Abstract
While much effort has been made to detect and measure the privacy leakage caused by the advertising (ad) libraries integrated in mobile applications (i.e., apps), analytics libraries, which are also widely used in mobile apps, have not been systematically studied for their privacy risks. Unlike ad libraries, the main function of analytics libraries is to collect users’ in-app actions. Hence, by design, analytics libraries are more likely to leak users’ private information.
In this work, we study what information is collected by the analytics libraries integrated in popular Android apps. We design and implement a tool called “Alde”. Given an app, Alde employs both static analysis and dynamic analysis to detect the data collected by analytics libraries. We also study what private information can be leaked by the apps that use the same analytics library. Moreover, we analyze apps’ privacy policies to see whether app developers have notified the users that their in-app action information is collected by analytics libraries. Finally, we select 8 widely used analytics libraries to study and apply our method to 300 apps downloaded from both Chinese app markets and Google Play. Our experimental results highlight the emerging need to better regulate the use of analytics libraries in Android apps.
Notes
1. “Users’ in-app actions” means the users’ behaviors when they are using an app, such as opening the app, browsing different pages in the app, pressing a button in the app, etc.
2. We download Chinese apps from the “Wandoujia” market. “Wandoujia” is a famous Android app market in China.
3. Some Chinese apps do not have corresponding English names, so we use their package names instead.
Acknowledgment
We thank the anonymous reviewers for their insightful comments. This work was supported in part by the Scientific Research Foundation through the Returned Overseas Chinese Scholars, Ministry of Education of China, under Grant K14C300020, in part by Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, and in part by the 111 Project under Grant B14005. The work of Sencun Zhu was partially supported by NSF CCF-1320605 and CNS-1618684.
Copyright information
© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Liu, X., Zhu, S., Wang, W., Liu, J. (2017). Alde: Privacy Risk Analysis of Analytics Libraries in the Android Ecosystem. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_36
DOI: https://doi.org/10.1007/978-3-319-59608-2_36
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59607-5
Online ISBN: 978-3-319-59608-2
eBook Packages: Computer Science, Computer Science (R0)