Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps

While many studies have looked at privacy properties of the Android and Google Play app ecosystem, comparatively much less is known about iOS and the Apple App Store, the most widely used ecosystem in the US. At the same time, there is increasing competition around privacy between these smartphone operating system providers. In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy. We find that third-party tracking and the sharing of unique user identifiers were widespread in apps from both ecosystems, even in apps aimed at children. In the children’s category, iOS apps tended to use less advertising-related tracking than their Android counterparts, but could more often access children’s location. Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law, including 1) the use of third-party tracking without user consent, 2) the lack of parental consent before sharing personally identifiable information (PII) with third parties in children’s apps, 3) the non-data-minimising configuration of tracking libraries, 4) the sending of personal data to countries without an adequate level of data protection, and 5) the continued absence of transparency around tracking, partly due to design decisions by Apple and Google. Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.
