
Uninstalling Netmonitor due to privacy concerns


boomerbubba


Like many here, I have used Netmonitor as a tool to try mapping local Sprint towers. But recently I have investigated its privacy settings, and decided to uninstall the app. I wish I had never installed it.

 

Basically, the Android permissions granted to this app would allow it to harvest my phone number and those I contact, the unique IMEI of my device, my location, my WiFi settings, and other detailed data on my Android phone. Plus, it has unlimited Internet access so any harvested information could be sent to any server anywhere without my knowledge. The most recent version asks to expand the privileges even further to read sensitive log data.

 

I can't know that the app is actually doing anything I wouldn't like with my private information, but anyone installing it has to trust the developer not to do so, having granted the Android app permissions. But who is that developer? He has no published identity beyond a Gmail address, and no published privacy policy. I don't even know where he is, but the app's example screenshots on the Google Play site show locations in Belarus. The developer has responded to email questions, but I find the responses very unsatisfactory.

 

According to Google's Play market site, here are the sweeping permissions that Netmonitor is granted when installed:

 

This application has access to the following:

Your location

  • coarse (network-based) location: Access coarse location sources such as the cellular network database to determine an approximate tablet location, where available. Malicious apps may use this to determine approximately where you are. Access coarse location sources such as the cellular network database to determine an approximate phone location, where available. Malicious apps may use this to determine approximately where you are.
  • fine (GPS) location: Access fine location sources such as the Global Positioning System on the tablet, where available. Malicious apps may use this to determine where you are, and may consume additional battery power. Access fine location sources such as the Global Positioning System on the phone, where available. Malicious apps may use this to determine where you are, and may consume additional battery power.

Network communication

  • full Internet access: Allows the app to create network sockets.

Your personal information

  • read sensitive log data: Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the tablet, potentially including personal or private information. Allows the app to read from the system's various log files. This allows it to discover general information about what you are doing with the phone, potentially including personal or private information.

Phone calls

  • read phone state and identity: Allows the app to access the phone features of the device. An app with this permission can determine the phone number and serial number of this phone, whether a call is active, the number that call is connected to and the like.

Storage

  • modify/delete USB storage contents; modify/delete SD card contents: Allows the app to write to the USB storage. Allows the app to write to the SD card.

System tools

  • change Wi-Fi state: Allows the app to connect to and disconnect from Wi-Fi access points, and to make changes to configured Wi-Fi networks.
  • prevent tablet from sleeping; prevent phone from sleeping: Allows the app to prevent the tablet from going to sleep. Allows the app to prevent the phone from going to sleep.

Network communication

  • view network state: Allows the app to view the state of all networks.
  • view Wi-Fi state: Allows the app to view the information about the state of Wi-Fi.

 

I emailed the developer, asking why all these permissions are justified. I also asked who he is and where there is a published privacy policy. The answer I got seemed like incomplete doubletalk to me:

 

Internet is used to get cell location from Google, when app crashes it sends logcat logs if you allow, so I can fix the problem. Thanks.

 

In fact, the cell location does not come from Google on the Internet; rather, the app gets it directly from Android's own API, which gets the coordinates over the air from the cell towers themselves. Several other apps, such as CDMA Field Test, do this without any Internet access at all.

 

(The app's help screen does include another possibility for cell site location, which I have never seen in practice. That other possibility is referred to as "coordinates came from Gears Geolocation API." But Google says the Gears API is deprecated and is no longer available. Even when it did exist, Gears geolocation did not provide a tower location, but the phone's own estimated location. And location is available to an Android app directly from the Android API by the Location permissions alone.)

 

Although CDMA Field Test is not quite as handy, I think it does basically what Netmonitor does for me, but without the privacy concerns and without all the intrusive permissions. In fact, it has no Internet permissions. So I am uninstalling Netmonitor.


If you wanted to create your own app that provided these same features, and maybe even some from CDMA Field Test and Debug...all without the privacy problems, I would be willing to pay some money for it. I think most network geeks would pay $10-$20 for such an app.

 

Robert


Know how to use Wireshark? Install it on a computer on your local network, connect your phone to the same network, then fire up NetMonitor. You'll be able to see all traffic that transpires from your phone to whatever it's connecting to, NetMonitor included.

 

My guess is that the phone will ask Google for its location, given a few parameters, so it can get a quicker GPS fix/tell where it is even if you don't have GPS turned on. Other than that, no information will be sent or received.

 

Some developers are sloppy with the permissions they require on Google Play; it's just an XML file (having done Android development in the past) that guarantees that those functions will be available to the app if it needs to use them. The app doesn't have to use that functionality.


I miss the feature in CM7 where you could revoke whatever permissions you wanted on each app that you didn't want them to have. You can easily break things in some apps but oh well.

 

Sent from my C64 w/Epyx FastLoad cartridge


Unfortunately I lack the hands-on Java and Android programming skills, although I have enough knowledge as an analyst to read the docs and know generally what is possible.

 

For the time being, I will use CDMA Field Test interactively and view its simple maps. For more complex multisite maps, it is easy to export. Edit: Now I am no longer sure CDMA Field Test can log coordinates, even though it captures them interactively. Still exploring that.


Wireshark could be set up to sniff your own WiFi traffic, I think, but not OTA data.

 

 


You can set it to sniff all WiFi traffic in a given area (if the connection is unencrypted). Or if the connection is encrypted, I think you can still sniff anything on your LAN. Been a while since I used it though.


But that still captures only WiFi. I don't know of any way to sniff Internet traffic over the air via Sprint.

 

Sent from my SPH-D700 using Tapatalk 2


For the record, I have received another email from the Netmonitor developer:

 

If you have problems with privileges, don't use it. Cell location from tower is only available in CDMA and not on all towers, so Google Geolocation API is used. I do not collect any data.

 

I am unpersuaded, except for the suggestion that I just don't use the app.

 

But I may be wrong about the capabilities of CDMA Field Test. It does not seem to capture coordinates in its log, even though there are values displayed in the app's main screen for one BSID at a time. (I saw another user here in another thread say he logged coordinates with this app, so I am confused.)

 

Edit: Thanks to tutoring from nseabrook, I now see that CDMA Field Test's logging of both coordinates and signal strength works after all. The trick is that the user must tap the button to email the logs, not just view them onscreen. That includes both a kml file and a csv file. I can work with that just fine.

 

Netmonitor still leaves me queasy. I prefer not to use it.


Again for the record, I received an email from the Netmonitor developer, who says that one recently added feature has been removed in a new version:

 

Crash report is removed from version 0.11.4. Thanks

 


I checked Google Play, and the specific permission for Netmonitor to "read sensitive log data" is no longer there. This effectively backs out the expanded permission that the most recent prior version had requested. All the other permissions remain, notably including full Internet access, and there is no feature of Netmonitor I use that requires that. I still can get what I need from CDMA Field Test, which has less intrusive permissions and no Internet access. So a decision to install Netmonitor comes down to how much one trusts the developer.


I think the Full Internet Access is because of the mapping feature built in. CDMA Field Test takes you out of the program to look at maps of site locations. Which is kind of wonky. But allows the program to not need internet access.

 

Robert via CM9 Kindle Fire using Forum Runner


Maybe. CDMA FT does only map one site at a time, just passing the coordinates. And Netmonitor's map display is certainly handy. (I still prefer to export the data and map it myself anyway.) The developer never mentioned that functionality in our email conversation. He indicated the Internet access is required for whatever method the app uses to try finding GSM locations. There is an Android mapping API that does not require setting up a generalized Internet socket, which is what Netmonitor does. That same socket could also be used for any purpose, and the user would really have no way to know for sure.

 

Unfortunately, Google sometimes bundles Android permissions a little too broadly. For example, an audio app might have a legitimate need to detect that there is an incoming phone call to suppress music output. But giving it permission to do that also gives permission to know my phone number and the number I am connected to.

 

The way the Android ecosystem works, all end users are responsible for their own safe computing after being notified of permissions, which 99 percent of users don't understand. Heck, I consider myself pretty knowledgeable, but I know I have tapped through those permissions when installing apps lots of times. I had to go research this stuff to find out what the permissions meant.

 

The net effect of generalized permissions and fallible human users is that there are some very questionable apps being installed out there. And it is easy to forget that when granting permissions, we users are not granting them just to Google -- or Microsoft, Apple, Facebook, etc. -- corporations with a domestic address and a published privacy policy, but to developers who for all practical purposes are anonymous and beyond legal recourse. A particular developer, known only through his Gmail persona, may be quite benign. But he may also be harvesting private information (phone call records, IMEIs, locations, etc.) for scummy marketers, stalkers, hackers etc. just through social engineering.

 

More egregiously and obviously, right now you can find half a dozen apps on the Google Play market that purport to "boost" the user's cell connection by "optimizing" it or some similar snake oil. I think that advertised functionality is mostly a phony placebo, just resetting the phone or something similar by toggling settings. But if you look at the permissions granted to those apps (which overlap with much of Netmonitor's permissions, including Internet access) they seem to be poised to rape the user's privacy in the background. These apps have tens of thousands of downloads.

 

So I just get suspicious in the presence of three things:

  • Developer is basically an anonymous stranger.
  • App has permissions to read a lot of private data.
  • App has full Internet permissions.

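The last two points of the three-item test in the final post, and the version-to-version permission change discussed earlier in the thread, can be checked from an app's manifest. The Python below is an added example, not part of the thread and not any real app's manifest: it assumes a plain-text (decoded) AndroidManifest.xml, builds constructed samples under the hypothetical package name com.example.cellmapper, and maps the Google Play labels quoted in the first post to their android.permission.* constants.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Manifest constants for the private-data permissions quoted in the first post.
PRIVATE_DATA = {
    P + "ACCESS_COARSE_LOCATION": "coarse (network-based) location",
    P + "ACCESS_FINE_LOCATION": "fine (GPS) location",
    P + "READ_LOGS": "read sensitive log data",
    P + "READ_PHONE_STATE": "read phone state and identity",
}
INTERNET = P + "INTERNET"  # "full Internet access"

def make_manifest(names):
    """Build a constructed plain-text manifest declaring the given permissions."""
    lines = ['  <uses-permission android:name="%s%s"/>' % (P, n) for n in names]
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            ' package="com.example.cellmapper">\n' + "\n".join(lines) + "\n</manifest>")

# Constructed samples, not any real app's files: the ten permissions listed in
# the first post, the same set without READ_LOGS, and the same set without INTERNET.
LISTED = ["ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION", "INTERNET", "READ_LOGS",
          "READ_PHONE_STATE", "WRITE_EXTERNAL_STORAGE", "CHANGE_WIFI_STATE",
          "WAKE_LOCK", "ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE"]
WITH_LOGS = make_manifest(LISTED)
WITHOUT_LOGS = make_manifest([n for n in LISTED if n != "READ_LOGS"])
OFFLINE = make_manifest([n for n in LISTED if n != "INTERNET"])

def declared_permissions(manifest_xml):
    """Return the set of permission names in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n for n in names if n}

def audit(manifest_xml):
    """Flag a manifest that can both read private data and open sockets."""
    perms = declared_permissions(manifest_xml)
    private = sorted(PRIVATE_DATA[p] for p in perms if p in PRIVATE_DATA)
    return {"private_data": private, "internet": INTERNET in perms,
            "flag": bool(private) and INTERNET in perms}

def permission_diff(old_xml, new_xml):
    """Return (added, removed) permissions between two versions of an app."""
    old, new = declared_permissions(old_xml), declared_permissions(new_xml)
    return sorted(new - old), sorted(old - new)

if __name__ == "__main__":
    for label, xml in [("with logs", WITH_LOGS), ("logs removed", WITHOUT_LOGS),
                       ("no Internet", OFFLINE)]:
        print(label, audit(xml))
    print(permission_diff(WITH_LOGS, WITHOUT_LOGS))
```

A flag means only that the capability is declared in the manifest; as a reply in the thread points out, a declared permission does not show that the app uses it.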
