Alde: Privacy Risk Analysis of Analytics Libraries in the Android Ecosystem

  • Conference paper
Security and Privacy in Communication Networks (SecureComm 2016)

Abstract

While much effort has been made to detect and measure the privacy leakage caused by the advertising (ad) libraries integrated in mobile applications (i.e., apps), analytics libraries, which are also widely used in mobile apps, have not been systematically studied for their privacy risks. Unlike ad libraries, the main function of analytics libraries is to collect users’ in-app actions. Hence, by design, analytics libraries are more likely to leak users’ private information.

In this work, we study what information is collected by the analytics libraries integrated in popular Android apps. We design and implement a tool called “Alde”. Given an app, Alde employs both static analysis and dynamic analysis to detect the data collected by analytics libraries. We also study what private information can be leaked by the apps that use the same analytics library. Moreover, we analyze apps’ privacy policies to see whether app developers have notified the users that their in-app action information is collected by analytics libraries. Finally, we select 8 widely used analytics libraries to study and apply our method to 300 apps downloaded from both Chinese app markets and Google Play. Our experimental results point to the emerging need for better regulating the use of analytics libraries in Android apps.

Notes

  1. “users’ in-app actions” means the users’ behaviors when they are using an app, such as opening the app, browsing different pages in the app, pressing a button in the app, etc.

  2. We download Chinese apps from “Wandoujia” market. “Wandoujia” is a famous Android app market in China.

  3. Some Chinese apps do not have corresponding English names, so we use their package names instead.

Acknowledgment

We thank the anonymous reviewers for their insightful comments. This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China, under Grant K14C300020, in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, and in part by the 111 Project under Grant B14005. The work of Sencun Zhu was partially supported by NSF CCF-1320605 and CNS-1618684.

Corresponding author

Correspondence to Wei Wang.

Copyright information

© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering

About this paper

Cite this paper

Liu, X., Zhu, S., Wang, W., Liu, J. (2017). Alde: Privacy Risk Analysis of Analytics Libraries in the Android Ecosystem. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_36

  • DOI: https://doi.org/10.1007/978-3-319-59608-2_36

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-59607-5

  • Online ISBN: 978-3-319-59608-2

  • eBook Packages: Computer Science (R0)
