Smartphone apps may be secretly screenshotting you
With every new privacy scandal that erupts across the digital landscape, we smartphone users and digital nomads must ask ourselves the same question: Have we reached diminishing returns on the usefulness of modern technology? It seems sometimes like every new convenience arrives with a litany of security concerns attached.
The latest news to strike a blow to our expectations of digital privacy is that smartphone apps appear to have been taking screenshots of users' devices and records of their keystrokes without their knowledge.
Which Apps Do Experts Suspect of Doing This?
According to the researchers who uncovered this security loophole, "thousands of apps" of several varieties have these capabilities. The apps in question were frequently ones that gather data beyond user input, including location data and even screen orientation.
It might sound mostly harmless at first, but think of the implications of having an app log the keystrokes of your passwords or save a screenshot of a sensitive or financial-related conversation. Depending on the app, the gleaned data and information could be extremely valuable indeed -- and these programs are all gathering it without users' explicit permission to do so.
Who Discovered This, and What's Actually Happening?
Two college students, Elleen Pan and Jingjing Ren, designed a test protocol to appraise 17,000 apps from the Android software ecosystem. While Android was the only operating system they studied in detail, the researchers admit they haven't found anything that indicates other mobile operating systems wouldn't have the same vulnerabilities.
Their first discovery was something they ruled out: These apps can’t harvest audio data from telephone calls. If anything, what they found was worse: About 9,000 apps of the 17,000 they studied had the "potential" to take screenshots and send them to unidentified third parties.
Some of them even took video footage of what was happening onscreen -- including one called "GoPuff," which is a courier service for fast-food delivery. In that case, Pan and Ren discovered the GoPuff app was sending videos and stills to an analytics company called Appsee. None of this required an opt-in or permission from users.
What Can Smartphone Users Do About It?
Although the researchers did not suspect GoPuff of obvious nefarious intent in this case, they emerged emphatic about the severity of this security loophole: "This has the potential to be much worse," they warned. And it's not hard to see how they're right about that.
Most modern operating systems have been slow to close at least a few observable security gaps -- including the total lack of vetting for apps in the Android operating system, as well as the lack of oversight in iOS when it comes to how third-party app developers phrase their permission popups for things like photos, calendar and contacts access.
Our smartphones contain a host of advanced technologies that reveal quite a lot about who we are and how we live -- but often, these developers and their business partners aren't completely forthcoming about how much of your phone's technology they want to tap into for "analytics" or "product improvement" purposes.
So how can smartphone users protect themselves? It depends on how far you want to go.
For example, while there's a lot to be gained by seeking out and installing some third-party apps, most first-party handset makers already include most of the essential digital tools we'll ever need. Third-party plugins and apps, therefore, might be becoming more of a source of frustration and worry than they're worth, in the grand scheme of things.
Therefore, we can solve some of our security concerns about screenshotting and keystroke logging by doing more research about which software and hardware makers need a revenue stream from harvesting user data to survive, and which ones do not.
The researchers who designed this study were taken aback by their findings. And as we mentioned earlier, even if they didn't find clear evidence of wrongdoing, a security oversight like this one most certainly does have the potential to be exploited, and it may already be in use by black-hat application developers and unscrupulous analytics companies.
In fact, the findings are so compelling that Pan might rearrange her future to study the issue further: "This has definitely sparked my interest in research, and I will consider going back to graduate school," she said.
Another piece of advice to emerge here might not sound very helpful, but it's one of the few things smartphone users can do to protect themselves: Read the terms of service. Though they may not spell out everything in full detail, it's a good starting point.
But the bottom line ultimately is as old as the Internet: Always be careful about what information you choose to transmit digitally. Even if the app you're using claims it uses the most robust security measures, some of the apps studied here took screenshots while users were entering text -- including their ZIP codes.
If you're not sure about the app or the service you're using, or it's not clear how they can offer their irresistible services and remain financially solvent, it's time to reconsider that app.
There might be an app for everything, but there doesn't necessarily need to be.
Kayla Matthews is a senior writer at MakeUseOf and a freelance writer for Digital Trends. To read more from Kayla, visit her website productivitybytes.com.