The following link: ABSTRACT AND INTRODUCTION TO ANDROID APPLICATION COVERT COMMUNICATIONS will provide you with an audible read of a portion of the MIT document, including the authors' names, the abstract and the introduction. This will serve as a primer for the following article. For the complete document, see the instructions at the end of the article.
I went to public school so I’m not sure who MIT is. I think he was that Mormon who lost the presidential election to BARACK. Apparently, he also analyzes covert communications that Android applications send and receive that have no impact on the functionality of the app. Even if the connections are blocked and the port cannot transmit or receive covert data streams…the application has no degradation in usability.
DEFINING THE TERMS
One of the metrics I found the most disturbing is how often it happens, based on the methodology used. First, let’s define covert communication:
Data transmitted that is hidden and unexpected from the user’s point of view.
Overt communication is:
Data transmitted that contributes to the application’s functionality and is anticipated by the user.
For example, if you are in a chat module or any other share data module of an application where you are transmitting your location, or perhaps contact information or a broadcast about what you are doing or where you are going, you expect that text data or binary (a photo or other file) to get to the person you are sending it to.
You therefore expect the operating system to allow whatever is needed to get it there, and nothing more. You don’t expect a connection to an unrelated server you don’t know about or to another application that you aren’t using to receive anything.
Put into context, in a hypothetical: you are using the ‘Walmart’ application when you see a coupon or an advertisement for a TV you like, because your Mom wants to buy one for your Dad. You send the ad to your Mom with text that says, “Mom: Dad, Birthday present”.
You expect the ad and the text to get to your Mom through the method you designate…email, SMS, App-to-App relay or what have you. For that to happen, both your Mom’s and your email address, phone number, or AppID are needed, and other data like IP addresses will be used.
That is expected.
However, because your Google Android handset has made the relationship connection as to who your Mom and Dad are, the probability that related data gets packaged up becomes a reality. Unlike App Permissions, you don’t know what you are authorizing for transmission or where Android will want to send it. The contact information and other private data you have in contact notes (birth dates, anniversary dates, their relationships to other contacts, work contact information, contact photo and every other field) for all three contact files have been named by a single data point request (which is valid), but only portions of your contact info and portions of your Mom’s contact info are needed…none of your Dad’s is needed.
If that over-arching package of data gets sent to a server that is unrelated to the Walmart app, the carrier service or the email service…that is unexpected, and that’s a problem. That is a big problem.
That is covert communication.
YOUR BATTERY AND DATA PLAN
46% of the connection statements in the study are labeled as covert…that is, data that you don’t expect to be transmitted to some unrelated server, and that has nothing to do with usability (how the app behaves and functions).
That means 46% of the data (which counts against your data plan), and the power it takes to collect, compute, package and transmit that data, could be removed…and magically nothing negatively impacts the application functionality.
In the context of USABILITY
Usability is the expectation you have for an application to do what it is supposed to do when you have gained competency of its operation.
If you use Twitter, when you tweet something, you expect it to broadcast to followers. If you @someone, it goes to @someone. If you include a photo, that photo is to be seen by those who need to see it.
A negative impact on usability would be: some of your followers’ accounts received the tweet package as designed, with fidelity, some didn’t, and perhaps others got a portion of the package. This is hypothetical. Twitter as a service is fairly reliable. But according to the study by MIT, 46% of the data transmitted could be removed and the application would be just as effective.
I have read and have been reminded time and time again that the Android user is generally more technically inclined than the average mobile user when it comes to mobile computing. In that context, it surprises me that they didn’t know about this. If they did, then why didn’t they raise the concern? Most Android users are on limited data plans that can be capped or charged overage by the carrier for going over the limit. This means that Android, and more specifically, Google is directly responsible for the monetary compensation.
When you realize that there are over one billion Android users world-wide, the probability that at least some of them have been penalized for data overage is significant, either through caps (which reduce the quality of the user experience by denying them the speed they pay for) or through monetary penalty (inflation of their monthly bill). There is a really good chance that most of that could have been mitigated by demanding the privacy they deserve.
I actually attempted to construct the research requirement that would be needed to provide nuclear-grenade accuracy of the amount of money that has been unfairly charged to the Android user because of covert communications. 30 minutes later I capitulated.
My head hurt because of all the Google Stupid.
I purposefully did not publish the entirety of the white paper’s 11 pages, including the reference material declared by the authors of the document.
The 2 documents I did use were references for the argument of this article, and they belong to the authors on page 1.
If you would like to view that document in whole, please execute a GOOGLE SEARCH for: “COVERT COMMUNICATION IN MOBILE APPLICATIONS ANDROID MIT“
The above link is directed to a Google Search for the exact text string that you see.
If you would rather complete the query manually…pretty freakin’ please…USE GOOGLE SEARCH