October is National Cybersecurity Awareness Month. By now you’ve heard a story—or you have a story—about someone mentioning a product casually in a conversation and later seeing an online ad for the product. Once is coincidence. Twice is surprising. But every other day? How do web and mobile ads somehow seem to know what your interests are? How about the gadgets in your home? Do you ever wonder if they are spying on you? You’re not alone.
The internet wouldn’t be the same if websites didn’t track us. We’d probably spend a lot more on impulse buys if we didn’t have persistent shopping carts. And no one wants to have to log into Facebook every time they want to share an article. Websites have many ways of tracking users. You’re probably familiar with cookies, but cookies are just one tracking method. Websites can also track users through many other mechanisms, including unique identifiers in cached content, web storage, and more. There are also sneakier means, such as browser fingerprinting, which don’t rely on a website storing data on your device.
Why do websites want to track your activities? Generally, it’s to show you ads for products or services you might be interested in. Ad networks inject content into many of the sites you visit. They track the pages you’ve visited and then show you ads related to content you’ve looked at on those pages.
How can you stop websites from tracking your activity? The only foolproof solution is to stop using the internet. But let’s be more realistic. A practical (albeit not 100% effective) solution is to open a private browsing window (e.g., Incognito window in Chrome, Private window in Firefox, InPrivate window in Edge). Conduct any browsing that you don’t want tracked in such windows. It’s important to never sign into any websites in private windows, and to close those windows periodically to wipe the data that the websites you visited in them can use to track you.
Website tracking applies to the websites you browse on your desktop and on your mobile device. But mobile devices also offer another avenue for tracking users: apps. Many of the browser-based tracking techniques don’t work with mobile apps; they apply only when you’re using a web browser on your mobile device. For mobile apps installed on your device, the operating system typically generates a unique advertising identifier for your device and shares it with any installed apps that ask for it. Apps can send this identifier to ad networks to track you and figure out what ads to display to you.
How can you stop mobile apps from tracking you this way? Change your device’s settings to generate a different identifier for each app. Each app can still track your activities within that app, but apps cannot collude to track your activities across apps.
Concerns about tracking extend not just to the software on our mobile devices but to the devices themselves. If given permission to do so by end users, mobile apps can retrieve the current location of the device they’re installed on. Devices obtain this information using a variety of methods, including GPS, Wi-Fi geolocation, cellular geolocation, IP geolocation, and more.
How can you prevent mobile device tracking? The best way is to deny apps access to your location information. All versions of iOS and Android 6.0+ allow you to deny installed apps access to specific location information.
Many internet-connected devices now come with a microphone (even if they probably don’t need to). And your smartphone, of course, would be useless without one. But your devices may be listening in on your conversations, even uploading them to the internet.
This is all by design, of course. Consumer devices with on-device keyword spotting listen for a keyword (e.g., “Alexa”) or a key phrase (e.g., “Hey, Siri”) on the device itself. Once they hear the keyword or key phrase, they start recording and sending the recording to server-side components. They don’t normally record and upload all your conversations. But things sometimes do go wrong. (Of course, if any device with a microphone is compromised, malicious software can turn on your microphone and continuously upload your conversations.)
How can you stop your devices from recording you? Check your device settings to see which apps can access the microphone. Do some research before you purchase an internet-connected device in order to understand the information it collects.
Audio recording is just the tip of the potential privacy-invasion iceberg. Many users worry about mobile apps that might be able to record videos or take photographs without permission, or applications that might be able to steal photographs or videos. Access to cameras, as well as previously recorded photographs, on mobile devices is controlled using app permissions.
What happens when you grant an app access to the device’s camera or photos? The app can use the device’s camera or photo library whenever it wants. Depending on the mobile operating system, camera access may or may not be possible when the app is not in the foreground.
Many people put opaque tape over their device cameras, but that doesn’t stop apps from accessing files already on your device. And remember that legitimate apps request and use camera and photo access for various purposes, the most common being to share photos with your friends or to back them up. As with any permissions, be careful which apps you allow to access your camera and photos.
If you’ve ever done anything on the internet (including reading this page), you know there’s no such thing as 100% privacy protection. To live in 2018, we must give up some of our privacy. But not all hope is lost. We simply need to take some precautions to ensure that our activities are as secure as humanly possible.
Personal data security starts with you.
Amit Sethi is a principal consultant at Synopsys. He specializes in mobile security, online game security, and cryptography. Amit’s work includes extracting cryptographic keys from embedded devices using side-channel attacks, designing mechanisms to make those attacks more difficult, and designing a format-preserving encryption algorithm based on well-studied cryptographic primitives for a Fortune 500 company. Even in his free time, Amit enjoys reverse engineering binaries, analyzing open source software, and experimenting with new technologies.