
Secret App Telemetry

Websites, apps, and even your desktop applications may be tracking a lot more of your behaviour than you think. In most cases the reason is simply to deliver a better application from a technical perspective. But sometimes, it's more insidious.



Reasonably Accurate Transcript

Morning everybody. How are you doing today? On this episode of the show, we're going to talk about just how much your computer is sending out information about you without you knowing. So there was a fantastic article in the Wall Street Journal published over the weekend that focused on 11 apps that were actually sending data to Facebook without the users being aware of it.

Now, these focused on mobile applications, but this applies to pretty much anything that you're using. Now, in this particular case, the Wall Street Journal called out a number of health applications. So workout trackers, ovulation and menstruation trackers, a real estate app, a glucose tracker.

They had pretty much, you know, a decent mix, but a lot of them had some really important information and really personal information that was being sent out to a service that Facebook runs called App Events. Now, this is not the only service of this type, but we're going to run down a few of these in this video so that you understand what's going on.

But like I said, this Wall Street Journal article called out these mobile applications, but I run what's called a reverse firewall on my laptop that's running macOS; it's called Little Snitch. Fantastic little application, and it sees all the things that your laptop is requesting and it gives you the option to block them or to allow them.

So I've seen this over the last few years where there's a huge amount of desktop applications that are also sending information out to services like the one that Facebook is running. And I want to talk to you about that issue in this video. So first of all, let me tell you the intended use of a lot of these things, because you're going to see a few different services named: Facebook App Events, Google Analytics, Microsoft's HockeyApp, Apple's TestFlight.

The idea is to allow developers to gather more information about the use of their applications. In the case of TestFlight from Apple and HockeyApp.net from Microsoft, the idea is to gather analytics around stability, around performance, in early stages of an application so that you can have a better development life cycle.

With Apple's TestFlight, it's a very explicit experience. Hey, you're trying a beta. Please give us feedback. This is heavily monitored and there's a lot more telemetry coming from the app than normal. In Microsoft's example, it's not so distinct because it's run for a lot of applications as well.

But we see Google Analytics being used on desktop applications as well. Now you may be thinking, wait a minute. Isn't Google Analytics for web page tracking? Yes, it was originally, but they fully support being installed in a mobile application or desktop application to send custom events back so that you as a developer can track your users or track your application usage.

Now, Facebook App Events has the badge of shame, has the distinction, I don't know how you want to phrase it, as being targeted at collecting those events explicitly for better advertising tuning, to track advertising metrics. And that's according to the Facebook documentation. But all of these apps in their collective sort of category are getting detailed events from applications that are running either on your tablet, your phone or your desktop and sending them back out to a third party somewhere on the net so that they can have fine-grained tracking of what's going on.

Now, what's really important, and what's really sort of shocking to a lot of users, comes at that desktop level. So I mentioned earlier, I run a reverse firewall. Now what most networks and what most operating systems like Windows and like macOS and Linux are set up to do is to block incoming communications. Random services on the internet

can't just call in and start talking to your computer. What they do allow is for your computer to call out and to receive a response. So the way through that wall coming in is if I called you. So that makes total sense. If you pull up a web browser and ping something, you're allowed to see the response from that.

So any application that calls out normally is green-lit, it's wide open. A reverse firewall stops that, and it actually pops up a prompt that says, hey, do you want to allow this type of communication out from this particular application? Now, I use this to narrow down the network traffic that's running on my system.

So I know if anything out of the ordinary is running, that I have a good awareness of that. It helps me just be generally aware, which helps in my line of work, but also just paranoid tinfoil hat. Now there's a lot of services, you know, where you see things like Adobe Creative Cloud calls out to an insane amount of internet addresses.

Microsoft keeps adding new domains that it's talking to. But every once in a while you're running a normal app or a completely localized app that you don't expect is calling out, and you see it calling to these third-party services like HockeyApp, like Google Analytics, and in those cases, it is tracking your usage in some way, shape or form.
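As an added example (not the author's tool and not Little Snitch's own output): a small Python script that parses constructed, reverse-firewall-style outbound connection log lines and reports which applications contacted the third-party telemetry services named above. The log format, the process names and the host-to-service mapping are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Assumed mapping of destination domains to the telemetry services named in
# the transcript. Illustrative only; a real list would be maintained over time.
TELEMETRY_HOSTS = {
    "graph.facebook.com": "Facebook App Events",
    "google-analytics.com": "Google Analytics",
    "hockeyapp.net": "HockeyApp",
}

# Constructed sample log, loosely modelled on the per-connection prompts a
# reverse firewall shows: verdict, process, destination host, port.
SAMPLE_LOG = """\
2019-02-25 09:01:12 ALLOW proc=NoteTaker.app dst=www.google-analytics.com port=443
2019-02-25 09:01:13 ALLOW proc=NoteTaker.app dst=updates.example-vendor.test port=443
2019-02-25 09:02:40 ALLOW proc=PhotoEditor.app dst=rink.hockeyapp.net port=443
2019-02-25 09:03:05 DENY proc=FitnessSync.app dst=graph.facebook.com port=443
2019-02-25 09:03:06 ALLOW proc=Terminal.app dst=github.com port=22
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (?P<verdict>ALLOW|DENY) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+) port=(?P<port>\d+)$"
)


def classify_host(host):
    """Return the telemetry service for host, matching the host itself or any
    parent domain (so rink.hockeyapp.net matches hockeyapp.net), else None."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in TELEMETRY_HOSTS:
            return TELEMETRY_HOSTS[candidate]
    return None


def telemetry_report(log_text):
    """Group every connection to a known telemetry host by the process that
    made it: {process: [(service, host, verdict), ...]}."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the expected format
        service = classify_host(m["dst"])
        if service:
            report[m["proc"]].append((service, m["dst"], m["verdict"]))
    return dict(report)


if __name__ == "__main__":
    for proc, hits in telemetry_report(SAMPLE_LOG).items():
        for service, host, verdict in hits:
            print(f"{proc:16} -> {service} ({host}) [{verdict}]")
```

Only connection metadata (process and destination) is visible here, which matches the point that the payload itself is usually encrypted.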

Now you don't know the specific details because most of the time that data is encrypted. This is happening on mobile without that level of visibility as well. The whole point of the Wall Street Journal article was, hey, this is not cool, you shouldn't be doing this, and I 100% agree. There is a balance to be struck between developers having better information, because it's very costly to manage software that's deployed somewhere.

This is why the industry for big enterprise apps and the majority of apps has gone to a service model, because if you're running it in your services, in your cloud, and you manage all of the back-end infrastructure, it's really easy to fix things and to add new services, add new features to your product.

If it's deployed on somebody's system, you're back into this cycle that we had for decades where you need to push them to do an upgrade. If they have a problem, you're pretty much blind to it; you're relying on them to describe it. So getting some telemetry totally, totally makes sense.

The problem is transparency. That's really at the heart of this article: there's no transparency saying that your information in these cases was being sent to Facebook. And in the case of these very personal health trackers, fitness trackers, even the shopping for real estate, that has critical impacts on your privacy and on your digital well-being.

In the case of some of your desktop applications, that might not have such a big impact, but it is still important to be upfront and transparent with your users. Now, I have yet to find a really good example of a developer saying, hey, I use this service to track what's going on so that we can give better performance, better usage metrics to make a better product for you.

And here's exactly what we are tracking at each step of the way. Making that upfront, making that clear to the user that that's happening, and giving the user the ability to opt out is critical, because this started happening about 5, 6, 7 years ago, where it's standard practice for your applications to call back home and transfer some amount of information that may or may not be sensitive, and you have no idea.

I'm sure it's buried somewhere in the user agreement or in the terms of service or in the privacy policy. But as we've covered many, many times, nobody reads them. And even if you tried, you probably couldn't understand it. So be aware. You can use a tool like a reverse firewall on your desktops, on your laptops, to stop that from happening. On mobile, you don't have as many options. It is an issue we need to be aware of. It's an issue developers need to be clear about. And we need to strike a balance somewhere. What do you think? What's your experience with this issue? Let me know @marknca in the comments down below and, as always, by email at markn.ca.

Hope you're set up for a fantastic day and we'll see you on the next show.
