Is Your App Spying on You?

Recently, some users have discovered that the popular social media app WeChat (with over 1.25 billion active users monthly) has been scanning its users’ photo app content in the background every few hours and sending that data back to its servers, as seen here. That left many users frazzled and worried that their privacy was at risk—why would a social media app look at your personal content without direct authorization?

Unfortunately, many other apps do the same thing. WeChat just happens to be one of the more prominent that is currently facing scrutiny. While the company promised to remove the background scanning behavior in a future update, the questions are:

1. What can we do to better protect our privacy?
2. Should we blindly entrust any app or device with our data?

Apps often ask for access to a lot of our private content and system resources. Some of the most commonly requested resources are:

1. Camera: necessary for video communication and picture-taking
2. Microphone: necessary for audio communication
3. Contact list: necessary for convenient and easy connection with people you already know
4. Camera roll: necessary for photo upload and sharing, but legitimate only if the app provides a backup function

For most social media apps, it is almost impossible to not grant them access to our Camera and Microphone. Many people would also prefer the convenience of automatically connecting with their friends instead of manually adding them via phone number or email address so they grant the app access to their Contact List.

But I would argue that apps that don’t provide a backup function for our photos do not need unfettered access to our Camera roll. When we need to share some photos, we do have a choice of sending them from the Camera roll to the social media app, instead of letting the social media app search and pull them from the Camera roll. Personally, I disable the Camera roll access in all the social media apps I use.

When we decide to use an app, we start the process of learning to trust the app developer, which requires constant cultivation by the app developer. App developers need to give users more visibility on when and how their personal data is being accessed and used. Also, app developers should make it as convenient as possible for export of data from another app into their app (as opposed to using import). Make no mistake, to create an app that functions in the background on your cell phone requires highly skilled effort that jumps through some challenging hurdles imposed by the mobile operating system (iOS in particular). The background scanning of personal data when the app has no business doing so is not an innocent mistake. Apps that do this deserve to be called out and users should rightfully be outraged.

The moral of the story is that users should demand transparency from the app developer, and not give them unfettered access to data they don’t need to access. The Apple iOS platform has a decent security infrastructure for app isolation. There is no reason for any iOS app to be sloppy on data access requests. Earlier Android platforms have been almost free-for-all where apps can easily peek into each other’s content without user’s permission. It seems that Google is getting the pressure to fix this problem in its upcoming Android SDK. Some apps may lose some of their older functionalities as a result of Google’s upcoming updates. It is better late than never for Google to finally take user’s data security more seriously on their Android platform. But good riddance to features that have opened security holes.