A large-scale, dynamic analysis of user privacy in Android applications

Abstract

This paper presents a dynamic analysis of user privacy in 2425 Android applications. While previous studies make tradeoffs in depth of privacy investigation and scale, this project studies thousands of apps while focusing specifically on privacy-related questions. As a dynamic analysis, the project runs apps on an Android device while recording the network requests leaving the device. The apps are run with a novel software monkey called Chimp, which performs “social login” in apps that offer it. The collected network data is processed through a privacy heuristic pipeline that flags incidents of personal information being shared. In the results, we first present high-level metrics like popular data-collecting entities and apps. Then, we investigate specific cases of misleading and alarming security practices that can potentially compromise user privacy.