Investigating Fingerprinters and Fingerprinting-Alike Behaviour of Android Applications
Fingerprinting of browsers has been thoroughly investigated. In contrast, mobile phone applications offer a far wider array of attributes for profiling, yet fingerprinting practices on this platform have hardly received attention.
In this paper, we present the first (to our knowledge) investigation of Android libraries by commercial fingerprinters. Interestingly enough, there is a marked difference with fingerprinting desktop browsers. We did not find evidence of typical fingerprinting techniques such as canvas fingerprinting. Secondly, we searched for behaviour resembling that of commercial fingerprinters. We performed a detailed analysis of six similar libraries. Thirdly, we investigated \(\sim \)30,000 apps and found that roughly 19% of these apps is using one of the these libraries. Finally, we checked how often these libraries were used by apps subject to the Children’s Online Privacy Protection Act (i.e. apps targeted explicitly at children), and found that these libraries were included 21 times.
- 1.Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., Preneel, B.: FPDetective: dusting the web for fingerprinters. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013), pp. 1129–1140. ACM (2013)Google Scholar
- 2.Children’s Online Privacy Protection Act of 1998 (COPPA). United States federal law, 15 U.S.C. §§ 6501–6506, Pub.L. 105–277, 112 Stat. 2681-728, enacted October 21, 1998Google Scholar
- 4.Hupperich, T., Maiorca, D., Kührer, M., Holz, T., Giacinto, G.: On the robustness of mobile device fingerprinting: can mobile users escape modern web-tracking mechanisms? In: Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015), pp. 191–200. ACM (2015)Google Scholar
- 6.Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: Proceedings of the 2016 IEEE Symposium on Security and Privacy (S&P 2016), pp. 878–894. IEEE (2016)Google Scholar
- 7.Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (S&P 2012), pp. 413–427. IEEE (2012)Google Scholar
- 8.Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Proceedings of 2012 Workshop on Web 2.0 Security and Privacy (W2SP 2012), pp. 1–12. IEEE (2012)Google Scholar
- 9.Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: Proceedings of the 2013 IEEE Symposium on Security and privacy (S&P 2013), pp. 541–555. IEEE (2013)Google Scholar
- 11.Reyes, I., Wijesekera, P., Reardon, J., On, A.E.B., Razaghpanah, A., Vallina-Rodriguez, N., Egelman, S.: “Won’t somebody think of the children?” Examining coppa compliance at scale. PoPETs 2018(3), 63–83 (2018)Google Scholar
- 12.Spooren, J., Preuveneers, D., Joosen, W.: Mobile device fingerprinting considered harmful for risk-based authentication. In: Proceedings of the Eighth European Workshop on System Security (EuroSec 2015), pp. 6:1–6:6. ACM (2015)Google Scholar
- 14.Vallina-Rodriguez, N., Sundaresan, S., Razaghpanah, A., Nithyanand, R., Allman, M., Kreibich, C., Gill, P.: Tracking the trackers: towards understanding the mobile advertising and tracking ecosystem. CoRR abs/1609.07190 (2016)Google Scholar