Have you ever experienced a scenario where your phone presents an ad that is a little too coincidental? For example, an ad for something you were just talking about? You’re not alone! Many people believe their phones are listening to their conversations and it is easy to understand why, with so many unexplained ad-targeting stories out there.

This is not just an individual issue. Even our business customers are worried about whether their employees and executives are being tracked by unwanted parties through their devices.

From our perspective, user privacy is fundamental to mobile security. So we took this “phone snooping” theory to our research labs to settle the question once and for all.

The Test Plan

To test if advertising platforms are listening to conversations through smartphones, we set up an iPhone and a Samsung Galaxy phone in the “audio test room” with a pet food video playing on a loop for 30 minutes. We also ran a control group with the same two devices in the ‘silent test room’ for 30 minutes over three days.

In our testing, we were looking for two main things:

  1. Did the battery consumption, data consumption, or background usage of key applications change during the testing period?
  2. Could we see ads for pet food within these apps after the testing period?

We used our cloud gateway to see the changes in data consumption of the apps on the test devices, and we used the device stats to determine background usage and battery usage.

The testing was performed as follows:

Audio test room

  1. Ensure all iOS and Android user permissions are given to the Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon apps.
  2. Close all apps on the device, disable automatic app updates, and lock the phones.
  3. Leave devices in the room with this pet food YouTube playlist loop on for 30 minutes at 2 PM Pacific Daylight Time each day for three days.
  4. Unlock devices and record battery consumption, data consumption, and background usage of apps after each testing period.
  5. Check Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon apps for any pet food-related ads after each testing period.

Silent test room

  1. Ensure all iOS and Android user permissions are given to the Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon apps.
  2. Close all apps on the device, disable automatic app updates, and lock the phones.
  3. Leave devices in the quiet room for 30 minutes at 2:30 Pacific Daylight Time each day for three days.
  4. Unlock devices and record battery consumption, data consumption, and background usage of apps after each testing period.
  5. Check Facebook, Instagram, Chrome, SnapChat, YouTube, and Amazon apps for any pet food-related ads after each testing period.

What did we find?

Upon examining the results, we found nothing to suggest our phones are activating the microphone or transferring data in response to sound. The data consumption and battery consumption changes were minimal, and in most cases, there was no change at all. We did not see any pet food ads showing up after the tests.

The following two plots (iOS and Android plotted separately) show the data consumption of phones we thought might have been listening versus phones we knew were listening.

These charts show the data consumption (MB) of each app in the test plan during the 30-minute ‘silent room’ test and the 30-minute ‘audio room’ test, and compare these numbers to the data used by Siri and Google Assistant (on iOS and Android respectively) when recording audio and uploading it to the cloud (that is, when we know they are listening).

“We observed that the data from our tests is much lower than the virtual assistant data over the 30-minute time period, which suggests that the constant recording of conversations and uploading to the cloud is not happening on any of these tested apps. If it was, we’d expect data usage to be as high as the virtual assistants’ data consumption.”
- James Mack, Systems Engineer at Wandera

Note on the methodology for determining virtual assistant data usage: For a 3-second sample request of “what’s the weather?”, we witnessed Siri using ~30KB and Google Assistant using ~100KB of data. (These estimates are in line with testing from Ars Technica, which shows the average Siri request uses 36.7KB for local queries and 63KB for queries that require a look-up.) Extrapolating our numbers to back-to-back requests (600 three-second requests in 30 minutes), we estimate that Siri would use ~18MB and Google Assistant would use ~60MB over a 30-minute testing period.

The small amounts of data used likely correlate with the apps waking up to send status updates back to “home base”.
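The comparison described above can be expressed as a small analysis script. This is an added example, not Wandera's tooling: it extrapolates the per-request assistant figures to a 30-minute "known listening" baseline, then checks whether an app's extra traffic in the audio room over its silent-room control comes anywhere near that baseline. The readings, app names and the 25% flagging threshold are assumptions made up for illustration.

```python
from statistics import mean

# Figures from the article: one 3-second request used ~30 KB (Siri) and
# ~100 KB (Google Assistant); each test window lasted 30 minutes.
ASSISTANT_KB_PER_REQUEST = {"ios": 30, "android": 100}
REQUEST_SECONDS = 3
WINDOW_SECONDS = 30 * 60


def listening_baseline_mb(platform):
    """Data a device would use if it recorded and uploaded for the whole window."""
    requests = WINDOW_SECONDS / REQUEST_SECONDS  # 600 back-to-back requests
    return ASSISTANT_KB_PER_REQUEST[platform] * requests / 1000  # 1 MB = 1000 KB


def assess(platform, silent_mb, audio_mb, ratio=0.25):
    """Compare an app's audio-room usage with its silent-room control.

    silent_mb / audio_mb hold one reading per test day. `ratio` is an assumed
    threshold: the share of the baseline the extra traffic must reach to be flagged.
    """
    baseline = listening_baseline_mb(platform)
    delta = mean(audio_mb) - mean(silent_mb)  # traffic attributable to sound
    return {
        "baseline_mb": baseline,
        "delta_mb": round(delta, 3),
        "share_of_baseline": round(delta / baseline, 4),
        "flagged": delta >= ratio * baseline,
    }


def flagged_apps(readings):
    """Return the (platform, app) pairs whose extra traffic reaches the threshold."""
    return sorted(key for key, (silent, audio) in readings.items()
                  if assess(key[0], silent, audio)["flagged"])


# Constructed readings in MB (three days each), not the article's measurements.
SAMPLE = {
    ("ios", "app_a"): ([0.10, 0.12, 0.08], [0.11, 0.15, 0.10]),
    ("android", "app_a"): ([0.50, 0.40, 0.60], [0.70, 0.50, 0.60]),
    ("android", "app_b"): ([0.50, 0.50, 0.50], [20.0, 22.0, 21.0]),  # synthetic positive
}

if __name__ == "__main__":
    for (platform, app), (silent, audio) in SAMPLE.items():
        print(platform, app, assess(platform, silent, audio))
    print("flagged:", flagged_apps(SAMPLE))
```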

So how are we being targeted?

The reality is, advertisers don’t need to listen to our conversations, because they have other clever ways of profiling users. Location data, browsing behavior, IPs, tracking pixels, and social media profiles all provide enough information to predict what you might be thinking about buying.

Tech giants like Google, Facebook, and Amazon know so much about you. These companies use highly effective algorithms and a wide range of data to predict what you might be thinking about with great accuracy.

“Everything that makes your phone useful, like knowing where you are, taking photos, enabling online shopping and banking — these are exactly where the potential weaknesses and vulnerabilities are. The more useful your phone is, the more attractive it is to advertisers, hackers, or anyone who wants your data.”
- Mike Campin, VP of Engineering at Wandera

But just because these major advertising platforms don’t appear to be spying on you through your microphone, it doesn’t mean no one is.

There are numerous cases of cyber attacks where hackers could take control of a user’s camera and microphone. A recent one was Pegasus, the WhatsApp vulnerability that allowed attackers to install spyware on a device simply by making a WhatsApp call.

Last year, Wandera discovered the RedDrop malware outbreak, during which dozens of apps installed dangerous spyware that harvested sensitive user data, including audio, photos, contacts, files, and more.

Recommendations

To preserve your privacy, we recommend the following measures:

  • Only download apps from official app stores
  • Always keep your OS up to date for important security patches
  • Check the app permissions on your device and limit which apps have access to sensitive information, such as your location data
  • Use private browsing or incognito windows where possible
  • Adopt a more privacy-friendly browser – Safari and Firefox have taken steps to protect users from digital fingerprinting
  • Use a trusted VPN
  • Businesses should deploy an enterprise-grade mobile security solution