the office for a long stretch)… the best time to rob your house.

I don’t mean to frighten you by these seemingly improbable connections. However, who could’ve anticipated what La Liga would do via an app? We routinely underestimate the assumptions and judgments that can be made about individuals just by looking at the data they create.

Two years ago, I wrote an article called The iPhone is a Black Box discussing the treasure trove of information stored on iPhones. Every day it seems to become truer than the last.