Information leakage through mobile analytics services

Abstract

In this paper we investigate the risk of privacy leakage through mobile analytics services and demonstrate the ease with which an external adversary can extract individual's profile and mobile applications usage information, through two major mobile analytics services, i.e. Google Mobile App Analytics and Flurry. We also demonstrate that it is possible to exploit the vulnerability of analytics services, to influence the ads served to users' devices, by manipulating the profiles constructed by these services. Both attacks can be performed without the necessity of having an attacker controlled app on user's mobile device. Finally, we discuss potential countermeasures (from the perspectives of different parties) that may be utilized to mitigate the risk of individual's personal information leakage.