AppInspect: large-scale evaluation of social networking apps

Third-party apps for social networking sites have emerged as a popular feature of online social networks and are used by millions of users every day. In exchange for additional features, users grant third parties access to their personal data. However, these third parties do not necessarily protect that data to the same extent as the social network providers do. To automatically analyze the unique privacy and security issues of social networking applications on a large scale, we propose a novel framework called AppInspect. Our framework enumerates available social networking apps and collects metrics such as the personal information transferred to third-party developers. AppInspect furthermore identifies web trackers as well as information leaks, and provides insights into the hosting infrastructures of apps. We implemented a prototype of our framework to evaluate Facebook's application ecosystem. Our evaluation shows that AppInspect is able to detect malpractices of social networking apps in an automated fashion. During our study we collaborated with Facebook to mitigate shortcomings of popular apps that affected the security and privacy of millions of social networking users.