Exposing indirect privacy leaks on mobile apps

Today, we have been informed that the ICSI Haystack Project has been awarded with one of the prestigious Data Transparency Lab 2016 grants. If you are not familiar with the Data Transparency Lab efforts, the DTL is a community of technologists, researchers, policymakers and industry representatives working to advance online personal data transparency through scientific research and design. The initiative is led by Mozilla, Telefonica, and ODI.

Our DTL research proposal aims to illuminate the presence of indirect privacy leaks in mobile apps. A typical privacy-aware user checks the app’s permission list at the time of installing a new Android app from Google Play. Some users may still agree to share part of their personal information with the app developer even when they consider an app permission harmful for their privacy. However, what most users do not know, is that the app developer may not be the only organization collecting their personal information.

As in the browser context, mobile apps can leak user personal information to third parties such as ad networks and analytics services without user awareness and consent. While these services are valuable to app developers, they may track users and collect a vast amount of personal information about them by piggybacking on the permissions requested by the app developer and granted by the user. Google Play does not require the app developer to inform users about the presence of tracking services in Android apps.

Mobile users, and even regulators, lack of tools to understand how mobile apps operate behind the scenes and the organizations collecting user data. Our research and development efforts in the ICSI Haystack project seek to illuminate this dark space with the hope of helping users to stay in control of their online privacy and rise societal awareness.

To that end, we created an interactive map of tracking services on Android apps: the ICSI Panopticon. The image below contains a screenshot of the interactive map.

ICSI Haystack Panopticon Screenshot

The ICSI Haystack Panopticon contains records for more than 1,500 Android apps and it is built upon the data collected from the users of our ICSI Haystack Privacy Monitor app. If you’re one of the, we would like to thank you for your help. If not, we strongly invite you to install the app and contribute to extend our catalogue of Android apps. Note that we collect the data by crowdsourcing means in a completely anonymized way: we do not collect any personal information about our users as we describe in our privacy policy .

Our analysis revealed that 70% of our monitored mobile apps connect at least with one tracking service. A significant fraction of apps even connect to more than 10 tracking services simultaneously. We invite you to play with the Panopticon and identify the organizations collecting your personal information when you use a given app by yourself. As you will notice, there is a strong power law distribution as a few organizations dominate this ecosystem: Crashlytics and Flurry (both owned by Yahoo), Google Analytics, AdJust, AppsFlyer, Mixpanel and Facebook Analytics. Interestingly, many of these services are cross-platform so that they can track you not only in your mobile apps but also in the browser.

We’re working hard to release new app features to help you to better protect your online privacy. We are taking inspiration from Ghostery’s and Privacy Badger browser extensions to enable data flow blockage in an easy-to-use way. Stay tuned!

Leave a Reply

Your email address will not be published. Required fields are marked *