Earlier this week, a long-lost co-worker sent me a request on Trivia Crack. The message flashed on my iPhone’s screen, and then later popped up in my Facebook notifications. Hours later, an old barfly friend of mine sent another one. And then after a few days passed, a high school classmate sent one as well.
Something had to be up, because not only was I not a big Trivia Crack player, I didn’t even have the app on my phone anymore. So I dropped my classmate a note via Facebook, asking what prompted her to prod me on a game I only played twice, months ago. “You sent me a spin, I thought I returned the favor,” she replied.
Immediately, my mind went racing. It was bad enough this game was doing things in my name without my permission, but what does Trivia Crack know about me? One thing’s for certain: it knows who my Facebook friends are. To learn more, I turned to PrivacyGrade, a website funded by the National Science Foundation that rates apps based on how invasive they are, compared to how people expect them to behave.
“For example, according to studies we have conducted, most people don’t expect games like Cut the Rope to use location data, but many of them actually do,” explains the site. “This kind of surprise is represented in our privacy model as a penalty to an app’s overall privacy grade.” Trivia Crack, despite my experience with it, got a B.
According to Jason Hong, associate professor at Carnegie Mellon’s school of computer science and the head of the team running PrivacyGrade, most apps that collect personal user data do so to make in-app advertising more relevant, similar to how interactive marketing works on the web. For instance, if the app sees that you’re in New York, it will serve you ads for businesses based in the city, rather than Los Angeles.
“We have seen some unusual apps — and these are pretty rare — ones that try to get your contact list information, or also your microphone data so they can record some of the data that’s going around,” Hong says. “As you can imagine, that’s very sensitive, and hugely surprising to a lot of people.”
According to PrivacyGrade’s research, around 70% of the apps they’ve analyzed take very little or no information from users. In fact, when data like my Trivia Crack account is used, it’s not actually the apps themselves that are to blame. Instead, it’s something called a third-party library.
“If you think of an app being made out of a lot of LEGO pieces, some of these pieces were actually offered by other people,” says Hong. For example, Facebook has a library that makes it easy to access their services. So rather than having to write new code to access Facebook, developers just download the code that’s already been prepared for this purpose. These pieces of code are third-party libraries. “If you linked your Trivia Crack to your Facebook account, then they can get a lot more data about you,” says Hong.
For instance, Trivia Crack requests full network access from its users, a necessity for running the game engine, gathering mobile analytics, linking to social networks and serving targeted ads. It also can approximate the user’s location using GPS or Wi-Fi, so it can deliver geographically relevant ads. And curiously, it can both write to your phone’s USB storage and retrieve information on other currently and recently running apps on your phone — two features PrivacyGrade has yet to analyze.
But those are only the things the app can do on its own. The third-party libraries that Trivia Crack uses include Flurry, which provides data such as how frequently the game is used. Its Twitter and Facebook libraries can pull all sorts of personal data that you’ve fed into your social networks, like your list of friends, posts, and demographic information like your name and hometown.
While that may all sound pretty invasive to the casual user, the app gets a passing grade because it’s up-front with asking for this data — and most every user obliges. “Most app developers aren’t trying to creep you out — they’re not evil, they’re just trying to make some money off their work,” says Hong. “The important thing is that you usually get a notification and you have to approve it.”
But there are some bad apples out there in the app marketplace trying to get your data. “The ones with the low grades was a relatively small percentage, and the reason they get this is because they’re usually trying to collect lots of data, and are sharing it with lots of third parties,” says Hong. For instance, some well-known apps have scored Ds on PrivacyGrade’s tests, including Flashlight — Torch LED Light (which is able to record audio using the phone’s microphone), popular game Tiny Tower (which can figure out your phone carrier and even your phone number), and the CVS Pharmacy app (which can connect to your Bluetooth device, among other things).
But the most troubling thing is these apps’ access to third-party libraries, not only because of what personal data these libraries can share, but what high-powered apps can figure out from that information. “They could probably infer things like what kinds of interests you have,” says Hong. In addition to where you are and who you know, some apps can determine what you like, what kind of stores you go to, and more.
Now that I know that, I’ll be even more careful when signing up for apps — and I was already careful before. But it seems like the mystery of my Trivia Crack attack stems from the fact that my Facebook account is still connected to the app. Or, I should say, was connected to it, since I’ve gone into my Facebook settings and severed the link — along with dozens of others. But not all is lost. Trivia Crack taught me something new after all.