DOI: 10.1145/3577923.3583638

Comparative Privacy Analysis of Mobile Browsers

Published: 24 April 2023

Abstract

Online trackers are invasive as they track our digital footprints, many of which are sensitive in nature, and when aggregated over time, they can help infer intricate details about our lifestyles and habits. Although much research has been conducted to understand the effectiveness of existing countermeasures for the desktop platform, little is known about how mobile browsers have evolved to handle online trackers. With mobile devices now generating more web traffic than their desktop counterparts, we fill this research gap through a large-scale comparative analysis of mobile web browsers. We crawl 10K valid websites from the Tranco list on real mobile devices. Our data collection process covers both popular generic browsers (e.g., Chrome, Firefox, and Safari) as well as privacy-focused browsers (e.g., Brave, Duck Duck Go, and Firefox Focus). We use dynamic analysis of runtime execution traces and static analysis of source code to highlight the tracking behavior of invasive fingerprinters. We also find evidence of tailored content being served to different browsers. In particular, we note that Firefox Focus sees altered script code, whereas Brave and Duck Duck Go have highly similar content. To test the privacy protection of browsers, we measure the responses of each browser in blocking trackers and advertisers and note the strengths and weaknesses of privacy browsers. To establish ground truth, we use well-known block lists, including EasyList, EasyPrivacy, Disconnect and WhoTracksMe, and find that Brave generally blocks the most content that should be blocked as per these lists. Focus performs better against social trackers, and Duck Duck Go restricts third-party trackers that perform email-based tracking.


    Published In

    CODASPY '23: Proceedings of the Thirteenth ACM Conference on Data and Application Security and Privacy
    April 2023
    304 pages
    ISBN:9798400700675
    DOI:10.1145/3577923

    Publisher

    Association for Computing Machinery

    New York, NY, United States


    Author Tags

    1. mobile browsers
    2. user privacy
    3. web tracking

    Qualifiers

    • Research-article

    Funding Sources

    • National Science Foundation

    Conference

    CODASPY '23

    Acceptance Rates

    Overall Acceptance Rate 149 of 789 submissions, 19%
