Tuesday, May 15, 2018

Be aware of smartphone apps and games

Touch-screen based smartphones are ubiquitous in the modern world, and can be really useful (especially since along the hardware technology also service providers have lowered their prices by orders of magnitude, making it affordable for anybody). When Apple, and soon after most other phone manufacturers opened up their platforms for digital distribution of apps and games, this caused an explosion in possibilities. The number of such programs available in the different smartphone stores can be counted in the hundreds of thousands, at minimum.

This had another, perhaps at first a bit unforeseen consequence: Firstly, smartphone apps and games became extraordinarily cheap. The average purchase price for such a program very quickly dropped to the 1-2 dollar range (where in the desktop world a completely equivalent program would cost several tens of dollars, sometimes even hundreds). Developers started competing with each other with how cheap they would offer their products. The logical extreme, which was reached in just a few years, was that the vast majority of apps and games are offered for free.

Well, not really free. "Free". Quotation marks extremely pertinent here.

When you download an app or game to your phone for "free", how exactly do you think the developers are making any money? There are, of course, in-app purchases, ie. "microtransactions", but not all apps nor games use them, and even with many that do, it's not their main source of income.

The answer is advertisements. Only a very small fraction of all apps available for smartphones are truly free, without any monetary costs and without any sort of ads.

"Ok", you might think, "sure, there will be some ad banners and some interstitials... they can be slightly annoying, but they aren't such a big deal. I'm ready to suffer them so that I can play this for free."

The thing is, the advertisement kits embedded into these programs are doing more than just downloading and displaying ads on screen. There's a ton of things that they are most often doing behind the scenes, without really informing you in detail.

If you sometimes bother to read the usage licenses of these programs, you will probably find some paragraph that says something like "this software collects anonymous statistics".

That's not a joke. They do. A lot. And on most cases it's completely intentional by the developers (not just the advertisement company.)

When you start the app, when you close it, when you click on a particular button, when you go to a particular screen, which screens or parts of the app/game you spend most of the time with, how long it takes for you to reach a particular level, how many points you get. You name it, chances are that the app/game is collecting info about it, and sending it to some third-party server somewhere, without really telling you about it. This may include as much hardware and software info about your phone that the app can collect (physically and/or legally, sometimes borderline legally). Both developers and advertisers love their statistics.

And, very often, we are not talking about just one single advertisement kit embedded into the app. We are talking about several independent ones, each one collecting usage statistics and other info, and sending it to their respective servers. (I know, I work in the industry. I create these apps and games. It's not like it's a huge secret. It's just not advertised (hah!) a lot.)

In the beginning years these apps could collect a lot of personally identifiable identification from your phone, such as a unique device ID number that uniquely identified your phone. Both Apple and Google have mostly stopped this at the operating system level, as well as in their usage licenses. However, this doesn't stop apps from circumventing these limitations, to varying extents (and, in some cases, perhaps even against the manufacturer's license agreements.) But even today, even though apps may not be able to uniquely identify your actual device, the operating system still offers advertiser-friendly ID numbers for apps to use for targeted advertisement. (Usually the operating system creates a new such ID for each app, so it's harder for the developers/advertisers to see that the same person is using two of their different apps, but the ID is still used to see that it's the same user using the same app every time.)

Many apps and games will offer you the choice of connecting to Facebook. Connect with friends, challenge friends, send posts to your Facebook wall from the game, sync your savedata between devices... all kinds of benefits. But this same Facebook ID also gets sent to the advertisers.

For many years this was your actual, real Facebook ID. The developers and advertisers could see your actual Facebook profile. Later Facebook changed this and started creating app-specific (in a sense "fake") ID numbers, with the same idea that a developer or advertiser couldn't make the connection between two different apps being used by the same user. They also started being extremely strict about asking the user for permission for the app to retrieve the user's information from Facebook (such as real name, email address, and friends list). This is enforced at the API/SDK level (so apps can't bypass this surreptitiously). However, most people will just agree with everything without much thought.

Some apps and games can offer tangible benefits from connecting to Facebook (such as the abovementioned friend challenges, and syncing savedata between devices), but you should be aware of what kind of info the app will be getting from your Facebook profile, which it might be sending to some third-party servers behind the scenes, alongside your usage statistics. Some of these apps and games may be even bending manufacturer usage agreements to do so.

And all these are just the most innocuous, mainstream, legal (even if barely so) apps and games created by known big-name publishers. There are tons and tons of programs that are much less honest. Some of these may be considered borderline malware. There are tons of things that these programs can do to circumvent operating system limitations, or to fool people into agreeing with by just presenting some system message. And there are very little limitations on where all this info is being sent to. In the vast majority of cases the user has absolutely no idea what servers the app is contacting, and what info is being sent there.

Next time you are browing your phone's app store and trying "free" stuff to see if you like them, consider what those apps are doing behind the scenes, and what servers they might be contacting with all kind of info about you or your phone.

No comments:

Post a Comment