ABSTRACT
Nowadays the vast majority of online services provide both a mobile-friendly website and a mobile application to their users. Both are usually released for free, with their developers gaining revenue by allowing advertisements from ad networks to be embedded in their content. To serve more personalized and thus more effective advertisements, ad networks typically deploy pervasive user tracking, which raises significant privacy concerns. As a consequence, users deciding how to access a service, through the web or through an app, have to consider not only their convenience but also which option harms their privacy the least.
In this paper, we aim to answer the question: which of the two options, apps or browsers, protects the users' privacy best? To tackle it, we study a broad range of privacy-related leaks by comparing several popular apps with their web counterparts. These leaks may carry not only personally identifiable information (PII) but also device-specific information that can track the user across applications and across sites on the network, and that allows third parties to link web sessions with app sessions.
Finally, we propose an anti-tracking mechanism that enables users to access an online service through a mobile app without risking their privacy. Our evaluation shows that our approach preserves the user's privacy by reducing the identifiers leaked by apps by 27.41% on average, while imposing a practically negligible latency of less than 1 millisecond per request.
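As an added illustration, not the paper's own code or tool, the Python below shows what the app-versus-web leak comparison and an identifier-stripping anti-tracking rewrite look like: it scans constructed app and web request URLs for constructed device and user identifiers, counts which identifiers reach third-party hosts per channel, and measures the reduction the rewrite achieves. The identifier values, hostnames and the first-party host set are assumptions.

```python
from urllib.parse import urlparse, parse_qsl, urlencode, urlunparse

# Constructed device/user identifiers as a tracker would see them (not real values).
IDENTIFIERS = {
    "advertising_id": "7f3c1e2a-9b4d-4c6e-8a1f-0d2e3b4c5a6d",
    "android_id": "a1b2c3d4e5f60718",
    "imei": "356938035643809",
    "email": "alice@example.com",
}

# Constructed sample traffic: (channel, request URL). Hosts are placeholders.
TRAFFIC = [
    ("app", "https://ads.example-net.test/v1/imp?aid=7f3c1e2a-9b4d-4c6e-8a1f-0d2e3b4c5a6d&imei=356938035643809&slot=3"),
    ("app", "https://api.service.test/login?email=alice%40example.com"),
    ("app", "https://stats.example-net.test/ping?android_id=a1b2c3d4e5f60718"),
    ("web", "https://ads.example-net.test/v1/imp?slot=3&ua=Mozilla"),
    ("web", "https://api.service.test/login?email=alice%40example.com"),
]

# Assumed first-party host(s) of the service; everything else is treated as a third party.
FIRST_PARTY = {"api.service.test"}

def leaked_identifiers(url):
    """Return the names of known identifiers present in the URL's query string."""
    values = set(dict(parse_qsl(urlparse(url).query)).values())
    return {name for name, value in IDENTIFIERS.items() if value in values}

def leaks_by_channel(traffic):
    """Distinct identifiers that app vs web requests expose to third-party hosts."""
    result = {"app": set(), "web": set()}
    for channel, url in traffic:
        if urlparse(url).hostname not in FIRST_PARTY:
            result[channel] |= leaked_identifiers(url)
    return result

def strip_identifiers(url):
    """Anti-tracking rewrite: drop query parameters carrying a known identifier
    from third-party requests; first-party requests are left untouched."""
    parts = urlparse(url)
    if parts.hostname in FIRST_PARTY:
        return url
    kept = [(k, v) for k, v in parse_qsl(parts.query) if v not in IDENTIFIERS.values()]
    return urlunparse(parts._replace(query=urlencode(kept)))

def leak_reduction(traffic):
    """Fraction (0..1) of leaked identifier occurrences removed by strip_identifiers."""
    before = sum(len(leaked_identifiers(u)) for _, u in traffic)
    after = sum(len(leaked_identifiers(strip_identifiers(u))) for _, u in traffic)
    return 1 - after / before if before else 0.0
```

With the constructed traffic, only the app channel leaks device identifiers to third parties, and the rewrite removes every third-party leak while keeping the first-party login intact.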
Title: The Long-Standing Privacy Debate: Mobile Websites vs Mobile Apps