2

I am wondering how much data an app on my phone can gather. For instance, let's say I download Angry Birds on my Android device and log in with my gmail account. How much information will be available? Can the app see my wi-fi SSID? Can it get my internal and/or external IP address? My physical coordinates?

In addition, if two or more devices are connected to the same wi-fi network, would it be possible for the app to "know" that both of those devices are connected to it?

schroeder
KenAdams
  • If you're worried about a specific app, I would start by checking the permissions you grant to the app when you install it, and the app's EULA and privacy policy which you will have implicitly/explicitly agreed to when you installed it. You see, usually legitimate apps have no need to go sneaking in the shadows for this info when they can get your permission for it instead. – Numeron Oct 22 '17 at 23:06
  • @Numeron - Even reading the policy and EULA, wouldn't the only way be to examine the code? Which most apps don't provide? Yes, the legitimate apps will ask first, but what about malicious apps, who don't prompt for anything, how would the user know without examining the source code? –  Oct 22 '17 at 23:13
  • @S.R You are right, you can never know unless you audit. But why risk getting in big legal trouble secretly exfiltrating personal info when you can be overt about it, safe from legal repercussion and your users still don't know about it because they never read the EULA anyway? – Numeron Oct 23 '17 at 01:40
  • While you and I want to be good and follow the law, and ask for information, there are evil developers that want to cause trouble. For example, look at CCleaner, a piece of software that lots of people trust, and one or a few bad employees with access to the code changed it with malicious intent. Luckily they were caught, but whenever you install software, even after reading the agreements, you still have to put a level of trust in the developers, which is scary to some extent. What makes it worse, you don't find out until someone suffers a hack. –  Oct 23 '17 at 01:42
  • "...would be possible for a company...": What company? The company that made the app? – Anders Oct 23 '17 at 07:17

2 Answers

2

Can the app see my wi-fi SSID?

Yes.

Can it get my internal and/or external IP address?

Yes.

My physical coordinates?

Yes.

In addition, if two or more devices are connected to the same wi-fi network, would it be possible for the app to "know" that both of those devices are connected to it?

Yes.

An app can actually do all that, except for knowing your physical coordinates, without requiring any permissions. This is evident in an app I use, Net Analyzer. The only permission it asks for is Location. When revoking this permission, it can still see a large amount of information regarding your network such as internal/external IP addresses, MAC addresses, other devices on your network, the services running on these devices, etc.

Note that without any permissions your external IP address can be identified - this gives the opportunity to locate your position, although it won't be very accurate.

To stay safe from an app obtaining too much information, I would recommend disabling unnecessary or dangerous permissions as shown in this article. Some app developers show their permissions along with an explanation of why they are required, which is a good way to identify why the permissions are needed, and what permissions can be denied without affecting the performance of the application. It's very difficult to know exactly what an app is doing behind the scenes, and the only real way to know is to decompile the app and view the Java source code.

Joe
0

As far as the internet goes: Anytime you connect to an external site, it doesn't matter what you are doing over the internet, your IP address is visible. That means they can trace you as far as the nearest proxy. That is usually your internet service provider unless you use other means for proxy services. Most of the time internet service providers will not provide information about their clients unless legally required to do so.

Grabbing your WiFi name is possible through software. On an Android device it requires permissions.

Scanning your network for other devices running the same software is fairly simple without any permissions needed because network access is a default permission. If you've ever downloaded a remote control app, you'll notice it doesn't require any permissions and it automatically finds your TV or smart device on your network.

I don't know personally, but I assume your wifi password is hashed once it is stored in your phone. Which basically means the actual key isn't printed anywhere inside your phone.

For your peace of mind: In order for somebody to want any of your WiFi information, they would need to be within a physical range of your network. Most app developers don't know who will download their applications, so hacking you through an app is much more complicated than it's worth.
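Both answers and the first comment come back to which permissions an app holds. As an added example (not code from either answer), this Python script audits a decoded AndroidManifest.xml and separates permissions granted silently at install from those that need a runtime prompt. The sample manifest, the package name and the `EXPOSES` table are constructed for illustration, and it assumes the manifest has already been decoded from the APK (for instance with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What each permission exposes, keyed to the data items raised in the question.
# "normal" permissions are granted at install with no prompt; "dangerous" ones
# need a runtime prompt on Android 6.0+ and can be revoked in Settings.
EXPOSES = {
    "android.permission.INTERNET": ("normal", "sockets: servers see the external IP, LAN hosts are reachable"),
    "android.permission.ACCESS_NETWORK_STATE": ("normal", "connectivity type and state"),
    "android.permission.ACCESS_WIFI_STATE": ("normal", "Wi-Fi details (newer Android also gates the SSID behind location)"),
    "android.permission.CHANGE_WIFI_MULTICAST_STATE": ("normal", "multicast discovery of devices on the LAN"),
    "android.permission.ACCESS_COARSE_LOCATION": ("dangerous", "approximate coordinates"),
    "android.permission.ACCESS_FINE_LOCATION": ("dangerous", "precise coordinates"),
}

# Constructed sample: a decoded manifest for a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.birdgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="com.example.birdgame.permission.C2D_MESSAGE"/>
    <application android:label="Bird Game"/>
</manifest>"""

def audit_manifest(xml_text):
    """Return (silent, prompted, unknown) lists of (permission, note) tuples."""
    root = ET.fromstring(xml_text)
    silent, prompted, unknown = [], [], []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            level, note = EXPOSES.get(name, (None, "not in this table; review manually"))
            bucket = {"normal": silent, "dangerous": prompted}.get(level, unknown)
            bucket.append((name, note))
    return silent, prompted, unknown

if __name__ == "__main__":
    silent, prompted, unknown = audit_manifest(SAMPLE_MANIFEST)
    for title, rows in (("Granted at install (no prompt)", silent),
                        ("Runtime prompt, revocable", prompted),
                        ("Unrecognised", unknown)):
        print(title)
        for name, note in rows:
            print(f"  {name}: {note}")
```

The "granted at install" group is the one to read closely, since the user is never asked about those permissions.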