research-article

How does misconfiguration of analytic services compromise mobile privacy?

Authors:

Jianwei NiuAuthors Info & Claims

ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

Pages 1572 - 1583

https://doi.org/10.1145/3377811.3380401

Published: 01 October 2020 Publication History

Abstract

Mobile application (app) developers commonly utilize analytic services to analyze their app users' behavior to support debugging, improve service quality, and facilitate advertising. Anonymization and aggregation can reduce the sensitivity of such behavioral data, therefore analytic services often encourage the use of such protections. However, these protections are not directly enforced so it is possible for developers to misconfigure the analytic services and expose personal information, which may cause greater privacy risks. Since people use apps in many aspects of their daily lives, such misconfigurations may lead to the leaking of sensitive personal information such as a users' real-time location, health data, or dating preferences. To study this issue and identify potential privacy risks due to such misconfigurations, we developed a semi-automated approach, Privacy-Aware Analytics Misconfiguration Detector (PAMDroid), which enables our empirical study on mis-configurations of analytic services. This paper describes a study of 1,000 popular apps using top analytic services in which we found misconfigurations in 120 apps. In 52 of the 120 apps, misconfigurations lead to a violation of either the analytic service providers' terms of service or the app's own privacy policy.

References

[1]

2017. Equifax Data Breach. Retrieved May, 2019 from http://fortune.com/2018/09/07/equifax-data-breach-one-year-anniversary/

[2]

2018. AppBrain Android analytics libraries. Retrieved October, 2018 from https://www.appbrain.com/stats/libraries/tag/analytics/android-analytics-libraries

[3]

2018. AppBrain, Firebase. Retrieved October, 2018 from https://www.appbrain.com/stats/libraries/details/firebase/firebase

[4]

2018. AppsFlyer provide encryption option in API setUserEmails. Retrieved October, 2018 from https://support.appsflyer.com/hc/en-us/articles/207032126-AppsFlyer-SDK-Integration-Android

[5]

2018. Crashlytics dashboard. Retrieved October, 2018 from https://stackoverflow.com/questions/34888420/crashlytics-how-to-see-user-name-email-id-in-crash-details/

[6]

2018. Facebook Data Breach. Retrieved May, 2019 from https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html

[7]

2018. Firebase collect user event by default. Retrieved October, 2018 from https://support.google.com/firebase/answer/6317485?hl=en&ref_topic=6317484

[8]

2018. Firebase set user ID. Retrieved October, 2018 from https://frebase.google.com/docs/analytics/userid

[9]

2018. Firebase set user preoperties. Retrieved October, 2018 from https://firebase.google.com/docs/analytics/android/properties

[10]

2018. Firebase user propertise. Retrieved October, 2018 from https://support.google.com/firebase/answer/6317519?hl=en&ref_topic=6317489

[11]

2018. Flurry API setUserId(). Retrieved October, 2018 from https://developer.yahoo.com/flurry/docs/analytics/gettingstarted/technicalquickstart/android/

[12]

2018. Flurry dashboard. Retrieved October, 2018 from https://developer.yahoo.com/flurry/docs/analytics/lexicon/eventreporting/

[13]

2018. GDPR Anonymous Data. Retrieved January, 2020 from https://gdpr-info.eu/recitals/no-26/

[14]

2018. GDPR definition of personal data. Retrieved October, 2018 from https://gdpr-info.eu/art-4-gdpr/

[15]

2018. GDPR Lawfulness of processing. Retrieved January, 2020 from https://gdpr-info.eu/art-6-gdpr/

[16]

2018. GDPR online identifiers for profiling and identification. Retrieved October, 2018 from https://gdpr-info.eu/recitals/no-30/

[17]

2018. Marriott Data Breach. Retrieved May, 2019 from https://www.consumer.ftc.gov/blog/2018/12/marriott-data-breach

[18]

2018. Mixpanel collect user event by default.

[19]

2018. Mixpanel's rule about using API. Retrieved October, 2018 from https://help.mixpanel.com/hc/en-us/articles/360000679006-Managing-Personal-Information

[20]

2018. PlayDron metadata. Retrieved August, 2018 from https://archive.org/details/android_apps&tab=about

[21]

2018. Privacy policy of Crashlytics. Retrieved October, 2018 from https://try.crashlytics.com/terms/privacy-policy.pdf

[22]

2018. Universal Analytics usage guidelines. https://support.google.com/analytics/answer/2795983?hl=en.

[23]

2019. Market share of Firebase. Retrieved August, 2019 from https://www.appbrain.com/stats/libraries/details/firebase/firebase

[24]

2019. Market share of Flurrt. Retrieved August, 2019 from https://www.appbrain.com/stats/libraries/details/flurry/flurry-analytics

[25]

2019. Market share of Google Analytics. Retrieved August, 2019 from https://www.appbrain.com/stats/libraries/details/analytics/google-analytics

[26]

2019. Market share of Mixpanel. Retrieved August, 2019 from https://www.appbrain.com/stats/libraries/details/mixpanel/mixpanel

[27]

2019. Privacy policy of emojidom. Retrieved August, 2019 from http://www.emojidom.com/privacy-policy

[28]

2019. Privacy policy of Staples. Retrieved August, 2019 from https://www.staples.com/hc?id=dbb94c10-973c-478b-a078-00e58f66ba32

[29]

2019. Privacy policy of Shopclues. Retrieved August, 2019 from http://m.shopclues.com/rules-and-policies.html

[30]

2019. UI/Application Exerciser Monkey. Retrieved August, 2019 from https://developer.android.com/studio/test/monkey.html

[31]

2019. Understanding PII in Google's contracts and policies. Retrieved August, 2019 from https://support.google.com/analytics/answer/7686480?hl=en

[32]

Steven Arzt, Siegfried Rasthofer, Christian Fritz, Eric Bodden, Alexandre Bartel, Jacques Klein, Yves Le Traon, Damien Octeau, and Patrick McDaniel. 2014. Flowdroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for android apps. Acm Sigplan Notices 49, 6 (2014), 259--269.

Digital Library

[33]

Mixpanel dashboard. 2018. . Retrieved October, 2018 from https://help.mixpanel.com/hc/en-us/articles/360000865566-Set-up-Your-Tracking/

[34]

William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. 2014. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS) 32, 2 (2014), 5.

Digital Library

[35]

Seungyeop Han, Jaeyeon Jung, and David Wetherall. 2012. A study of third-party tracking by mobile apps in the wild. Univ. Washington, Tech. Rep. UW-CSE-12-03-01 (2012).

[36]

Jie Huang, Oliver Schranz, Sven Bugiel, and Michael Backes. 2017. The ART of App Compartmentalization: Compiler-based Library Privilege Separation on Stock Android. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security. ACM, 1037--1049.

Digital Library

[37]

Xing Liu, Sencun Zhu, Wei Wang, and Jiqiang Liu. 2016. Alde: privacy risk analysis of analytics libraries in the android ecosystem. In International Conference on Security and Privacy in Communication Systems. Springer, 655--672.

[38]

Yuhong Nan, Zhemin Yang, Xiaofeng Wang, Yuan Zhang, Donglai Zhu, and Min Yang. 2018. Finding clues for your secrets: Semantics-driven, learning-based privacy discovery in mobile apps. In Proceedings of the 2018 Annual Network and Distributed System Security Symposium (NDSS)(San Diego, California, USA.

[39]

Siegfried Rasthofer, Steven Arzt, and Eric Bodden. 2014. A Machine-learning Approach for Classifying and Categorizing Android Sources and Sinks. In NDSS, Vol. 14. Citeseer, 1125.

[40]

Abbas Razaghpanah, Rishab Nithyanand, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Mark Allman, Christian Kreibich, and Phillipa Gill. 2018. Apps, Trackers, Privacy, and Regulators: A Global Study of the Mobile Tracking Ecosystem. (2018).

[41]

Abbas Razaghpanah, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian Kreibich, Phillipa Gill, Mark Allman, and Vern Paxson. 2015. Haystack: In situ mobile traffic analysis in user space. arXiv preprint arXiv:1510.01419 (2015), 1--13.

[42]

Jingjing Ren, Martina Lindorfer, Daniel J. Dubois, Ashwin Rao, David R. Choffnes, and Narseo Vallina-Rodriguez. 2018. Bug Fixes, Improvements, ... and Privacy Leaks - A Longitudinal Study of PII Leaks Across Android App Versions. In 25th Annual Network and Distributed System Security Symposium, NDSS 2018, San Diego, California, USA, February 18-21, 2018.

[43]

Jingjing Ren, Ashwin Rao, Martina Lindorfer, Arnaud Legout, and David Choffnes. 2016. Recon: Revealing and controlling pii leaks in mobile network traffic. In Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services. ACM, 361--374.

Digital Library

[44]

Suranga Seneviratne, Harini Kolamunna, and Aruna Seneviratne. 2015. A measurement study of tracking in paid mobile applications. In Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks. ACM, 7.

Digital Library

[45]

Jaebaek Seo, Daehyeok Kim, Donghyun Cho, Insik Shin, and Taesoo Kim. 2016. FLEXDROID: Enforcing In-App Privilege Separation in Android. In NDSS.

[46]

Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D Breaux, and Jianwei Niu. 2016. Toward a framework for detecting privacy policy violations in android application code. In Proceedings of the 38th International Conference on Software Engineering. ACM, 25--36.

Digital Library

[47]

Connor Tumbleson and Ryszard Wisniewski. 2017. Apktool-A tool for reverse engineering 3rd party, closed, binary Android apps.

[48]

Narseo Vallina-Rodriguez, Jay Shah, Alessandro Finamore, Yan Grunenberger, Konstantina Papagiannaki, Hamed Haddadi, and Jon Crowcroft. 2012. Breaking for commercials: characterizing mobile advertising. In Proceedings of the 2012 Internet Measurement Conference. ACM, 343--356.

Digital Library

[49]

Xiaoyin Wang, Xue Qin, Mitra Bokaei Hosseini, Rocky Slavin, Travis D Breaux, and Jianwei Niu. 2018. Guileak: Tracing privacy policy claims on user input data for android applications. In Proceedings of the 40th International Conference on Software Engineering. ACM, 37--47.

Digital Library

[50]

Le Yu, Xiapu Luo, Xule Liu, and Tao Zhang. 2016. Can we trust the privacy policies of android apps?. In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). IEEE, 538--549.

[51]

Yuan Zhang, Min Yang, Bingquan Xu, Zhemin Yang, Guofei Gu, Peng Ning,XSean Wang, and Binyu Zang. 2013. Vetting undesirable behaviors in android apps with permission use analysis. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM, 611--622.

Digital Library

[52]

Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven Bellovin, and Joel Reidenberg. 2017. Automated analysis of privacy requirements for mobile apps. In Proceedings 2017 Network and Distributed System Security Symposium.

Cited By

Pagano FVerderame LRusso EMerlo A(2025)MarvelHideDroid: Reliable on-the-fly data anonymization based on Android virtualizationComputers and Electrical Engineering10.1016/j.compeleceng.2024.109882121(109882)Online publication date: Jan-2025
https://doi.org/10.1016/j.compeleceng.2024.109882
Xiao YNadkarni ALiao XTorres-Arias SDe Carli LZhang Y(2024)Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of MaterialsProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696159(1-11)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696159
Xiao YZhang CQin YAlharbi FXing LLiao XLuo BLiao XXu JKirda ELie D(2024)Measuring Compliance Implications of Third-party Libraries' Privacy Label Disclosure GuidelinesProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670371(1641-1655)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670371
Show More Cited By

Recommendations

Minimal privacy disclosure for Accessing Web services
INFOS '16: Proceedings of the 10th International Conference on Informatics and Systems

Web services are considered as a powerful solution for information systems integration which is based on the service oriented architecture (SOA). Privacy is a big obstacle when using web services. Therefore, accessing web service with minimal privacy ...
Enhancing web services compositions with privacy capabilities
iiWAS '15: Proceedings of the 17th International Conference on Information Integration and Web-based Applications & Services

Web service composition has been extensively studied in recent years. Although a lot of new models and mechanisms have been proposed, many issues in service composition still remain unsolved. Among them, privacy is one of the major concerns. Indeed, ...
Privacy-aware DaaS services composition
DEXA'11: Proceedings of the 22nd international conference on Database and expert systems applications - Volume Part I

Data as a Service (DaaS) builds on service-oriented technologies to enable fast access to data resources on the Web. However, this paradigm raises several new privacy concerns that traditional privacy models do not handle since they only focus on the ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

ICSE '20: Proceedings of the ACM/IEEE 42nd International Conference on Software Engineering

June 2020

1640 pages

ISBN:9781450371216

DOI:10.1145/3377811

General Chairs:
Gregg Rothermel
North Carolina State University
,
Doo-Hwan Bae
KAIST, South Korea

Copyright © 2020 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

SIGSOFT: ACM Special Interest Group on Software Engineering

In-Cooperation

KIISE: Korean Institute of Information Scientists and Engineers
IEEE CS

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 October 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Badges

Artifacts Available / v1.1

Author Tags

Qualifiers

Research-article

Funding Sources

National Science Foundation

Conference

ICSE '20

Sponsor:

SIGSOFT

ICSE '20: 42nd International Conference on Software Engineering

June 27 - July 19, 2020

Seoul, South Korea

Acceptance Rates

Overall Acceptance Rate 276 of 1,856 submissions, 15%

Upcoming Conference

ICSE 2025

2025 IEEE/ACM 46th International Conference on Software Engineering

April 26 - May 3, 2025

Ottawa , ON , Canada

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

18
Total Citations
View Citations
308
Total Downloads

Downloads (Last 12 months)74
Downloads (Last 6 weeks)2

Reflects downloads up to 12 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Pagano FVerderame LRusso EMerlo A(2025)MarvelHideDroid: Reliable on-the-fly data anonymization based on Android virtualizationComputers and Electrical Engineering10.1016/j.compeleceng.2024.109882121(109882)Online publication date: Jan-2025
https://doi.org/10.1016/j.compeleceng.2024.109882
Xiao YNadkarni ALiao XTorres-Arias SDe Carli LZhang Y(2024)Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of MaterialsProceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses10.1145/3689944.3696159(1-11)Online publication date: 19-Nov-2024
https://dl.acm.org/doi/10.1145/3689944.3696159
Xiao YZhang CQin YAlharbi FXing LLiao XLuo BLiao XXu JKirda ELie D(2024)Measuring Compliance Implications of Third-party Libraries' Privacy Label Disclosure GuidelinesProceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security10.1145/3658644.3670371(1641-1655)Online publication date: 2-Dec-2024
https://dl.acm.org/doi/10.1145/3658644.3670371
Inayoshi HKakei SSaito SRubin JLam WCatolino GPoshyvanyk D(2024)Detection of Inconsistencies between Guidance Pages and Actual Data Collection of Third-party SDKs in Android AppsProceedings of the IEEE/ACM 11th International Conference on Mobile Software Engineering and Systems10.1145/3647632.3647991(43-53)Online publication date: 14-Apr-2024
https://dl.acm.org/doi/10.1145/3647632.3647991
Wang YFan MLiu JTao JJin WWang HXiong QLiu T(2024)Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-AppIEEE Transactions on Software Engineering10.1109/TSE.2024.3479288(1-23)Online publication date: 2024
https://doi.org/10.1109/TSE.2024.3479288
Makhdoom IAbolhasan MLipman JShariati NFranklin DPiccardi M(2024)Securing Personally Identifiable Information: A Survey of SOTA Techniques, and a Way ForwardIEEE Access10.1109/ACCESS.2024.344701712(116740-116770)Online publication date: 2024
https://doi.org/10.1109/ACCESS.2024.3447017
Zhu WProksch SGerman DGodfrey MLi LMcIntosh S(2024)What is an app store? The software engineering perspectiveEmpirical Software Engineering10.1007/s10664-023-10362-329:1Online publication date: 2-Jan-2024
https://dl.acm.org/doi/10.1007/s10664-023-10362-3
Tang FØstvold B(2024)User Interaction Data in Apps: Comparing Policy Claims to ImplementationsPrivacy and Identity Management. Sharing in a Digital World10.1007/978-3-031-57978-3_5(64-80)Online publication date: 23-Apr-2024
https://doi.org/10.1007/978-3-031-57978-3_5
Zhang XHeaps JSlavin RNiu JBreaux TWang X(2023)DAISY: Dynamic-Analysis-Induced Source Discovery for Sensitive DataACM Transactions on Software Engineering and Methodology10.1145/356993632:4(1-34)Online publication date: 27-May-2023
https://dl.acm.org/doi/10.1145/3569936
Tahaei MVaniea KRashid A(2023)Embedding Privacy Into Design Through Software Developers: Challenges and SolutionsIEEE Security & Privacy10.1109/MSEC.2022.320436421:1(49-57)Online publication date: Jan-2023
https://doi.org/10.1109/MSEC.2022.3204364
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents