How Big Star Labs was able to use data collecting apps

An investigation by ad-blocking vendor AdGuard Software Ltd. found that several Chrome and Firefox browser extensions, as well as Android and iOS data collecting apps published by a company called Big Star Labs, were collecting personal browsing data using various tricks -- and without user permission. What types of data were these extensions and apps collecting, and what techniques did Big Star Labs use to get the data?

The use of centralized repositories or app stores to publish apps and add-ons provides many security benefits. And, many times, app stores or repositories will offer basic security checks and reviews to help people better understand applications.

Some app stores, such as the Google Play Store and Apple's App Store, have relatively strict guidelines, while stores provided by other vendors and third-parties may not be as rigorous.

The privacy aspects of central app stores and add-ons are often not well explained even though they create a central point for reviews. Many people purely focus on the functionality or entertainment aspects of an app and not on what permissions or data the app can access or its privacy policy. Even if a user tries to review those items, it's unlikely they would identify any issues without a detailed investigation into an app.

AdGuard, an ad-blocking vendor, recently conducted a detailed investigation into several Big Star Labs add-ons and apps where users may not have been aware of what kind of data the apps were collecting -- the user's browser history. According to AdGuard, some individuals don't realize how sensitive browser history data is or understand how it can be used to uniquely identify and develop a detailed profile on users.

However, browser history data is literally a representation of all of the URLs the user has visited. This can include information about the web browser or endpoint itself, including geolocation data, device names, networks, IP addresses and other device identifiers that can be used to identify a person. This data can be combined with other information about the endpoint in order to identify an individual. Some personal data is incorporated by default into browsing history, such as a username included in a URL, making it easy to identify the person.

App developers often represent their data collecting apps as being helpful to stop ads, speed up internet access and stop pop-ups; however, most modern web browsers offer similar capabilities without exposing personal data. The data collecting apps from Big Star Labs appear to be primarily interested in collecting data after recording every visited URL.

After the initial AdGuard report was published, Google Play and the Chrome Web Store removed the Big Star Labs data collecting apps. However, just a month later, most of the offending apps had been reinstated. In order to help app stores improve their privacy protections, these apps should be reported again.

Ask the expert:
Have a question about enterprise threats? Send it via email today. (All questions are anonymous.)