ABSTRACT
Today, location-based services have become prevalent on the mobile platform, where mobile apps provide specific services to a user based on his or her location. Unfortunately, mobile apps can aggressively harvest location data with much higher accuracy and frequency than they need, because the coarse-grained access control mechanism currently implemented in mobile operating systems (e.g., Android) cannot regulate such behavior. This unnecessary data collection violates the data minimization policy, yet no previous studies have investigated privacy violations from this perspective, and existing techniques are insufficient to address this violation. To fill this knowledge gap, we take the first step toward detecting and measuring this privacy risk in mobile apps at scale. In particular, we annotate and release the first dataset to characterize these aggressive location harvesting apps and to understand the challenges of automatic detection and classification. Next, we present a novel system, LocationScope, to address these challenges by (i) uncovering how an app collects locations and how it uses such data through a fine-tuned value set analysis technique, (ii) recognizing the fine-grained location-based services an app provides by embedding data-flow paths extracted from its location data usages, a combination of program analysis and machine learning techniques, and (iii) identifying aggressive apps with an outlier detection technique, achieving a precision of 97% in aggressive app detection. Our technique has further been applied to millions of free Android apps from Google Play as of 2019 and 2021. Highlights of our measurements on detected aggressive apps include their growing trend from 2019 to 2021 and the significant contribution of app generators to aggressive location harvesting apps.
Index Terms
- Detecting and Measuring Aggressive Location Harvesting in Mobile Apps via Data-flow Path Embedding
Recommendations
Detecting and Measuring Aggressive Location Harvesting in Mobile Apps via Data-flow Path Embedding
POMACS
Detecting and Measuring Aggressive Location Harvesting in Mobile Apps via Data-flow Path Embedding
SIGMETRICS '23