Android apps are invasive and insecure: Study – Security

According to researchers at the University of Passau, the way apps capture user behavior via fingerprints poses a greater risk to user privacy than browser fingerprints.

In a preprint published at arXiv, the researchers claimed that “fingerprints in hybrid apps may contain account-specific and device-specific information that uniquely identifies users across multiple devices.”

While browser fingerprinting is well known, there is less research on hybrid apps – smartphone apps that combine web components like JavaScript and native components.

In this study, researchers examined Android hybrid apps that use WebView to provide browser functionality.

As the researchers noted, “WebView…provides an active communication channel between the native Android app component and JavaScript in the browser.”

“JavaScript can access the functionality of the Android app through shared objects,” they said.

“This grants web components powerful opportunities to access native Android APIs without having to request Android permissions individually.”

To see what privacy leaks might occur, the researchers combined a well-known Android test environment, Monkey, with WVProfiler, a custom-built tool for analyzing WebView streams.

The researchers evaluated 20,000 apps from the Play Store and identified more than 5,000 that used at least one instance of WebView’s APIs, of which they examined 1,000 in depth.

Their first finding was that because users can’t configure system-wide privacy policies in Android, the built-in browser used by hybrid apps “exposes more sensitive information than the standalone browser.

At least: “All hybrid apps in our dataset show the build number and phone model in their fingerprints.”

Second, hybrid apps often violate standard privacy policies,” the study said.

“Famous apps like Instagram offer their users little to no control over the amount of sensitive information released through web components.”

For example, Instagram app collects phone model, build number, localization information, SDK, Android version and processor.

Third, the combination of cookies and user agent information can collect sensitive device and user specific information.

“This information can be exploited to uniquely profile a user, for example to identify origin
and assessing personal financial status,” the study said.

“Also, some apps in our dataset append their users’ account IDs (unique to a user) to the cookies, which allows their users to be uniquely identified across different devices.”

Fourth, “(Potentially) insecure web components violate the integrity of a native app’s object.”

Finally, while most of the web has switched to HTTPS to protect information passed in URLs, hybrid apps have not caught up: “32 percent of the apps in our dataset disclose sensitive information over unencrypted communication protocols like HTTP.” .

“These URLs contain sensitive data such as device IDs, IP addresses, advertising identifiers,
location information and other sensitive data,” the researchers said.

The study was authored by Abhishek Tiwari and Jyoti Prakash along with co-researchers Alimerdan Rahimov and Christian Hammer.