Mitja Immonen
Total Page:16
File Type:pdf, Size:1020Kb
Guiding smartphone users for better privacy Mitja Immonen BACHELOR’S THESIS November 2020 Degree Programme in Media and Arts Interactive Media ABSTRACT Tampereen ammattikorkeakoulu Tampere University of Applied Sciences Degree Programme in Media and Arts Interactive Media IMMONEN, MITJA: Guiding smartphone users for better privacy Bachelor's thesis 63 pages November 2020 Most people in developed countries own a modern smartphone. Smartphones are computers with various sensors and components integrated into a slab of metal and plastic. We carry these devices everywhere, oblivious to the extent of how much the devices can collect behavioral data about us. Every action on the internet leaves a trace behind. This data can be collected systematically to create predictions about people and share the information to advertisers. This thesis researches the different types and ways that data can be collected from smartphones. Using the research and public information as basis, a guide- line was created for the everyday smartphone user to have a toolset for taking back some of their lost privacy. People are becoming increasingly aware of the privacy risks that come with social media and other internet services, but for many of us it is still difficult to know how to prevent data collection and online privacy exploitation. This thesis aims to pro- vide guidance for better smartphone privacy in layman's terms. Keywords: data collection, smartphone, privacy, tracking 3 CONTENTS 1 INTRODUCTION .................................................................................. 6 2 RESEARCH QUESTIONS .................................................................... 8 2.1 Objectives ...................................................................................... 8 2.2 Methods ......................................................................................... 9 3 SIGNIFICANCE OF DATA ACCUMULATION .................................... 11 3.1 Predictions and manipulation ....................................................... 11 3.2 Surveillance Capitalism ................................................................ 12 4 DATA COLLECTION & TRACKING .................................................... 14 4.1 How information can be collected ................................................ 14 4.1.1 Online activity ..................................................................... 14 4.1.2 Device information .............................................................. 16 4.1.3 User Activity ....................................................................... 19 4.1.4 Contact tracing ................................................................... 19 4.2 How information can be used ....................................................... 23 4.2.1 Click wrap and social media tracking .................................. 23 4.2.2 Governmental tracking ....................................................... 24 4.3 Not all data harvesting is malicious .............................................. 27 5 GUIDELINES FOR BETTER PRIVACY .............................................. 28 5.1 Introduction to the guide ............................................................... 28 5.2 Structure of the guide ................................................................... 28 5.3 First part ....................................................................................... 29 5.3.1 Personal threat modeling .................................................... 29 5.3.2 Choosing a phone .............................................................. 32 5.3.3 Setting up a smartphone .................................................... 36 5.3.4 Using the built-in phone features ........................................ 37 5.4 Second part .................................................................................. 39 5.4.1 Using a VPN ....................................................................... 40 5.4.2 Using TOR .......................................................................... 42 5.4.3 Ad blocking and tracking protection .................................... 44 5.5 Third part ...................................................................................... 45 5.5.1 Choosing a ROM ................................................................ 46 5.5.2 MicroG and No Google apps .............................................. 47 5.5.3 Gaining access to the system ............................................. 48 5.5.4 Installing post-root tools ...................................................... 51 5.6 Fourth part ................................................................................... 54 5.6.1 Alternative mobile operating systems ................................. 54 4 5.6.2 Alternative smartphones ..................................................... 55 6 DISCUSSION ..................................................................................... 58 REFERENCES ........................................................................................ 60 5 ABBREVIATIONS AND TERMS Bootloader A computer program that loads an operating system or runtime environment for the computer Botnet A collection of internet-connected devices that have been taken advantage of, generally through malware and can be commanded from a central point. Fastboot Protocol used primarily to modify the flash file system via a USB connection from a host computer. It requires the device be started in a bootloader. Hardening The act of making a device more secure from external threats, physical and non-physical, by adding layers of security Jailbreak Extended access to an iOS device through exploits. ROM Read-only memory Here refers to Android operating system packages, which can be used to replace the built-in operating sys- tem. Root Access to system root level Commonly used in Android development, when the software is modified to allow system root level changes, like administrator rights. Software Framework A collection of software tools which provide a standard way to build applications 6 1 INTRODUCTION While people are increasingly worried about their privacy rights being violated by governments and companies, there seems to be a consensus that there is too little control over the data collection. (Pew Research Center 2019.) One of the easiest targets of data harvesting are smartphones. They have various sensors, cameras, microphones, and antennas while being in near proximity of their owner at most times. Many of us have multiple social apps installed, including messag- ing, networking, and dating apps, of which many seemingly need permissions like location and camera to function. Better privacy for individuals often means worse income and control for compa- nies and governments, which in turn discourages them from doing much for the user’s interest. In the world of smart gadgets, we have a few massive ecosystems like Google’s Android and Apple’s iOS and while they are a necessity in the mod- ern world, we as users have little understanding and control over how they work. By design smartphones are locked down and their users are not allowed to touch the inner workings of their operating systems. Privacy exploitation is not limited to just companies and governments, it can also happen on a low level by relatives and close ones. Individual users might not notice the consequences of tracking and spying when it is done on a large scale by corporations, but when it happens locally, there is an immediate impact. The 2019 coronavirus outbreak has put us all into our homes where we might be stuck with the same people more than we would like to. Forced social distancing seems to have increased domestic violence and attackers have been able to manipulate their victims through modern devices, such as smart home installations (Riley, 2020). Central point of authority is an issue on all levels, scaling from households to corporations. Without a distribution of control, it only takes one malicious actor to turn everything upside down. Google made it impossible for a child to create a 7 Google account without their parent’s consent and complete control over the ac- count (Age requirements on Google Accounts). This brings the question as to when is control acceptable, if parents should know what applications their chil- dren download or which websites they visit. The line between responsible control and invasion of privacy can be vague. 8 2 RESEARCH QUESTIONS 2.1 Objectives This thesis focuses specifically on topics revolving around smartphones. The ob- jective is to gain better understanding of what kind of data exploitation happens through smartphones, how personal data can be used on a global and corporate level and what kind of uses it has on a local and immediate level such as interac- tions with people close to us. The topics will also visit some more general ideas of surveillance capitalism and data being the new “oil”, aiming to gain more awareness of how to behave in this new data-centric world. The final goal of this thesis is to provide people of any skill level a better personal protection by providing a simple but extensive guideline. One approach is the technical aspect of ”hardening” the user’s smartphone, manually adding layers as a sort of a firewall around software that might not respect the user’s privacy. Another, maybe even more important aspect to maintaining online privacy is the social behavior and consciousness of what actions might give away personal data, and to be mindful about those actions in everyday