Abstract
Like other segments of the population, elderly people are also rapidly adopting the use of various mobile apps, and numerous apps are also being developed exclusively focusing on their specific needs. Mobile apps help the elderly to improve their daily lives and connectivity, and their caregivers or family members to monitor the loved ones’ well-being and health-related activities. While very useful, these apps also deal with a lot of sensitive private data such as healthcare reports, live location, and Personally Identifiable Information (PII) of the elderly and caregivers. While the privacy and security issues in mobile applications for the general population have been widely analyzed, there is limited work that focuses on elderly apps. We shed light on the privacy and security issues in mobile apps intended for elderly users, using a combination of dynamic and static analysis on 146 popular Android apps from Google Play Store. To better understand some of these apps, we also test their corresponding IoT devices. Our analysis uncovers numerous security and privacy issues, leading to the leakage of private information and allowing adversaries to access user data. We find that 95/146 apps fail to adequately preserve the security and privacy of their users in one or more ways; specifically, 15 apps allow full account takeover, and 9 apps have an improper input validation check, where some of them allow an attacker to dump the database containing elderly and caregivers’ sensitive information. We hope our study will raise awareness about the security and privacy risks introduced by these apps, and direct the attention of developers to strengthen their defensive measures.
Notes
- 1. The term “vulnerable user” means a person “at-risk” due to his/her particular circumstances, and not to be confused with an app having a security “vulnerability”.
- 2. The keywords include: “elderly”, “old”, “senior”, “dementia”, “Alzheimer’s”, “retirement”, “senior dating”, “pension”, “seniority”, “caregiver”, “memory”, “maturity”, “retiree”, “Electronic Visit Verification”, “EVV”, “senior health”, “memory games”.
- 7. A domain is considered to be a third-party domain if an app from a developer connects to it to enable third-party functions. Thus, the domain certificate owner is not the same as the developer of the app.
- 8. Enables communication between multiple apps of the same developer. Only granted if the requesting app is signed with the same certificate.
Acknowledgements
This work was partly supported by a grant from the Office of the Privacy Commissioner of Canada (OPC) Contributions Program.
Copyright information
© 2023 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Kapoor, P., Pagey, R., Mannan, M., Youssef, A. (2023). Silver Surfers on the Tech Wave: Privacy Analysis of Android Apps for the Elderly. In: Li, F., Liang, K., Lin, Z., Katsikas, S.K. (eds) Security and Privacy in Communication Networks. SecureComm 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 462. Springer, Cham. https://doi.org/10.1007/978-3-031-25538-0_35
DOI: https://doi.org/10.1007/978-3-031-25538-0_35
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25537-3
Online ISBN: 978-3-031-25538-0
eBook Packages: Computer Science, Computer Science (R0)