Analysis of Longitudinal Changes in Privacy Behavior of Android Applications

Privacy concerns about smart devices have long been raised, and those around Android apps have been studied in many past works. Over the past 10 years, we have crawled and scraped data for almost 1.9 million apps, and also stored the APKs for 135,536 of them. In this paper, we examine the trends in how Android apps have changed over time with respect to privacy, from two perspectives: (1) how privacy behavior in apps has changed as they are updated over time, and (2) how these changes can be accounted for when comparing third-party libraries and the app's own internals. To study this, we examine the adoption of HTTPS, whether apps scan the device for other installed apps, the use of permissions for privacy-sensitive data, and the use of unique identifiers. We find that privacy-related behavior has improved with time as apps continue to receive updates, and that the third-party libraries used by apps are responsible for more issues with privacy. However, we observe that in the current state of Android apps, there has not been enough of an improvement in terms of privacy, and many issues still need to be addressed.
