Half of these secretly initiated communications cannot be attributed to analytics or advertising

Nov 22, 2015 12:21 GMT  ·  By

MIT researchers have analyzed the top 500 most popular Android apps and discovered that 63% of these apps initiate covert communications to remote servers that have no impact on the user experience.

Researchers used both static analysis techniques and human evaluators to compile their results. They defined an overt communication as any connection between the app and a remote server that directly changed the app's behavior or UI; all other connections were classed as covert, having no visible impact on the user's experience within the app.

Not all the covert traffic can be attributed to analytics

By processing each app's data traffic and comparing the UI before and after a connection started, the researchers found that 63% of the top free Android apps engage in what the article calls "secret whispering."

While half of the covert communications were analytics traffic, that is, data about the device and its user shared with online advertisers, the purpose of the other half remained unclear to MIT's researchers.

"Our analysis shows that covert communication is quite common in top-popular Android applications in the Google Play store," the research team noted.

Human testers confirmed the researchers' findings

Researchers went a step further and also decompiled and modified 47 of the top 100 free Android apps, disabling their ability to start covert communications.

The MIT staff then tested these apps with human subjects, who reported that they couldn't spot any differences between the original and the modified version in 30 of these applications. Only 5 applications stopped working, while the other 12 showed minimal impact on the UI.

Most of the covert communications were started by a small set of shared components. The biggest offender is com.google.android, present in 76.4% of the analyzed apps. Researchers found that this component started 1,913 covert calls, 50% of its total number of calls.

Other notable offenders are com.gameloft (mobile games), com.unity3d (mobile games), com.facebook (social media), and a slew of advertising SDKs.
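The classification and per-component ranking described above, written out as an added example (this is not the MIT team's tooling, and the paper's actual instrumentation is not reproduced here). The trace format, the UI-fingerprint heuristic, the list of known analytics hosts and every sample record below are constructed for illustration; the script classifies each captured call as overt or covert by whether the UI fingerprint changed, ranks the components by covert calls, splits the covert calls into "analytics" and "unexplained", and reports the share of apps that made at least one covert call.

```python
"""Overt/covert classification of captured app network calls.

Added example, not the MIT researchers' code. The trace format, the
UI-fingerprint heuristic and the sample data are assumptions made here
for illustration only.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed trace: one record per network call captured while driving
# the app. ui_before/ui_after are fingerprints of the visible UI (for
# example a hash of the view hierarchy) taken just before the call was
# issued and after its response was handled. Hosts use the reserved
# .test TLD; nothing here is a real server.
TRACE = """\
ts=1 app=news component=com.example.news dest=api.example-news.test ui_before=a1 ui_after=b7
ts=2 app=news component=com.google.android dest=play.googleapis.test ui_before=b7 ui_after=b7
ts=3 app=news component=com.google.android dest=play.googleapis.test ui_before=b7 ui_after=c2
ts=4 app=news component=com.adnetwork.sdk dest=track.adnetwork.test ui_before=c2 ui_after=c2
ts=5 app=game component=com.example.news dest=cdn.example-news.test ui_before=c2 ui_after=d9
ts=6 app=game component=com.adnetwork.sdk dest=track.adnetwork.test ui_before=d9 ui_after=d9
ts=7 app=game component=com.google.android dest=play.googleapis.test ui_before=d9 ui_after=d9
ts=8 app=weather component=com.example.weather dest=api.weather.test ui_before=d9 ui_after=e0
"""

# Constructed allow-list of destinations known to serve analytics or ads.
ANALYTICS_HOSTS = {"track.adnetwork.test"}


@dataclass(frozen=True)
class Call:
    ts: int
    app: str          # app under test
    component: str    # package prefix of the code that issued the call
    dest: str         # remote host
    ui_before: str    # UI fingerprint before the call
    ui_after: str     # UI fingerprint after the response was handled


def parse_trace(text: str) -> list[Call]:
    """Parse key=value records, one call per line; blank lines are skipped."""
    calls = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = dict(tok.split("=", 1) for tok in line.split())
        calls.append(Call(int(f["ts"]), f["app"], f["component"], f["dest"],
                          f["ui_before"], f["ui_after"]))
    return calls


def is_covert(call: Call) -> bool:
    """Covert: the UI fingerprint is unchanged once the call has completed."""
    return call.ui_before == call.ui_after


def component_stats(calls: list[Call]) -> dict[str, tuple[int, int, float]]:
    """Map component -> (total calls, covert calls, covert share in percent)."""
    totals = Counter(c.component for c in calls)
    covert = Counter(c.component for c in calls if is_covert(c))
    return {comp: (totals[comp], covert[comp],
                   round(100 * covert[comp] / totals[comp], 1))
            for comp in totals}


def rank_components(calls: list[Call]) -> list[tuple[str, tuple[int, int, float]]]:
    """Components ordered by number of covert calls, ties broken by name."""
    return sorted(component_stats(calls).items(),
                  key=lambda kv: (-kv[1][1], kv[0]))


def attribute_covert(calls: list[Call]) -> dict[str, int]:
    """Split covert calls into 'analytics' (known host) and 'unexplained'."""
    buckets: Counter[str] = Counter()
    for c in calls:
        if is_covert(c):
            buckets["analytics" if c.dest in ANALYTICS_HOSTS else "unexplained"] += 1
    return dict(buckets)


def covert_app_share(calls: list[Call]) -> float:
    """Percentage of apps in the trace that made at least one covert call."""
    apps = {c.app for c in calls}
    covert_apps = {c.app for c in calls if is_covert(c)}
    return round(100 * len(covert_apps) / len(apps), 1)


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    print(f"apps with covert calls: {covert_app_share(calls)}%")
    print("covert calls by source:", attribute_covert(calls))
    for comp, (total, cov, pct) in rank_components(calls):
        print(f"{comp:24s} covert {cov}/{total} ({pct}%)")
```

The UI-diff rule is only a heuristic: a call whose effect is deferred (a prefetch that is cached and rendered on a later screen) shows no fingerprint change and is counted as covert, which is exactly why the study backs the automated classification with human testers of patched apps rather than trusting the diff alone.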

Researchers also noted that Candy Crush Saga, an app that has repeatedly been scrutinized over user privacy issues, was not making any covert calls at all.

The Covert Communication in Mobile Applications research paper is available for download on MIT's website.

[Image: Half of top Android apps initiate covert calls to remote servers]
[Image: Top 10 covert calling Android components]