Mobile devices are continually expanding their functionality and now contain many sensors and communications channels. Sensors include the device’s camera, microphone, gyroscope and accelerometer, while communication channels include cellular, Wi-Fi, Bluetooth and NFC. In recent years, innovative use of these sensors has been on the rise. One trend is the use of device microphones — previously simply a sensor — as a covert communications channel.
Apps can now send and receive ultrasonic signals via speakers and microphones to communicate with mobile devices as well as with TVs, handheld devices, and other IoT devices. Users may be unaware of these communications since the sounds of these signals are near the edge of or outside the human hearing range. These hidden communications are cause for concern among privacy-conscious consumers and enterprises.
Why are Ultrasonic Communications Worrisome?
Ultrasonic communications are not top of mind for device users or enterprise security teams. People aren’t familiar with the technology and don’t think of the many ways device sensors can be used for communications. They also don’t consider the privacy and tracking implications these communications entail. These include:
Behaviour Tracking: Popular ultrasonic SDKs, such as Shopkick, are known to listen for special ultrasonic signals from TV commercials. From the information transmitted in ultrasonic signals, the apps and SDKs know users’ TV viewing habits. In 2016, the Federal Trade Commission (FTC) sent warnings to app developers that their apps may violate the Federal Trade Commission Act by monitoring television-viewing habits.
Precise Location Tracking: In addition to tracking TV commercials and viewing habits, ultrasonic signals can also be used to track users’ exact locations in a way that is more granular than what Android’s normal location permission allows. For instance, apps using ultrasound may know the exact store and level a user is on in a shopping mall, in addition to the latitude and longitude normally provided by the Android system.
Potential for Eavesdropping: SDKs with ultrasonic communications capabilities have continuous access to device microphones. Thus, if a vulnerability exists inside an app with the SDK, it can be abused to eavesdrop on users.
How Common are Ultrasonic SDKs?
Appthority’s analysis of the prevalence of three well-known ultrasonic libraries shows that, while the number of apps with ultrasonic libraries has increased over the years, it is still a small percentage of the billions of apps present in app stores. In enterprises, however, we see a higher prevalence. We found ultrasonic SDKs in 33.33% of enterprises monitored by Appthority.
We also note that Google’s Nearby API, released in July 2017, contains APIs related to ultrasonic communication, and many more apps use it. Although Google provides developer guidelines to be respectful of user privacy and requires an explicit user-initiated action to start Nearby, how closely these guidelines are followed is still unknown.
- Avoid installing apps which request access to the microphone without apparent reason (e.g. game apps)
- Read privacy policies before granting audio data access and usage
- Report to app stores if you notice any apps that track users without explicitly claiming to do so
Appthority MTP protects Appthority’s enterprise customers by detecting microphone access, the presence of popular ultrasonic libraries, and apps with the ability to run in the background.
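The three signals named above (microphone access, a known ultrasonic library, background execution) can be checked against a decoded APK. The following is an added example, not Appthority's code: it assumes a text-form AndroidManifest.xml (as produced by a decoder such as apktool) and a list of class names from the app, and its SDK prefix list and `triage` function are illustrative, with one placeholder entry.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
MIC_PERMISSION = "android.permission.RECORD_AUDIO"
BACKGROUND_PERMISSIONS = {
    "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}
# Class-name prefixes to look for. The first is the Google Play services
# Nearby package; the second is a placeholder, replace it with your own list.
SDK_PREFIXES = {
    "com.google.android.gms.nearby.": "Google Nearby",
    "com.example.ultrasonic.": "placeholder ultrasonic SDK",
}

def triage(manifest_xml, class_names):
    """Return the three signals and a coarse rating for one app."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    has_service = root.find(".//service") is not None
    mic = MIC_PERMISSION in perms
    # Background-capable: declares a service and holds a permission that lets
    # it start or keep running without the user opening the app.
    background = has_service and bool(perms & BACKGROUND_PERMISSIONS)
    sdks = sorted({label for prefix, label in SDK_PREFIXES.items()
                   if any(c.startswith(prefix) for c in class_names)})
    if mic and sdks:
        risk = "high" if background else "medium"
    elif mic or sdks:
        risk = "low"
    else:
        risk = "none"
    return {"microphone": mic, "sdks": sdks, "background": background, "risk": risk}

# Constructed sample input, not taken from a real app.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.game">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name="com.example.ultrasonic.ListenerService"/>
  </application>
</manifest>"""
SAMPLE_CLASSES = ["com.example.game.MainActivity", "com.example.ultrasonic.Decoder"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

A "low" rating here covers apps that show only one of the microphone or SDK signals, such as an app that bundles Nearby without requesting the microphone.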