Uh-oh. Boffins say most Android apps can slurp your screen – and you wouldn't even know it

What is billed as the "first large-scale empirical study of media permissions and leaks from Android apps" has found that an alarming number can help themselves to your screen. Over 89 per cent of apps in the Google Play store make use of an API that requests screen capture or recording – and the user is oblivious as it evades …

  1. yossarianuk

    Purism (real linux based) phones cannot come soon enough

    I am only getting cast off phones now until Purism releases their phone.

    Nothing else can be trusted.

    https://puri.sm/shop/librem-5/

    1. Geoff Campbell

      Re: Purism (real linux based) phones cannot come soon enough

      Might be nice, but I'm not forking over six hundred bucks on a startup that may or may not deliver. Come back to me when they have a product.

      GJC

    2. ratfox Silver badge

      Re: Purism (real linux based) phones cannot come soon enough

      Just saying, Android is Linux-based, too.

      1. Anonymous Coward

        @ratfox - Re: Purism (real linux based) phones cannot come soon enough

        What you say is irrelevant. Android is far from Linux especially in terms of end-user freedoms. And it's like that by design. While on any Linux distro I can execute whatever program/command I want, my shiny Android phone does not allow me to disable weather notifications, just because an idiotic developer decided to promote his lousy idea. Every morning I have to look at my phone to be notified that it's sunny with xx degrees Celsius, irrespective of what plans I might have for the day. Like I would care what Android is based on!

        1. DougS Silver badge

          Re: @ratfox - Purism (real linux based) phones cannot come soon enough

          The kernel used in Android is irrelevant to whatever data slurping may take place at higher layers thanks to either poor permissions or by Google's design. They could use a bug free perfectly secure kernel but if Google creates an API that lets third parties slurp data, the kernel isn't going to stop them.

          A Linux based vaporware phone from some company no one has ever heard of isn't much to hang your hat on, especially if you happen to like using your phone for more than what the vendor installs - a.k.a. apps.

        2. os2baba

          Re: @ratfox - Purism (real linux based) phones cannot come soon enough

          You can't disable your weather app's notification and you want to execute your own scripts? LOL.

          1. Anonymous Coward

            @os2baba-Re: @ratfox - Purism (real linux based) phones cannot come soon enough

            Clue for you: the post says "not allowed to". Your LOL is pretty lame.

    3. Anonymous Coward

      Re: Purism (real linux based) phones cannot come soon enough

      Sailfish X due to be released around November time. It'll be chargeable, but focussed on user privacy and security with Android app support.

      Likely my next mobile OS (I have a supported device).

      1. Anonymous Coward

        Re: Purism (real linux based) phones cannot come soon enough

        The problem with things like Sailfish is that one has to ask if they have the developer resources to ensure security. APIs needed to run things are so monstrously complicated these days that it must be extremely hard to avoid gotchas.

        Part of me wishes BlackBerry had had a lot more success with BB 10. It was coming along nicely till events supervened, and one had some degree of confidence that they understood security. Now, using Android, it's a guessing game as to what they might have missed.

  2. Dan 55 Silver badge

    Watch Google not fix it

    Everything will stay the same for those apps targeting Android P or earlier because compatibility, apps targeting Android Q will have yet another permission added to the list (probably Others) which people will ignore.

  3. Giovani Tapini Silver badge

    Is it likely

    that any phone solution can give you complete privacy and security?

    Yes, Android and others can include bugs and gotchas either by accident or design.

    But the device advertises its presence, location and a bunch of other characteristics just by being switched on.

    The collision of convenience against security in this class of device is also likely to lead to direct threats of bad apps, or indirectly by inferring your usage from other apps or device sensors. This seems to be possible regardless of platform. It's both unrealistic to human review all apps for hidden nasties, if indeed you trusted them not to be paid off to ignore certain violations.

    I am fairly sure that if I want security and privacy the only good device is one that is switched off.

    1. Charles 9 Silver badge

      Re: Is it likely

      "I am fairly sure that if I want security and privacy the only good device is one that is switched off."

      How about a good device that's actually useful?

      1. MrXavia

        Re: Is it likely

        "How about a good device that's actually useful?"

        Impossible Dream

      2. Anonymous Coward

        Re: How about a good device that's actually useful?

        Good, useful, or competitively priced: pick one. :-)

    2. Solarflare

      Re: Is it likely

      I'm sure I'll get downvoted to hell for this (as is the norm whenever you mention it), but you could always use an iPhone instead.

      1. magickmark

        Re: Is it likely

        @Solarflare

        This...

        "The researchers plan to investigate third-party libraries on iOS next to see what slurping may be taking place there."

        Lets see what they come up with.

      2. Anonymous Coward

        Re: Is it likely

        At least iOS tells you when it's recording the screen / using the microphone, etc, etc

        1. Anonymous Coward

          Re: Is it likely

          "At least iOS tells you when it's recording the screen / using the microphone, etc, etc"

          ---------------------------

          To consider:

          1. At one point those whose job it was to remotely hack sub-laptop devices reported 100% success against iOS devices.

          2. It sure looks like what iOS is doing and what a third party library, extension, etc is doing may be two very different things.

      3. hplasm Silver badge

        Re: Is it likely

        " ... but you could always use an iPhone instead."

        "How about a good device that's actually useful?"

        Discuss...

    3. onefang

      Re: Is it likely

      "I am fairly sure that if I want security and privacy the only good device is one that is switched off."

      And in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying "Beware of the Leopard". Which if I remember correctly, is how Windows NT got its high security certificate.

  4. Pascal Monett Silver badge

    "the permission model is flawed"

    Wow, what a cliffhanger. I don't think I've ever heard that before.

    </sarcasm>

    What a pity that even a group of boffins in real lab coats with an actual study of it will probably not generate a change of the matter.

  5. Robert Carnegie Silver badge

    Um

    I may be behind the times, but isn't this just apps being able to read screen data that the app itself is displaying? So presumably already knows about... only for some reason it's just easier to read it back from the screen.

    1. This post has been deleted by its author

  6. Tim99 Silver badge

    Surely

    Google’s version of Android slurps by design?

  7. Anonymous Coward

    Boffins say most Android apps can slurp your screen

    Define most...

    Otherwise it's little more than clickbait

    1. onefang

      Re: Boffins say most Android apps can slurp your screen

      "Define most...

      "Otherwise it's little more than clickbait"

      The article did include some numbers, perhaps you should read it, instead of clicking the bait just to comment? There was even a table with lots of numbers in it.

    2. Anonymous Coward

      Re: Boffins say most Android apps can slurp your screen

      "Define most...

      Otherwise it's little more than clickbait"

      Ahh, I see our resident Google shill is on this thread as well.

      How's things at the Chocolate factory AC?

      1. Anonymous Coward

        Re: Boffins say most Android apps can slurp your screen

        Not chocolate factory, I'm an engineer and I work on facts and question anything that avoids that. Even more stinky is when something like deliberately avoids testing this GS that would fail to fail (in this case anything made in the last 4 years)

        I guess you are the fake news Facebook numpty that believes everything on the internet and never questions motives...

        What is pay-day for these "researchers"? Who is the paymaster?

    3. JeffyPoooh Silver badge

      Re: Boffins say most Android apps can slurp your screen

      Yeah!

      Where's the 'Name and Shame' section of this finding?

      If (for example) Facebook is capturing screenshots of my phone's on-line banking app, then they should be named and shamed, and subjected to the legal hell of class action lawsuits and regulatory punishments. It would certainly make the news, and cost them billions.

      Otherwise this report is all just meaningless noise.

      1. Anonymous Coward

        Re: Boffins say most Android apps can slurp your screen

        If (for example) Facebook is capturing screenshots of my phone's on-line banking app, then they should be named and shamed, and subjected to the legal hell of class action lawsuits and regulatory punishments

        =================================================

        Have you given a moment's thought about what the term 'third party' may mean?

  8. RobThBay

    I'll keep using my old BB10 Blackberry

    Another good reason I'll stick with my BlackBerry Passport.

    I wonder if BlackBerry's version of android has this flaw?

  9. Anonymous Coward

    What versions of Android are most affected?

    4,5,6,7,8,9 etc - That aspect is especially important, no?

    1. Anonymous Coward

      Plus can Netguard / DNS66 / Blokada block the phone-home?

      All three use the same trick of installing a VPN to intercept traffic. So it would be interesting to know if this is enough of a defense to stop rogue apps phoning home all the screenshots / videograbs?

    2. Anonymous Coward

      Re: What versions of Android are most affected?

      Yes, everything tested was 4 years old or more.

      They deliberately avoided anything newer for obvious reasons..

  10. Chris G Silver badge

    The article does not say what the apps are doing with the recorded screen data, are they phoning home with it or just using it in the app process?

  11. Anonymous Coward

    Adventures in a NEW Android 6 Phone

    UPDATE: Thanks to those who helped before. Recap of goal: Take dirt cheap android phone and install Signal-app while stripping the phone of toxic-slurp. Repeat for each family member... Ran with Alcatel U3 as it's less than 50 euro and all obvious Google/Facebook slurp can be disabled / uninstalled.

    After doing that nothing on the phone works anymore. So browsed substitute open-source apps off Fossdroid (easier to browse F-Droid using desktop browser). Then side-loaded substitutes for everything from Calendar to Photos. Downloaded 'Total Commander' separately as it's a staple from HTC XDA days. Sadly, no versions of VLC would run at all. So still looking for a good replacement, but F-Droid offers a good range of starting apps overall.

    The key step is installing a Firewall on a non-rooted phone. Netguard / DNS66 / Blokada all use the same trick of installing a VPN to intercept traffic. Going back to the article it would be interesting to know if this is enough defence to stop rogue apps phoning home screenshot / screengrabs? Anyway ran with Netguard for now as the interface is simple / powerful, and you can block system-level apps apparently, which is key here obviously...

    In terms of guaranteeing privacy, all of this is a long way short of Rooting the phone or installing LineageOS or other free alternative OS. But that's a lot of trouble for the time available right now. Still interested in trying that sometime though, after switching to Mint on desktop there's really no going back....

    Last thing... One phone must run WhatsApp for work. We started to notice a Hidden .facebook_cache folder popping up containing suspected mini-map tracking images. Disabling the built-in Chrome browser seems to have neutered this behavior. For now we're only using Firefox Klar (F-droid).

  12. Anonymous Coward

    Calling bullshit

    Did they state what version of Android? Seems since Android 5 the main method of obtaining the screen buffer is blocked unless you are rooted (and screen recording should be the least of your worries). They didn't talk about background recording or foreground recording (big difference). This is little more than mucky clickbait.

    Post Android 5 you need to connect to a pc every time and run some PC app that sends some debug ADB commands to get things working. These idiots just lost all credibility....

    Cite:

    https://stackoverflow.com/questions/25616026/screen-recorder-in-android-programmactically-not-screen-shots/33326957#33326957

    https://play.google.com/store/apps/details?id=uk.org.invisibility.recordable

    1. Rob D.

      Re: Calling bullshit

      The report does state when and where the apps and APKs are collected/selected, including newest versions of apps on Google Play at April 2017, and newest versions of APKs at January 2017. See section 5.1 of the study PDF. The test devices run Android 6 API level 23 on Nexus 6P/5X devices and a couple of Android 4.4.4 API level 19 on Nexus 5. The test, data collection and analysis methodologies are described in some detail. See section 5.3 and others. They provide some acknowledgements of possible weak areas in their methods.

      There might be useful points to raise about what the study does or does not show, but after a demonstrable failure to pick up the basics of what was done in a significant investigation run over several months with formal reporting of data, methods, analysis and conclusions, then it might be worth reading the study itself before someone calls BS on the BS call.

      1. Anonymous Coward

        Re: Calling bullshit

        "The test devices run Android 6 API level 23 on Nexus 6P/5X devices and a couple of Android 4.4.4 API level 19 "

        So nothing from the last 4 years then.... I wonder why.. (I know why). This doesn't constitute most, even the word some is stretching it.. That's not even the last version of Android for those devices - 5X and 6P are on Android 8.1, even the older Nexus 6 and Nexus 7 (2013) are on Android 7.1.

        Android 4.4 is now 5 years old....

        Picking hardware and deliberately not updating it and testing 5 year old OS version stinks of bullshit... As mentioned, the credibility of the authors of this must seriously be questioned.

        On the upside, this is a great clickbait filter, if you spot any other website posting this same story, you instantly have a great quality filter metric.

  13. Anonymous Coward

    Meh!

    Some of us have known about "covert" internal screenshots being taken of our Android phones for a while now.

    I noticed that there was a dropbox folder that collects "WTF" error messages as well as actual internal screenshots taken of every single task as it goes to background.

    I took a screenshot of one of these internal screenshots that showed my last text message that included the contacts name and phone number and would have contained a picture of the person if I had assigned them one.

    I changed ownership of these folders so that they could no longer be written to.

    Here are some recent logcat results showing attempts to write to these folders and failing after I changed ownership:

    Can't write: system_server_wtf

    06-01 20:29:15.373 1185 1229 E DropBoxManagerService: java.io.IOException: Can't list files: /data/system/dropbox

    06-01 20:29:21.320 1185 2082 E TaskPersister: saveImage: unable to save /data/system_ce/0/recent_images/248_task_thumbnail.png

    The folders in question are in the /data/system/dropbox directory and in /data/system/recent_tasks and /data/system/recent_images on my Android phone.

    (Requires root to chown these directories so they cannot be written to)

  14. This post has been deleted by its author

  15. Anonymous Coward

    Boffin

    I hate the word boffin. Makes me hopping mad. Why not use the word engineers, scientists, programmers, analysts, investigators, security experts anything but ******* boffin. I'm gonna go lay down now !

    1. onefang

      Re: Boffin

      All of those non-boffin words are longer, and some of them are even hard to spell. Boffin is short, easy to spell, and fits into a headline. You yourself used "gonna" instead of "going to", you should appreciate the use of short easy to spell words. Perhaps in the future it'll be "bofin" and "gona", just coz.

    2. Robert Helpmann?? Silver badge

      Re: Boffin

      Why Boffin? Because it's the Register!

      REF: https://www.theregister.co.uk/2004/11/30/proper_english_guide/

  16. eldakka Silver badge

    Fuck it

    I'm just going to put a faraday cage around my house and never ever leave it or communicate with anyone outside it again.

    Seems to be the only way to have some sort of security and privacy these days.

    At least until I run out of food and starve.

    1. _LC_ Silver badge

      Re: Fuck it

      I did put my GSM phone in a metal tea box once. The phone managed to penetrate it. ;-)

      1. Mr Han

        Re: Fuck it

        Did this produce a cute little phone that could be dipped in boiling water and make a lovely tasting beverage?

        1. _LC_ Silver badge

          Re: Fuck it

          Unfortunately, it did not as the box was empty. It only led to an increased cortisol level on my side.

  17. Christian Berger Silver badge

    It's a general problem of "application based" computing

    If everything is wrapped in an application which is allowed to execute code, you'll always have the problem of rampaging malware, since you need lots of applications and if one of them is malware, you're toast.

    The more sensible way is to only exchange data and have a (nearly) fixed set of applications which can work with a multitude of data sources. Kinda like online services used to be before Javascript. You logged in via a modem connection or telnet and had access to a database. You didn't need to have any kind of special software.

    Installing new code should be something you only do rarely from sources you personally trust. It shouldn't be something you casually do when a QR-code tells you to do it or something your browser runs automatically as a feature.

    1. onefang

      Re: It's a general problem of "application based" computing

      Ah, so you are advocating something like ChromeOS, and other thin client things. Some of those phone apps are just wrappers around a HTML5 web site, which is almost thin clientish.

      1. Christian Berger Silver badge

        Re: It's a general problem of "application based" computing

        Now if the web wouldn't have adopted Javascript it would have been a decent alternative. Unfortunately during the browser wars browser vendors were mostly concerned with features for webdesigners, not for web users. Otherwise they'd automatically handle tables including things like hiding columns and sorting.

      2. _LC_ Silver badge

        Re: It's a general problem of "application based" computing

        *eeerm*

        That's the opposite of what was said. JavaScript in the browsers runs anything from anywhere and WebAssembly drives even bigger nails into the same coffin labeled 'security'.

    2. Charles 9 Silver badge

      Re: It's a general problem of "application based" computing

      "Installing new code should be something you only do rarely from sources you personally trust. It shouldn't be something you casually do when a QR-code tells you to do it or something your browser runs automatically as a feature."

      That problem will ALWAYS be there. Simply because of box thinking, or there's no way to fully encapsulate everything you want something to do in a limited interface. It's the reason for downloads in the first place, going all the way back to the PC (in the broadest sense to include pre-IBM stuff) days. Who cares about security when it comes to "just get the bloody job done"?

      1. Christian Berger Silver badge

        Re: It's a general problem of "application based" computing

        "there's no way to fully encapsulate everything you want something to do in a limited interface"

        Actually there is, you can do everything via a terminal, either text based or graphical.

  18. Anonymous Coward

    Here's a real large scale study on mobile applications

    The University of Oxford have published an actual large scale study on almost 1,000,000 android applications and their data sharing practices

    Binns, R., Lyngs, U., Van Kleek, M., Zhao, J., Libert, T., & Shadbolt, N. (2018, April 14). Third Party Tracking in the Mobile Ecosystem. https://doi.org/10.1145/3201064.3201089

  19. Anonymous Coward

    It's worth pointing out that the "screenshot" APIs that this paper talks about only give the app access to its own content. It isn't possible to screenshot another application, or system UI without additional permissions.

    So basically this represents a really inefficient way of uploading data that the application already has access to.

  20. pkoning

    For a security focused version of Android, take a look at Blackphone. Among other things, they long ago identified the flawed permission model as an issue and fixed it.

  21. androiddeveloper

    Very misleading

    Apps may read the "view" that they themselves present. In other words, an app may spy on itself. That's how an application sandbox works folks. How very uninteresting. Carefully wording it to make it sound like an app may generally screen grab is (intentionally?) misleading. But I guess FUD (Fear, Uncertainty and Doubt) drives clicks.

  22. Phil Endecott Silver badge

    They seem to be worried about apps that include libraries, and those libraries can read the screen that the app itself is presenting.

    If I’ve understood this correctly, I think it’s a non-issue. App developers using 3rd-party code in their apps need to trust that code. If they don’t trust it, it could do anything. (In principle you could have another level of sandboxing between libraries and the main app code, but that’s not something that any OS I’ve ever seen does.)

    iOS would be vulnerable to essentially the same issues.

  23. os2baba

    Wait what?

    They studied 17,260 apps over a year from Google Play Store and *other download sites*, and used dynamic analysis on a subset of around 9,000 apps. Out of 3 million+ apps. And then concluded from that incredibly small sample that 89% of apps in *the play store* slurp screens?

  24. Mr Han

    Question. Isn't this what the recent apps switcher does?

    Even when I press 'quit' in FF with FF set to clear all private data, if I then open 'recent apps' then my previously visited webpage is shown in all its glory, even when this page isn't available when I reopen FF.

    This also happens on iOS which I've noticed shows the content of text messages in the recent apps view.

    If the apps are closed using the 'clear all' function of Android, or the laborious 'swipe close' function of iOS, then this data appears to be gone
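Comments 19 and 24 above draw the line between an app reading back its own window and capturing the whole display, and ask what protects content that lingers in the recents switcher. The Android snippet below is an added illustration of those three mechanisms; it is not code from the article, from the study or from any commenter. The class name CaptureDemo, the request code REQ_PROJECTION and the method names are assumptions made for this example; the framework calls (View.draw, MediaProjectionManager.createScreenCaptureIntent, WindowManager.LayoutParams.FLAG_SECURE) are the real platform APIs.

```java
import android.app.Activity;
import android.content.Context;
import android.content.Intent;
import android.graphics.Bitmap;
import android.graphics.Canvas;
import android.media.projection.MediaProjection;
import android.media.projection.MediaProjectionManager;
import android.view.View;
import android.view.WindowManager;

// Added example (not from the article or the study). CaptureDemo and
// REQ_PROJECTION are names chosen for this illustration.
public final class CaptureDemo {
    private static final int REQ_PROJECTION = 1001;

    // 1. Capturing the app's OWN window: no permission and no prompt, because the
    //    process already owns these pixels. A bundled third-party library runs in
    //    the same process and can call this just as easily as the app's own code.
    public static Bitmap captureOwnView(View root) {
        Bitmap bmp = Bitmap.createBitmap(root.getWidth(), root.getHeight(),
                                         Bitmap.Config.ARGB_8888);
        root.draw(new Canvas(bmp)); // renders only this app's view hierarchy
        return bmp;
    }

    // 2. Capturing the DISPLAY (other apps, system UI): only through MediaProjection,
    //    which shows the system consent dialog. No manifest permission grants this
    //    silently to a third-party app.
    public static void requestDisplayCapture(Activity activity) {
        MediaProjectionManager mpm = (MediaProjectionManager)
                activity.getSystemService(Context.MEDIA_PROJECTION_SERVICE);
        activity.startActivityForResult(mpm.createScreenCaptureIntent(), REQ_PROJECTION);
    }

    // Called from the Activity's onActivityResult. Returns null when the user declined.
    public static MediaProjection onConsentResult(Activity activity, int requestCode,
                                                  int resultCode, Intent data) {
        if (requestCode != REQ_PROJECTION || resultCode != Activity.RESULT_OK || data == null) {
            return null;
        }
        MediaProjectionManager mpm = (MediaProjectionManager)
                activity.getSystemService(Context.MEDIA_PROJECTION_SERVICE);
        return mpm.getMediaProjection(resultCode, data);
    }

    // 3. Defensive knob for sensitive screens (banking, messaging): FLAG_SECURE keeps
    //    the window out of screenshots, MediaProjection captures and the recents
    //    thumbnail. It does NOT stop case 1: code inside the process can still draw
    //    the view into a Bitmap.
    public static void markWindowSecure(Activity activity) {
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                                      WindowManager.LayoutParams.FLAG_SECURE);
    }
}
```

Call markWindowSecure from onCreate before the window is first shown. The practical check when auditing an APK is therefore not "does it call a screenshot API" but "which third-party library in the process can reach View.draw or PixelCopy, and where does the resulting Bitmap go"; only MediaProjection involves a user-visible consent step, and from Android 10 onward it additionally has to be driven from a foreground service declared with the mediaProjection type, which is omitted here.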


Biting the hand that feeds IT © 1998–2020