The way apps fingerprint user behaviour poses a greater risk to user privacy than browser fingerprinting, according to researchers from Germany’s University of Passau.
In a preprint published at arXiv, the researchers claimed “fingerprints in hybrid apps potentially contain account-specific and device-specific information that identifies users across multiple devices uniquely”.
While browser fingerprinting is well known, there’s less research into hybrid apps – smartphone apps that combine web components such as JavaScript and native components.
In this study, the researchers looked at Android hybrid apps using WebView to provide the browser functionality.
As the researchers stated: “WebView … provides an active communication channel between the native Android app component and JavaScript in the browser”.
“JavaScript can access the Android app’s functionality through shared objects,” they said.
“This grants web components strong capabilities of accessing native Android APIs without having to ask for the Android permissions individually.”
To see what privacy leaks might take place, the researchers combined a well-known Android test environment, Monkey, with WVProfiler, a custom-developed tool to analyse WebView streams.
The researchers evaluated 20,000 apps from the Play Store, identifying more than 5000 which used at least one instance of WebView’s APIs, 1000 of which they studied in depth.
Their first finding was that because users can’t configure system-wide privacy policies in Android, the built-in browser used by hybrid apps “permits more sensitive information leakage than the stand-alone browser.
At a minimum: “All hybrid apps in our dataset expose the build number and phone model in their fingerprints.”
Second, hybrid apps often violate standard privacy policies”, the study claimed.
“Famous apps like Instagram provide less to no control to their users over the amount of sensitive information released via web components.”
The Instagram app, for example, collects phone model, build number, localisation info, SDK, Android version, and processor.
Third: sensitive device and user-specific information can be gathered by combining cookies and user agent information.
“This information can be exploited to profile a user uniquely, such as identifying the origin
and estimating the personal financial status”, the study said.
“Besides, a few apps in our dataset attach their users’ account IDs (unique for a user) to the cookies making their users uniquely identified over different devices.”
Fourth: “(Potentially) Unsafe web components infringe the integrity of a native app’s object.”
And finally, while most of the web has switched to HTTPS to protect information passed in URLs, hybrid apps haven’t caught up: “32 percent of the apps in our dataset leak sensitive information via unencrypted communication protocols like HTTP”.
“These URLs contain sensitive data such as device IDs, IP addresses, ad identifiers,
locale information, and other sensitive data,” the researchers said.
The study was authored by Abhishek Tiwari and Jyoti Prakash, with co-researchers Alimerdan Rahimov and Christian Hammer.
