6 research outputs found
To Extend or not to Extend: on the Uniqueness of Browser Extensions and Web Logins
Recent works showed that websites can detect browser extensions that users
install and websites they are logged into. This poses significant privacy
risks, since extensions and Web logins that reflect user's behavior, can be
used to uniquely identify users on the Web. This paper reports on the first
large-scale behavioral uniqueness study based on 16,393 users who visited our
website. We test and detect the presence of 16,743 Chrome extensions, covering
28% of all free Chrome extensions. We also detect whether the user is connected
to 60 different websites.
We analyze how unique users are based on their behavior, and find out that
54.86% of users that have installed at least one detectable extension are
unique; 19.53% of users are unique among those who have logged into one or more
detectable websites; and 89.23% are unique among users with at least one
extension and one login. We use an advanced fingerprinting algorithm and show
that it is possible to identify a user in less than 625 milliseconds by
selecting the most unique combinations of extensions.
Because privacy extensions contribute to the uniqueness of users, we study
the trade-off between the amount of trackers blocked by such extensions and how
unique the users of these extensions are. We have found that privacy extensions
should be considered more useful than harmful. The paper concludes with
possible countermeasures.Comment: accepted at WPES 201
Temporal and cultural limits of privacy in smartphone app usage
Large-scale collection of human behavioral data by companies raises serious
privacy concerns. We show that behavior captured in the form of application
usage data collected from smartphones is highly unique even in very large
datasets encompassing millions of individuals. This makes behavior-based
re-identification of users across datasets possible. We study 12 months of data
from 3.5 million users and show that four apps are enough to uniquely
re-identify 91.2% of users using a simple strategy based on public information.
Furthermore, we show that there is seasonal variability in uniqueness and that
application usage fingerprints drift over time at an average constant rate
HideMyApp: Hiding the Presence of Sensitive Apps on Android
Millions of users rely on mobile health (mHealth) apps to manage their wellness and medical conditions. Although the popularity of such apps continues to grow, several privacy and security challenges can hinder their potential. In particular, the simple fact that an mHealth app is installed on a user’s phone can reveal sensitive information about the user’s health. Due to Android’s open design, any app, even without permissions, can easily check for the presence of a specific app or collect the entire list of installed apps on the phone. Our analysis shows that Android apps expose a significant amount of metadata, which facilitates fingerprinting them. Many third parties are interested in such information: Our survey of 2917 popular apps in the Google Play Store shows that around 57% of these apps explicitly query for the list of installed apps. Therefore, we designed and implemented HideMyApp (HMA), an effective and practical solution for hiding the presence of sensitive apps from other apps. HMA does not require any changes to the Android operating system or to apps yet still supports their key functionalities. By using a diverse dataset of both free and paid mHealth apps, our experimental evaluation shows that HMA supports the main functionalities in most apps and introduces acceptable overheads at runtime (i.e., several milliseconds); these findings were validated by our user-study (N=30). In short, we show that the practice of collecting information about installed apps is widespread and that our solution, HMA, provides a robust protection against such a threat
HideMyApp : Hiding the Presence of Sensitive Apps on Android
Millions of users rely on mobile health (mHealth) apps to manage their wellness and medical conditions. Although the popularity of such apps continues to grow, several privacy and security challenges can hinder their potential. In particular, the simple fact that an mHealth app is installed on a user’s phone can reveal sensitive information about the user’s health. Due to Android’s open design, any app, even without per- missions, can easily check for the presence of a specific app or collect the entire list of installed apps on the phone. Our analysis shows that Android apps expose a significant amount of metadata, which facilitates fingerprinting them. Many third parties are interested in such information: Our survey of 2917 popular apps in the Google Play Store shows that around 57% of these apps explicitly query for the list of installed apps. Therefore, we designed and implemented HideMyApp (HMA), an effective and practical solution for hiding the presence of sensitive apps from other apps. HMA does not require any changes to the Android operating system or to apps yet still supports their key functionalities. By using a diverse dataset of both free and paid mHealth apps, our experimental eval- uation shows that HMA supports the main functionalities in most apps and introduces acceptable overheads at runtime (i.e., several milliseconds); these findings were validated by our user-study (N = 30). In short, we show that the practice of collecting information about installed apps is widespread and that our solution, HMA, provides a robust protection against such a threat