Advertisement

Investigating Fingerprinters and Fingerprinting-Alike Behaviour of Android Applications

  • Christof Ferreira Torres
  • Hugo Jonker
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11099)

Abstract

Fingerprinting of browsers has been thoroughly investigated. In contrast, mobile phone applications offer a far wider array of attributes for profiling, yet fingerprinting practices on this platform have hardly received attention.

In this paper, we present the first (to our knowledge) investigation of Android libraries by commercial fingerprinters. Interestingly enough, there is a marked difference with fingerprinting desktop browsers. We did not find evidence of typical fingerprinting techniques such as canvas fingerprinting. Secondly, we searched for behaviour resembling that of commercial fingerprinters. We performed a detailed analysis of six similar libraries. Thirdly, we investigated \(\sim \)30,000 apps and found that roughly 19% of these apps is using one of the these libraries. Finally, we checked how often these libraries were used by apps subject to the Children’s Online Privacy Protection Act (i.e. apps targeted explicitly at children), and found that these libraries were included 21 times.

References

  1. 1.
    Acar, G., Juarez, M., Nikiforakis, N., Diaz, C., Gürses, S., Piessens, F., Preneel, B.: FPDetective: dusting the web for fingerprinters. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security (CCS 2013), pp. 1129–1140. ACM (2013)Google Scholar
  2. 2.
    Children’s Online Privacy Protection Act of 1998 (COPPA). United States federal law, 15 U.S.C. §§ 6501–6506, Pub.L. 105–277, 112 Stat. 2681-728, enacted October 21, 1998Google Scholar
  3. 3.
    Eckersley, P.: How unique is your web browser? In: Atallah, M.J., Hopper, N.J. (eds.) PETS 2010. LNCS, vol. 6205, pp. 1–18. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-14527-8_1CrossRefGoogle Scholar
  4. 4.
    Hupperich, T., Maiorca, D., Kührer, M., Holz, T., Giacinto, G.: On the robustness of mobile device fingerprinting: can mobile users escape modern web-tracking mechanisms? In: Proceedings of the 31st Annual Computer Security Applications Conference (ACSAC 2015), pp. 191–200. ACM (2015)Google Scholar
  5. 5.
    Kurtz, A., Gascon, H., Becker, T., Rieck, K., Freiling, F.: Fingerprinting mobile devices using personalized configurations. Proc. Priv. Enhanc. Technol. (PETS) 2016(1), 4–19 (2016)CrossRefGoogle Scholar
  6. 6.
    Laperdrix, P., Rudametkin, W., Baudry, B.: Beauty and the beast: diverting modern web browsers to build unique browser fingerprints. In: Proceedings of the 2016 IEEE Symposium on Security and Privacy (S&P 2016), pp. 878–894. IEEE (2016)Google Scholar
  7. 7.
    Mayer, J.R., Mitchell, J.C.: Third-party web tracking: policy and technology. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy (S&P 2012), pp. 413–427. IEEE (2012)Google Scholar
  8. 8.
    Mowery, K., Shacham, H.: Pixel perfect: fingerprinting canvas in HTML5. In: Proceedings of 2012 Workshop on Web 2.0 Security and Privacy (W2SP 2012), pp. 1–12. IEEE (2012)Google Scholar
  9. 9.
    Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: Proceedings of the 2013 IEEE Symposium on Security and privacy (S&P 2013), pp. 541–555. IEEE (2013)Google Scholar
  10. 10.
    Olejnik, Ł., Acar, G., Castelluccia, C., Diaz, C.: The leaking battery. In: Garcia-Alfaro, J., Navarro-Arribas, G., Aldini, A., Martinelli, F., Suri, N. (eds.) DPM/QASA -2015. LNCS, vol. 9481, pp. 254–263. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-29883-2_18CrossRefGoogle Scholar
  11. 11.
    Reyes, I., Wijesekera, P., Reardon, J., On, A.E.B., Razaghpanah, A., Vallina-Rodriguez, N., Egelman, S.: “Won’t somebody think of the children?” Examining coppa compliance at scale. PoPETs 2018(3), 63–83 (2018)Google Scholar
  12. 12.
    Spooren, J., Preuveneers, D., Joosen, W.: Mobile device fingerprinting considered harmful for risk-based authentication. In: Proceedings of the Eighth European Workshop on System Security (EuroSec 2015), pp. 6:1–6:6. ACM (2015)Google Scholar
  13. 13.
    Torres, C.F., Jonker, H., Mauw, S.: FP-Block: usable web privacy by controlling browser fingerprinting. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 3–19. Springer, Cham (2015).  https://doi.org/10.1007/978-3-319-24177-7_1CrossRefGoogle Scholar
  14. 14.
    Vallina-Rodriguez, N., Sundaresan, S., Razaghpanah, A., Nithyanand, R., Allman, M., Kreibich, C., Gill, P.: Tracking the trackers: towards understanding the mobile advertising and tracking ecosystem. CoRR abs/1609.07190 (2016)Google Scholar
  15. 15.
    Wu, W., Wu, J., Wang, Y., Ling, Z., Yang, M.: Efficient fingerprinting-based android device identification with zero-permission identifiers. IEEE Access 4, 8073–8083 (2016)CrossRefGoogle Scholar

Copyright information

© Springer Nature Switzerland AG 2018

Authors and Affiliations

  1. 1.Fraunhofer AISECMunichGermany
  2. 2.SnTUniversity of LuxembourgLuxembourgLuxembourg
  3. 3.Open University of the NetherlandsHeerlenNetherlands
  4. 4.Radboud UniversityNijmegenNetherlands

Personalised recommendations