A Measurement Study of Tracking in Paid Mobile Applications
Suranga Seneviratne ✪, Harini Kolamunna, Aruna Seneviratne ✪
UNSW
NICTA, Australia
✪ School of EET, University of New South Wales, Australia
NICTA Copyright 2012 From imagination to impact
Motivation
• The number of apps in app markets is increasing rapidly
- By May 2015, Google Play Store and Apple App Store each hosted nearly 1.4 million apps
- ~20,000 new app submissions per month
• Tracking is happening in apps. What level of tracking is happening in aggregation?
- Only limited number of trackers are available?
- A single user can be tracked through multiple apps by the same tracker
• ~15% of apps are paid apps that are not investigated in detail
- Apps need to be purchased, and bulk crawling of app markets for paid apps is not possible
- Due to the difference in the business model, paid apps are not expected to collect personal data
1) What type of tracking is happening in paid apps in comparison to free apps?
2) Overall, as a user, how much am I exposed with respect to tracking?
Data Collection - I
Proxy Servers (Australia, Brazil, Germany, USA)
Top-100 free apps
Top-100 paid apps
APK Files
Raccoon – Google Play Desktop Client
Installs or Purchases
Credentials
275 unique free apps
234 unique paid apps
Data Collection - II
Lists of apps from 338 users
5,857 unique apps
• Lists of apps installed by 338 users collected via the “Apptronomy” app
- Collected in relation to one of our previous works [1]
- Volunteers or users recruited via Amazon Mechanical Turk
• Downloaded the APK files for the free apps available in Play Store
• Used the paid apps that were downloaded previously and used by the users in the dataset
APK files of 3,605 unique apps (~62%)
[1] Seneviratne, S., Seneviratne, A., Mohapatra, P., & Mahanti, A. (2014). Predicting user traits from a snapshot of apps installed on a smartphone. ACM SIGMOBILE Mobile Computing and Communications Review, 18(2), 1-8.
Methodology
Tracker list is available at http://www.privmetrics.org/publications
APK File → apktool → Class Hierarchy → Tracker Detection → Integrated Trackers
E.g. com.flurry, com.jirbo
APK File → Joe Sandbox Mobile → API Usage → APIs related to personal information → Trackers collecting personal information
E.g.
com.flurry - API Call: android.location.Location.getLatitude
com.jirbo - API Call: android.net.wifi.WifiInfo.getMacAddress
124 Trackers
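The two-step pipeline above, as an added example that is not the authors' tooling: class names recovered from an apktool-decoded APK are matched against a tracker list on package boundaries, then API-usage records are attributed to the tracker whose code made the call. Only `com.flurry`, `com.jirbo` and the two API names come from the slide; the tracker table, `com.example.adsdk`, the information-type labels and the `(caller, API)` record shape are assumptions.

```python
from pathlib import PurePosixPath

# Constructed stand-in for the tracker list; com.example.adsdk is hypothetical.
TRACKERS = {"com.flurry": "Flurry", "com.jirbo": "Jirbo",
            "com.example.adsdk": "ExampleAds"}
# The two personal-information APIs named on the slide; labels are assumptions.
PERSONAL_APIS = {
    "android.location.Location.getLatitude": "Location",
    "android.net.wifi.WifiInfo.getMacAddress": "MAC address",
}

def smali_to_class(path):
    """'smali_classes2/com/flurry/sdk/a.smali' -> 'com.flurry.sdk.a'."""
    parts = PurePosixPath(path).with_suffix("").parts
    if parts and parts[0].startswith("smali"):   # one smali*/ root per dex file
        parts = parts[1:]
    return ".".join(parts)

def tracker_of(cls):
    """Tracker owning a class, matched on a package boundary, else None."""
    for prefix, name in TRACKERS.items():
        if cls == prefix or cls.startswith(prefix + "."):
            return name
    return None

def integrated_trackers(smali_paths):
    """Static step: trackers present in the decoded class hierarchy."""
    classes = (smali_to_class(p) for p in smali_paths if p.endswith(".smali"))
    return sorted({t for t in map(tracker_of, classes) if t})

def personal_info_by_tracker(api_calls):
    """Dynamic step: (caller class, API) records -> {tracker: {info types}}."""
    out = {}
    for caller, api in api_calls:
        tracker, info = tracker_of(caller), PERSONAL_APIS.get(api)
        if tracker and info:          # ignore app-own code and non-personal APIs
            out.setdefault(tracker, set()).add(info)
    return out

# Constructed sample input: decoded file paths and API-usage records.
SAMPLE_PATHS = ["smali/com/flurry/sdk/a.smali", "smali/com/flurryx/B.smali",
                "smali_classes2/com/jirbo/adcolony/C.smali",
                "smali/com/example/game/Main.smali", "res/layout/main.xml"]
SAMPLE_CALLS = [("com.flurry.sdk.a", "android.location.Location.getLatitude"),
    ("com.jirbo.adcolony.C", "android.net.wifi.WifiInfo.getMacAddress"),
    ("com.example.game.Main", "android.location.Location.getLatitude"),
    ("com.flurry.sdk.a", "java.lang.String.length")]
```

The boundary check keeps `com.flurryx` from being counted as Flurry, and the location call made by the app's own `Main` class is not attributed to any tracker.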
Number of Connected Trackers
85%-95% of the free apps were connected to at least one tracker
~60% of the paid apps were connected to at least one tracker
Top Trackers
Most of the trackers popular in free apps were present in paid apps
Google Ads and Flurry were highly popular among free apps
119 trackers
57 trackers
Tracker Categories
• We categorized the trackers according to their functionality
- Advertising: Trackers providing in-app advertisements. E.g. Google Ads, Millennial Media, Inmobi
- Analytics: Trackers providing analytics such as audience analysis. E.g. Flurry, Google Analytics, Comscore
- Utilities: Trackers assisting developers in troubleshooting. E.g. Crashlytics, Bugsense
• Checked the popularity of tracker categories in both free and paid apps
[Figure: bar chart of percentage by tracker category (Advertising, Analytics, Utilities), for free and paid apps]
Accessed Personal Information
[Figure: personal information types accessed, plotted against trackers]
Only a few trackers accessed critical personal information, e.g. apps, emails, calendar
None of the top trackers accessed information such as SMS or browser history
Still, unique ID collection was quite common
17 out of 22 trackers collected at least one form of unique identifier
Trackers Tapjoy and Inmobi collected more information than the others
The tracker Prime31 collected less information, yet the most critical personal information
Trackers per User
• An average user has ~40 installed apps
- How many trackers do users share data with on average?
50% of users were connected to more than 25 trackers
25% of users were connected to more than 40 trackers !!
Trackers Penetration
• Top trackers are everywhere & it’s almost impossible to avoid contact.
In addition to the Google trackers, over 80% of the users are connected to trackers such as Flurry, Millennial Media, and Crashlytics
• Trackers can collect more information when they are present in more than one of the apps a user has installed.
E.g. among users with at least one app connected to Google Ads, 78% had more than 5 apps connected to Google Ads
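The per-user measures from the "Trackers per User" and "Trackers Penetration" slides (trackers per user, share of users a tracker reaches, and presence in several of one user's apps), computed in an added example that is not the authors' code. App names, user ids and tracker assignments are constructed sample data.

```python
from collections import Counter
from statistics import median

# Constructed data: trackers detected per app, and each user's app list.
APP_TRACKERS = {
    "app_a": {"Google Ads", "Flurry"},
    "app_b": {"Google Ads"},
    "app_c": {"Crashlytics", "Flurry"},
    "app_d": set(),                       # analysed, no tracker found
    "app_e": {"Google Ads", "Millennial Media"},
}
USER_APPS = {
    "u1": ["app_a", "app_b", "app_e"],
    "u2": ["app_c", "app_d"],
    "u3": ["app_a", "app_c", "app_zzz"],  # app_zzz: APK was not available
    "u4": ["app_d"],
}

def tracker_app_counts(apps):
    """Counter {tracker: number of this user's apps that embed it}."""
    counts = Counter()
    for app in apps:
        # Apps without an analysed APK add nothing, so results are lower bounds.
        counts.update(APP_TRACKERS.get(app, ()))
    return counts

def trackers_per_user():
    return {u: len(tracker_app_counts(a)) for u, a in USER_APPS.items()}

def median_trackers_per_user():
    return median(trackers_per_user().values())

def penetration(tracker):
    """Fraction of all users with at least one app embedding the tracker."""
    hit = [u for u, a in USER_APPS.items() if tracker_app_counts(a)[tracker]]
    return len(hit) / len(USER_APPS)

def multi_app_share(tracker, more_than):
    """Among users the tracker reaches, share reached via > more_than apps."""
    per_user = [tracker_app_counts(a)[tracker] for a in USER_APPS.values()]
    reached = [n for n in per_user if n > 0]
    return sum(n > more_than for n in reached) / len(reached) if reached else 0.0
```

`multi_app_share("Google Ads", 5)` is the form of the 78% figure quoted on the slide; here it is evaluated only over the constructed users.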
An Example User
A user having only 11 apps sharing data with 26 trackers !!
Trackers: Crashlytics, Nexage, Yozio, Kochava, Comscore, Nativex, Mobileaptracker, Google Ads, Appsflyer, Mopub, mDotm, GreyStripe, Millennial Media, Tapjoy, Hockeyapp, Trialpay, ThreatMetrix, Chartboost, Flurry, Google Analytics, InMobi, Adjust, Crittercism, Vungle, Bugsense, Jirbo
Apps: Pinterest, Pet Rescue Saga, SongPop, MapQuest, Despicable Me, Avast Mobile Security, Draw Something Free, Candy Crush Saga, Subway Surf, Tango, Gmail
Personal Information: Location, Installed Apps, Android ID, Calendar
Conclusion
• Tracking is happening in paid apps on an alarming scale despite their different business model.
~60% of the paid apps were connected to trackers.
• Top trackers in paid apps are almost the same as in free apps and thus expose the users to the same level of privacy risks.
• On average a user shares data with ~25 trackers when both free apps and paid apps are concerned.
• There are only a limited number of trackers and thus they can reach a significant portion of users
~6 trackers were able to reach 80% of the users in our dataset
Tracker list is available for download at:
http://www.privmetrics.org/publications
Questions?
Contact: [email protected]
Thank You !