Bug Fixes, Improvements, ... and Privacy Leaks - A Longitudinal Study of PII Leaks Across Android App Versions

Ren, Jingjing; Lindorfer, Martina; Dubois, Daniel J.; Rao, Ashwin; Choffnes, David; Vallina-Rodriguez, Narseo

doi:10.14722/ndss.2018.23143

Cited by 49 publications

(41 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Other studies have focused on data sharing with third parties. In a longitudinal study Ren et al [43] observed 512 Android apps over eight years of version history and concluded that the increased number of third party domains receiving data lead to higher privacy risk over time. Because third party libraries and their host apps have access to the same Android app permissions, it is often difficult to discern who is processing what data.…”

Section: Privacy Surveysmentioning

confidence: 99%

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Zimmeck

Story

Smullen

et al. 2019

Proceedings on Privacy Enhancing Technologies

132

141

View full text Add to dashboard Cite

The app economy is largely reliant on data collection as its primary revenue model. To comply with legal requirements, app developers are often obligated to notify users of their privacy practices in privacy policies. However, prior research has suggested that many developers are not accurately disclosing their apps’ privacy practices. Evaluating discrepancies between apps’ code and privacy policies enables the identification of potential compliance issues. In this study, we introduce the Mobile App Privacy System (MAPS) for conducting an extensive privacy census of Android apps. We designed a pipeline for retrieving and analyzing large app populations based on code analysis and machine learning techniques. In its first application, we conduct a privacy evaluation for a set of 1,035,853 Android apps from the Google Play Store. We find broad evidence of potential non-compliance. Many apps do not have a privacy policy to begin with. Policies that do exist are often silent on the practices performed by apps. For example, 12.1% of apps have at least one location-related potential compliance issue. We hope that our extensive analysis will motivate app stores, government regulators, and app developers to more effectively review apps for potential compliance issues.

show abstract

Section: Privacy Surveysmentioning

confidence: 99%

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Zimmeck

Story

Smullen

et al. 2019

Proceedings on Privacy Enhancing Technologies

132

141

View full text Add to dashboard Cite

show abstract

“…There are a number of reasons why an app may request permissions outside of those needed for its core functionality, such as for analytics, personalization, testing, performance assessment, advertising (especially for free apps), or support for (unused) functionality in libraries that the app includes. Prior research has shown that many mobile apps request potentially unnecessary permissions [21,27,29] or permissions that are not directly related to their core functionality [2,8,17,24,28,35], or use permissions in unexpected ways [21]. This has also been reported by the press [12,33,37].…”

Section: Introductionmentioning

confidence: 89%

Reducing Permission Requests in Mobile Apps

Peddinti

Bilogrevic

Taft

et al. 2019

Proceedings of the Internet Measurement Conference

View full text Add to dashboard Cite

Users of mobile apps sometimes express discomfort or concerns with what they see as unnecessary or intrusive permission requests by certain apps. However encouraging mobile app developers to request fewer permissions is challenging because there are many reasons why permissions are requested; furthermore, prior work [25] has shown it is hard to disambiguate the purpose of a particular permission with high certainty.In this work we describe a novel, algorithmic mechanism intended to discourage mobile-app developers from asking for unnecessary permissions. Developers are incentivized by an automated alert, or "nudge", shown in the Google Play Console when their apps ask for permissions that are requested by very few functionallysimilar apps-in other words, by their competition. Empirically, this incentive is effective, with significant developer response since its deployment. Permissions have been redacted by 59% of apps that were warned, and this attenuation has occurred broadly across both app categories and app popularity levels. Importantly, billions of users' app installs from the Google Play have benefited from these redactions.

show abstract

“…Demetriou et al [11] present the first measurement system to reveal the potential risk of ad libraries in mobile apps. Recently, researchers have discovered that the third-party ad libraries in mobile apps misuse their inherited permission and access rights to learn and track users' private information without explicit consent [6], [7]. Both static and dynamic analyses tools have been developed to detect privacy leakage in mobile apps.…”

Section: Related Workmentioning

confidence: 99%

“…We install Mitmproxy certificate on the mobile device to decrypt the HTTPs traffic. We also use Monkey, a popular input generation tool used extensively [7], [17], to automate the app interaction by randomly injecting user event sequences. We let Monkey interact with each app for five minutes in order to generate enough traffic for analysis.…”

Section: A Traffic Measurementmentioning

confidence: 99%

Characterizing Location-based Mobile Tracking in Mobile Ad Networks

Lin

Zheng

et al. 2019

2019 IEEE Conference on Communications and Network Security (CNS)

View full text Add to dashboard Cite

Mobile apps nowadays are often packaged with third-party ad libraries to monetize user data. Many mobile ad networks exploit these mobile apps to extract sensitive real-time geographical data about the users for location-based targeted advertising. However, the massive collection of sensitive information by the ad networks has raised serious privacy concerns. Unfortunately, the extent and granularity of private data collection of the location-based ad networks remain obscure. In this work, we present a mobile tracking measurement study to characterize the severity and significance of location-based private data collection in mobile ad networks, by using an automated fine-grained data collection instrument running across different geographical areas. We perform extensive threat assessments for different ad networks using 1,100 popular apps running across 10 different cities. This study discovers that the number of locationbased ads tend to be positively correlated with the population density of locations, ad networks' data collection behaviors differ across different locations, and most ad networks are capable of collecting precise location data. Detailed analysis further reveals the significant impact of geolocation on the tracking behavior of targeted ads, and a noteworthy security concern for advertising organizations to aggregate different types of private user data across multiple apps for a better targeted ad experience.

show abstract

Bug Fixes, Improvements, ... and Privacy Leaks - A Longitudinal Study of PII Leaks Across Android App Versions

Cited by 49 publications

References 30 publications

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

MAPS: Scaling Privacy Compliance Analysis to a Million Apps

Reducing Permission Requests in Mobile Apps

Characterizing Location-based Mobile Tracking in Mobile Ad Networks

Contact Info

Product

Resources

About