Android Apps Are Invasive and Insecure: Research – Security

According to researchers at the University of Passau in Germany, the way apps fingerprint user behavior poses a greater risk to user privacy than browser fingerprinting.

In a preprint published on arXiv, the researchers argued, “Hybrid app fingerprints may contain account-specific and device-specific information that uniquely identifies a user across multiple devices.”

Browser fingerprinting is well known, but hybrid apps (smartphone apps that combine web components such as JavaScript with native components) are less researched.

In this study, researchers investigated an Android hybrid app that uses WebView to provide browser functionality.

As the researchers put it, “WebView … provides an active communication channel between native Android app components and JavaScript in the browser.”

“JavaScript can access Android app functionality through shared objects,” they said.

“This gives web components the powerful ability to access native Android APIs without requiring separate Android permissions.”

To see what privacy leaks might occur, researchers combined Monkey, a well-known Android testing environment, with WVProfiler, a custom-developed tool for analyzing WebView streams.

Researchers evaluated 20,000 apps from the Play Store, identified over 5,000 that used at least one instance of WebView’s API, and scrutinized 1,000 of them.

Their initial finding was that the built-in browser used in hybrid apps “allows for more sensitive information exposure than a standalone browser” because users cannot configure system-wide privacy policies on Android.

At a minimum, “All hybrid apps in the dataset expose their build number and phone model in their fingerprint.”
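The two findings above, that the WebView bridge exposes native objects to whatever JavaScript the WebView loads, and that the default WebView user agent carries the phone model and build number, are both things an app developer controls. The following is an added example written for this article, not code from the study or from any app it examined; it shows a WebView configured so the bridge is reachable only from one allowlisted HTTPS origin and the platform details are stripped from the user agent. The host name `app.example.com`, the bridge name `AppBridge`, and the `getFeatureFlags` method are assumed placeholders.

```java
import android.content.Context;
import android.net.Uri;
import android.webkit.JavascriptInterface;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/** Hardened WebView setup for a hybrid app (example only, not the study's code). */
public final class HardenedWebView {

    // Assumed: the only origin whose pages may see the JavaScript bridge.
    private static final Set<String> TRUSTED_HOSTS =
            new HashSet<>(Arrays.asList("app.example.com"));

    // Assumed bridge name; trusted pages call window.AppBridge.getFeatureFlags().
    private static final String BRIDGE_NAME = "AppBridge";

    private HardenedWebView() {}

    /** Native object shared with JavaScript. Only @JavascriptInterface methods are callable. */
    public static final class Bridge {
        private final String featureFlags;

        Bridge(String featureFlags) { this.featureFlags = featureFlags; }

        // Returns non-identifying data only: no build number, model, locale or account ID.
        @JavascriptInterface
        public String getFeatureFlags() { return featureFlags; }
    }

    public static WebView create(Context context) {
        WebView webView = new WebView(context);
        WebSettings settings = webView.getSettings();

        settings.setJavaScriptEnabled(true);
        // Keep web content away from local files and content providers.
        settings.setAllowFileAccess(false);
        settings.setAllowContentAccess(false);
        // Refuse http subresources so the https-only rule below cannot be sidestepped.
        settings.setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);

        // The default WebView UA looks like
        // "Mozilla/5.0 (Linux; Android 10; Pixel 3 Build/QQ3A.200805.001; wv) AppleWebKit/..."
        // (constructed sample). Replace the parenthesised platform segment so the
        // build number and phone model are no longer sent with every request.
        settings.setUserAgentString(genericUserAgent(settings.getUserAgentString()));

        // Exposed to every page this WebView loads, hence the navigation allowlist below.
        webView.addJavascriptInterface(new Bridge("{\"newCheckout\":true}"), BRIDGE_NAME);

        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                // Returning true cancels the navigation inside this WebView.
                return !isTrusted(request.getUrl());
            }
        });
        return webView;
    }

    /** shouldOverrideUrlLoading is not consulted for loadUrl(), so check the entry point too. */
    public static boolean loadTrusted(WebView webView, String url) {
        if (!isTrusted(Uri.parse(url))) {
            return false;
        }
        webView.loadUrl(url);
        return true;
    }

    static boolean isTrusted(Uri url) {
        return url != null
                && "https".equalsIgnoreCase(url.getScheme())
                && url.getHost() != null
                && TRUSTED_HOSTS.contains(url.getHost().toLowerCase(Locale.ROOT));
    }

    /** Keeps the engine tokens, drops the "(Linux; Android N; Model Build/ID; wv)" segment. */
    static String genericUserAgent(String defaultUa) {
        String engineTokens = defaultUa.replaceFirst("^Mozilla/5\\.0 \\([^)]*\\)\\s*", "");
        return "Mozilla/5.0 (Linux; Android; wv) " + engineTokens;
    }
}
```

Two caveats a practitioner should keep in mind. The bridge object is visible to any page the WebView renders, so the allowlist in `isTrusted` is what actually scopes it; the `@JavascriptInterface` annotation only limits which methods of the object are callable. And stripping the platform segment removes the model and build number but leaves the Chrome and WebKit version tokens, which still contribute to a fingerprint; the study's point that users cannot set a system-wide policy means this has to be done per app.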

“Second, hybrid apps often violate standard privacy policies,” the study claims.

“In popular apps like Instagram, users have little to no control over the amount of sensitive information exposed through their web components.”

For example, the Instagram app collects phone model, build number, localization information, SDK, Android version, and processor.

Third: Sensitive device- and user-specific information can be collected through a combination of cookies and user agent information.

“This information can be used to uniquely profile users, including identifying their origin and estimating an individual’s financial status,” the study said.

“Additionally, some apps in our dataset attach a user’s account ID (unique to the user) to a cookie to allow the user to be uniquely identified across devices.”

Fourth: “(Potentially) insecure web components violate the integrity of native app objects.”

And finally, while much of the web has switched to HTTPS to protect information passed in URLs, hybrid apps have not caught up.

“These URLs contain sensitive data such as device IDs, IP addresses, advertising identifiers, locale information, and other sensitive data,” the researchers said.

The study was authored by Abhishek Tiwari and Jyoti Prakash with collaborators Alimerdan Rahimov and Christian Hammer.
