On the Data Privacy, Security, and Risk Postures of IoT Mobile Companion Apps

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13383)

Abstract

Most Internet of Things (IoT) devices provide access through mobile companion apps to configure, update, and control the devices. In many cases, these apps handle all user data moving in and out of devices and cloud endpoints. Thus, they constitute a critical component in the IoT ecosystem from a privacy standpoint, but they have historically been understudied. In this paper, we perform a latitudinal study and analysis of a sample of 455 IoT companion apps to understand their privacy posture using various methods and evaluate whether apps follow best practices. Specifically, we focus on three aspects: data privacy, security, and risk. Our findings indicate: (i) apps may over-request permissions, particularly for tasks that are not related to their functioning; and (ii) there is widespread use of programming and configuration practices which may reduce security, with the concerning extreme of two apps transmitting credentials in unencrypted form.

Shradha Neupane and Faiza Tazi contributed equally as first authors. This work was supported in part by funding from NSF under Award Number CNS 1822118, NIST, ARL, Statnett, AMI, Cyber Risk Research, NewPush, State of Colorado Cybersecurity Center, and a gift from Google.

Notes

  1. Our raw metrics are anonymously available at https://osf.io/gf7cs/?view_only=c701039702f648849e32ecd4c2e1fd54.

Author information

Corresponding author

Correspondence to Lorenzo De Carli.

Copyright information

© 2022 IFIP International Federation for Information Processing

About this paper

Cite this paper

Neupane, S. et al. (2022). On the Data Privacy, Security, and Risk Postures of IoT Mobile Companion Apps. In: Sural, S., Lu, H. (eds) Data and Applications Security and Privacy XXXVI. DBSec 2022. Lecture Notes in Computer Science, vol 13383. Springer, Cham. https://doi.org/10.1007/978-3-031-10684-2_10

  • DOI: https://doi.org/10.1007/978-3-031-10684-2_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-10683-5

  • Online ISBN: 978-3-031-10684-2

  • eBook Packages: Computer Science, Computer Science (R0)
