When you add a new app to your phone, how do you know where it sends data?
The app is a black box from a general user perspective. Without awareness of this issue and the proper tools for analysis, we are, at best, giving our data to apps with nothing more than faith and trust in the goodwill of those who created them. Ignorance at worst.
I like to know where an app is sending my data. This is not just for my own peace of mind regarding privacy but also because it speaks to the integrity and honesty of those who created that app. I want to control where my data goes rather than blindly trust those writing the apps.
My concerns are answered for Android users with a free app called Lumen, created by researchers at the International Computer Science Institute (ICSI). Lumen can be downloaded and used without cost from the Google Play Store.
For me, the process is just to activate Lumen for a short while after installing a new app. I leave the loopback VPN running while I configure and test the app so that when I am finished, I can check the data in Lumen to see what has been recorded. The resulting reports help me make decisions about security and privacy. Sometimes, the data provided by Lumen indicates that I should just delete that new app and find something else.
You should be aware that the loopback VPN that Lumen uses for monitoring seems to go direct, bypassing any device-level proxy settings. This is how it needs to work and is not a fault. However, in my case, I use a proxy.pac file on local connections, so it is not practical to keep the Lumen VPN running except for testing.
I have used Lumen to identify which of my other apps are leaking data and which sites they connect to when they are in use. I have also tested using Lumen to block potentially undesirable sites to see if those blocks affect functionality. These checks have improved my personal security and privacy. They have enabled me to add particular rules to the sitewide proxy.pac, and sometimes has caused me to select a different app for a particular need.
I accept that many apps rely on Google Firebase, AWS services, Google Search, Google API services and similar. Also, blocking connections without due care can cause timeouts and misbehaviour for affected apps. What I am looking for is suspicious connections to uncommon sites – not advertisers (those are better managed in other ways, if desired), and not sites related to core app functionality unless they raise suspicion.
A word on Malware
While the Google Play Store does a lot of good work to eliminate security threats, there have been sufficient incidents of malware being discovered in downloaded apps to indicate that there is still a significant risk to Google Play Store users.
Lumen is not intended to be a replacement for an Android anti-malware app. It is also not a substitute for due diligence checking for malware reports if you choose not to use anti-malware.
With that understood, Lumen allows you to do your own checks on how an app is communicating in the background, identify potential privacy leaks, and increase your awareness of the security and privacy compromises that these apps introduce. I hope you find value in this.
In any case, I keep Lumen on all my devices and occasionally switch on the loopback VPN to do a general check or whenever I am trialling a new app. I hope this helps you as well.