
Lumen and Privacy on Android

When you add a new app to your phone, how do you know where it is sending data?

From a general user's perspective, the app is a black box. Without awareness of this issue and the proper tools for analysis we are, at best, handing our data to apps on nothing more than faith and trust in the goodwill of those who created them, and at worst in plain ignorance.

I like to know where an app is sending my data. Not just for my own peace of mind regarding privacy, but also because it speaks to the integrity and honesty of those who created that app. I want to be the one deciding where my data goes, not the ones writing the apps.

It turns out my concerns are answered for Android users with a free app called Lumen, created by researchers at the International Computer Science Institute (ICSI). Lumen can be downloaded and used without cost from the Google Play Store.

The process for me is just to activate Lumen for a short while after installing a new app. I leave the loopback VPN running while I configure and test the app so that when I am finished I can check the data in Lumen to see what has been recorded. The resulting reports help me make decisions about security and privacy. Sometimes the data provided by Lumen indicates that I should just delete that new app and find something else.

You should be aware that the loopback VPN that Lumen uses for monitoring seems to go direct, bypassing any device-level proxy settings. This is just the way it needs to work and is not a fault. However, in my case I use a proxy.pac file on local connections, so it is not practical to keep the Lumen VPN running except for testing.

I have used Lumen to identify which of my other apps are leaking data and which sites they connect to while in use, and I have done some testing with Lumen's own blocking to see whether blocking potentially undesirable sites affects an app's functionality. These checks have improved my personal security and privacy, enabled me to add particular rules to the sitewide proxy.pac, and in some cases have been reason enough to select a different app for a particular need.

I accept that many apps rely on Google Firebase, AWS services, Google Search, Google API services and similar. Blocking those services will probably cause timeouts and misbehaviour for the affected apps. What I am looking for is suspicious connections to uncommon sites – not advertisers (those are better managed in other ways, if desired), and not sites related to core app functionality unless they raise suspicion.
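As an added illustration of the "particular rules" I add to the sitewide proxy.pac (this is example code, not from the original post or from the Lumen project), here is a PAC file that sends everything DIRECT except hosts flagged during a Lumen session, with an allow list so a domain an app genuinely needs keeps working even when its parent domain is blocked. All hostnames are constructed placeholders, and `hostInDomain` is written out by hand rather than using the PAC built-in `dnsDomainIs` so the same file runs under Node for testing.

```javascript
// Added example, not code from the original post: a sitewide proxy.pac that
// sends everything DIRECT except hosts flagged while an app was being
// watched in Lumen. All hostnames below are constructed placeholders.

// Hosts flagged during Lumen sessions. An entry matches the host itself
// and every subdomain of it.
var BLOCKED_DOMAINS = [
  "tracker.example",         // placeholder: uncommon site an app phoned
  "telemetry.example.net"    // placeholder: another flagged host
];

// Exceptions that must keep working even though a parent domain is
// blocked; checked before the block list so they take precedence.
var ALLOWED_DOMAINS = [
  "api.telemetry.example.net" // placeholder: needed for core app function
];

// True when host equals domain or is a subdomain of it (case-insensitive).
// Written out instead of using the PAC built-in dnsDomainIs so the same
// file runs under Node for testing; "nottracker.example" must not match.
function hostInDomain(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  return host.length > domain.length &&
    host.slice(host.length - domain.length - 1) === "." + domain;
}

// True when host falls under any domain in list.
function hostInList(host, list) {
  for (var i = 0; i < list.length; i++) {
    if (hostInDomain(host, list[i])) return true;
  }
  return false;
}

// Standard PAC entry point. Blocked hosts are pointed at a local port with
// nothing listening, so the connection is refused immediately rather than
// hanging until a timeout; everything else goes DIRECT.
function FindProxyForURL(url, host) {
  if (hostInList(host, ALLOWED_DOMAINS)) return "DIRECT";
  if (hostInList(host, BLOCKED_DOMAINS)) return "PROXY 127.0.0.1:9";
  return "DIRECT";
}
```

As noted above, Lumen's loopback VPN bypasses the device proxy settings, so these rules only take effect once the Lumen VPN is switched off, and only for apps that honour the proxy setting at all.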

A word on Malware

While the Google Play Store does a lot of good work to eliminate security threats, there have been enough incidents of malware being discovered in downloaded apps to indicate that there is still a significant risk to Google Play Store users.

Lumen is not intended to be a replacement for an Android anti-malware app. Nor is it a substitute for due diligence, such as checking for malware reports, if you choose not to use anti-malware.

With that understood, Lumen does allow you to do your own checks on how an app is communicating in the background, identify potential privacy leaks, and generally increase your awareness of the compromises that these apps introduce to your privacy and local network. I hope you find value in this.

In any case, I keep Lumen on all my devices and switch on the loopback VPN occasionally to do a general check, or whenever I am trialling a new app. I hope this helps you as well.