Abstract
Android has conquered the mobile market, reaching a market share above 85%. The post-Lollipop versions have introduced radical changes in the platform, significantly improving the security and privacy provided to users. Nonetheless, the platform offers several features that can be exploited to fingerprint users. Of specific interest are the fingerprinting capabilities that do not request any dangerous permission from the user; they can therefore be silently shipped with any application without the user being able to trace them, let alone block them. With Android AOSP as our baseline, we discuss various such methods and their applicability.
Acknowledgments
This work was supported by the European Commission under the Horizon 2020 Programme (H2020), as part of the OPERANDO project (Grant Agreement no. 653704). The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.
Copyright information
© 2018 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Alepis, E., Patsakis, C. (2018). Persistent vs Service IDs in Android: Session Fingerprinting from Apps. In: Hu, J., Khalil, I., Tari, Z., Wen, S. (eds) Mobile Networks and Management. MONAMI 2017. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 235. Springer, Cham. https://doi.org/10.1007/978-3-319-90775-8_2
DOI: https://doi.org/10.1007/978-3-319-90775-8_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-90774-1
Online ISBN: 978-3-319-90775-8
eBook Packages: Computer Science, Computer Science (R0)