Analysis of What Information Angry Birds Collects

Some folks have been inquiring about what kind of personal information Angry Birds collects, and who it sends it to, due to a recent New York Times article that briefly discussed our work. I asked some students I work with (Jialiu Lin, Prateek Sachdeva, and Shah Amini) to probe Angry Birds using some static analysis tools, to figure out what specifically it is doing.


Here is the list of third-party APIs that Angry Birds sends location data to:
- flurry (does a lot of analytics for apps; Troy Hunt has a good analysis of what data is being sent to flurry)
- inmobi (targeted mobile advertising)
- jumptap (targeted mobile advertising)
- millennialmedia (targeted mobile advertising)

The device ID is also sent to:
- burstly (does ads, ads optimization, and rewards)
- jumptap (see above)
- millennialmedia (see above)

Other third-party APIs this app uses are:
- greystripe (mobile ad network)
- google ads

Now, I've argued in the past that most smartphone apps are spyware. The primary motivator for gathering all of this information is monetization of apps, rather than maliciousness (though your definition of maliciousness may differ from mine). However, based on our research probing people's expectations of privacy with smartphone apps (PDF of our Ubicomp 2012 paper), we found that many of these uses of personal data were highly surprising to people. People have even uninstalled apps while I give my talk about what these apps do.

Our general position is that we need better policies, visualizations, and tools to help people make better trust decisions about these apps. As such, our current work (done with Janne Lindqvist, Joy Zhang, and Norman Sadeh) is to build better tools to help people understand what's going on with these smartphone apps. One line of work is to crowdsource privacy policies, finding mismatches between expectations and reality (this is the Ubicomp 2012 paper above). Another line of work is to build better tools to help third parties quickly and efficiently probe apps, to understand their privacy and security-related behaviors (you can see a preview of Gort, our analysis tool, here).

Our project is supported by Google, the National Science Foundation, and the National Security Agency. The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of these organizations.
