Track: Mobile

Session chair: Panos Papadimitratos

• Discontinued Privacy: Personal Data Leaks in Apple Bluetooth-Low-Energy Continuity Protocols
  Guillaume Celosia (Univ Lyon, INSA Lyon, Inria, CITI) and MathieuCunche (Univ Lyon, INSA Lyon, Inria, CITI)

Pre-recorded presentation

Summary:

Apple Continuity protocols are the underlying network component of Apple Continuity services which allow seamless nearby applications such as activity and file transfer, device pairing and sharing a network connection. Those protocols rely on Bluetooth Low Energy (BLE) to exchange information between devices: Apple Continuity messages are embedded in the payload of BLE advertisement packets that are periodically broadcasted by devices. Recently, Martin et al. identified [1] a number of privacy issues associated with Apple Continuity protocols; we show that this was just the tip of the iceberg and that Apple Continuity protocols leak a wide range of personal information. In this work, we present a thorough reverse engineering of Apple Continuity protocols that we use to uncover a collection of privacy leaks. We introduce new artifacts, including identifiers, counters and battery levels, that can be used for passive tracking, and describe a novel active tracking attack based on Handoff messages. Beyond tracking issues, we shed light on severe privacy flaws. First, in addition to the trivial exposure of device characteristics and status, we found that HomeKit accessories betray human activities in a smarthome. Then, we demonstrate that AirDrop and Nearby Action protocols can be leveraged by passive observers to recover e-mail addresses and phone numbers of users. Finally, we exploit passive observations on the advertising traffic to infer Siri voice commands of a user.

• How private is your period?: A systematic analysis of menstrual app privacy policies
  Laura Shipp (Royal Holloway, University of London) and Jorge Blasco (Royal Holloway, University of London)

Pre-recorded presentation

Summary:

Menstruapps are mobile applications that can track a user's reproductive cycle, sex life and health in order to provide them with algorithmically derived insights into their body. These apps are now hugely popular, with the most favoured boasting over 100 million downloads. In this study, we investigate the privacy practices of a set of 30 Android menstruapps, a set which accounts for nearly 200 million downloads. We measured how the apps present information and behave on a number of privacy-related topics, such as the complexity of the language used, the information collected by them, the involvement of third parties and how they describe user rights. Our results show that while common pieces of personal data such as name, email, etc. are treated appropriately by most applications, reproductive-related data is not covered by the privacy policies and in most cases, completely disregarded, even when it is required for the apps to work. We have informed app developers of our findings and have tried to engage them in dialogue around improving their privacy practices.

• The Price is (not) Right: Comparing Privacy in Free and Paid Apps
  Catherine Han (University of California, Berkeley), Irwin Reyes (Two Six Labs / International Computer Science Institute), Álvaro Feal (IMDEA Networks Institute), Joel Reardon (University of Calgary), Primal Wijesekera (University of California, Berkeley), Narseo Vallina-Rodriguez (IMDEA Networks Institute / International Computer Science Institute), and Serge Egelman (International Computer Science Institute / University of California, Berkeley)

Pre-recorded presentation

Summary:

It is commonly assumed that “free” mobile apps come at the cost of consumer privacy and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by comparing the privacy practices of free apps and their paid premium versions, while also gauging consumer expectations surrounding free and paid apps. We use both static and dynamic analysis to examine 5,877 pairs of free Android apps and their paid counterparts for differences in data collection practices and privacy policies between pairs. To understand user expectations for paid apps, we conducted a 998-participant online survey and found that consumers expect paid apps to have better security and privacy behaviors. However, there is no clear evidence that paying for an app will actually guarantee protection from extensive data collection in practice. Given that the free version had at least one third-party library or dangerous permission, respectively, we discovered that 45% of the paid versions reused all of the same third-party libraries as their free versions, and 74% of the paid versions had all of the dangerous permissions held by the free app. Likewise, our dynamic analysis revealed that 32% of the paid apps exhibit all of the same data collection and transmission behaviors as their free counterparts. Finally, we found that 40% of apps did not have a privacy policy link in the Google Play Store and that only 3.7% of the pairs that did reflected differences between the free and paid versions.

• Angel or Devil? A Privacy Study of Mobile Parental Control Apps
  Álvaro Feal (IMDEA Networks Institute / Universidad Carlos III de Madrid), Paolo Calciati (IMDEA Software Institute / Universidad Politécnica de Madrid), Narseo Vallina-Rodriguez (IMDEA Networks Institute / ICSI), Carmela Troncoso (EPFL), and Alessandra Gorla (IMDEA Sofware Institute)

Pre-recorded presentation

Summary:

Android parental control applications are used by parents to monitor and limit their children’s mobile behaviour (e.g., mobile apps use, Internet browsing, calls, and text messages). In order to offer this service, parental control apps require access to sensitive data and system resources which may significantly reduce the dangers associated with kids’ online activities, but it also raises important privacy concerns which are overlooked by European security centers providing recommendations to the public. We conduct the first in-depth study of the Android parental control applications ecosystem from a privacy and regulatory point of view. We exhaustively study 46 apps which have a combined 20M installs in the Google Play Store. Using a combination of static and dynamic analysis we find that, among others: these apps are on average more permission-hungry than the top 150 apps in the Google Play Store, and tend to request more dangerous permissions with new releases; 11% of the apps transmit personal data in the clear; 34% of the apps gather and send personal information without appropriate consent; and 72% of the apps share data with third parties (including online advertising and analytics services) without mentioning their presence in the apps’ privacy policies. In summary, parental control applications lack of transparency and lack of compliance with regulatory requirements can have severe implications for children’s privacy. Therefore, it is necessary to develop stricter auditing tools that incorporate transparency and privacy risk analysis before recommending their use to concerned parents.