Following the Wi-Fi breadcrumbs: Network based mobile application privacy threats

Abstract

Users are concerned about the protection of personal information they share with mobile applications. Researchers have previously explored security threats to mobile applications through wireless network access, including the disclosure of personal information through unencrypted traffic, excessive information disclosure to service providers, and flaws in TLS security. This study replicates these security threats and performs an assessment of the potential privacy impact for a sample of 30 Android applications. The results show that disclosure of personal information through unencrypted traffic is a significant risk. Individual applications were found which disclosed a user's identity and application usage, and persistent device identifiers were leaked allowing user information to be linked across applications and wireless sessions. A small number of applications disclosed inappropriate amounts of personal information to service providers which could allow user tracking. TLS issues continue to pose a risk, with one application exhibiting a previously identified TLS certificate validation issue, and a potentially new encryption protocol downgrade flaw was identified triggered by an invalid certificate. Insecure authentication techniques were used by 30% of applications tested and pose a privacy risk even when applications use TLS.