Request For Research Presentations For the PrivacyCon Conference
Is mobile privacy getting better or worse over time? As mobile devices and apps become increasingly present in our everyday lives, the potential for accessing and sharing personal information has grown. The corresponding privacy risks from using these apps have received significant attention, not only from users who are at risk, but also from regulators who enforce laws that protect them. A key problem with the above trend is that once personal information is shared with another party, it can potentially be linked to that individual forever. Thus, monitoring privacy implications of mobile apps should not focus just on a snapshot of their behavior, but also on how their behavior evolved over time. In fact, because apps are regularly updated with new versions (as frequently as once a month on average) that fix bugs, add improve performance, add features, and even change what is shared with other parties, it is essential to study app behavior across versions. In this work, we are the first to conduct a comprehensive, longitudinal study of the privacy implications by studying privacy leaks from historical and current versions of 512 popular Android apps, covering 7,665 app releases over 8 years of app version history. Through automated and scripted interaction with apps and analysis of the network traffic they generate on real mobile devices, we compile a dataset that informs what information is exposed over the Internet (identifiers, locations, passwords, etc.), how it is exposed (encrypted or plaintext), and to whom that information is exposed (first or third party). We analyze this dataset to understand how privacy has changed over time (for individual apps and in aggregate across popular apps), why these trends occur, and what their implications are. Our key findings include: - On average, privacy has worsened over time. We analyze privacy risks along multiple attributes (what PII is leaked, to how many destinations, and whether it is encrypted) independently and in combination. We find that apps increasingly leak more types of PII and to more domains over time, but HTTPS adoption has seen slow growth. When combining these factors, we find that about a quarter of apps (26.3%) are getting better with respect to privacy, but twice as many are getting worse over time (51.1%), with only a small fraction (9.5%) staying the same or exhibiting highly variable privacy risks between versions (13.1%). - HTTPS adoption is slow. Unlike recent trends in HTTPS adoption for Web traffic, we find that apps are slow to adopt HTTPS. In fact, from the moment we see that a domain first starts supporting HTTPS, it takes five years for at least half of the apps in our study to start using it. Overall, the fraction of flows using HTTPS has remained nearly constant over the time period covered by our study. - Third-party tracking is pervasive. While previous work using small snapshots of time demonstrates that third parties collect substantial amounts of PII, we find the problem to be even worse when considering PII leaks across versions. We analyze how third parties (among which several are not highlighted in previous studies) collect locations, email addresses and gender along with tracking identifiers, enabling fine-grained tracking of users and their daily activities. In summary, our key contributions are: (1) a large-scale privacy analysis across multiple apps and app versions, (2) a dataset of network traffic generated by running apps, along with labels describing the PII contained in them, and (3) an analysis of the origins and privacy implications of these information leaks. Our dataset and analysis are publicly available at https://recon.meddle.mobi/appversions/ The attached manuscript that provides more details of our study and findings will appear in NDSS 2018.