Detecting and Measuring Aggressive Location Harvesting in Mobile Apps via Data-flow Path Embedding-Reference-Cited by-同舟云学术

Detecting and Measuring Aggressive Location Harvesting in Mobile Apps via Data-flow Path Embedding

Published:2023-02-27 Issue:1 Volume:7 Page:1-27
ISSN:2476-1249
Container-title:Proceedings of the ACM on Measurement and Analysis of Computing Systems
language:en
Short-container-title:Proc. ACM Meas. Anal. Comput. Syst.

Author:

Lu Haoran¹^ORCID,Zhao Qingchuan²^ORCID,Chen Yongliang²^ORCID,Liao Xiaojing¹^ORCID,Lin Zhiqiang³^ORCID

Affiliation:

1. Indiana University Bloomington, Bloomington, USA

2. City University of Hong Kong, Hong Kong, Hong Kong

3. Ohio State University, Columbus, USA

Abstract

Today, location-based services have become prevalent in the mobile platform, where mobile apps provide specific services to a user based on his or her location. Unfortunately, mobile apps can aggressively harvest location data with much higher accuracy and frequency than they need because the coarse-grained access control mechanism currently implemented in mobile operating systems (e.g., Android) cannot regulate such behavior. This unnecessary data collection violates the data minimization policy, yet no previous studies have investigated privacy violations from this perspective, and existing techniques are insufficient to address this violation. To fill this knowledge gap, we take the first step toward detecting and measuring this privacy risk in mobile apps at scale. Particularly, we annotate and release thefirst dataset to characterize those aggressive location harvesting apps and understand the challenges of automatic detection and classification. Next, we present a novel system, LocationScope, to address these challenges by(i) uncovering how an app collects locations and how to use such data through a fine-tuned value set analysis technique,(ii) recognizing the fine-grained location-based services an app provides via embedding data-flow paths, which is a combination of program analysis and machine learning techniques, extracted from its location data usages, and(iii) identifying aggressive apps with an outlier detection technique achieving a precision of 97% in aggressive app detection. Our technique has further been applied to millions of free Android apps from Google Play as of 2019 and 2021. Highlights of our measurements on detected aggressive apps include their growing trend from 2019 to 2021 and the app generators' significant contribution of aggressive location harvesting apps.

Funder

NSF

City University of Hong Kong

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications,Hardware and Architecture,Safety, Risk, Reliability and Quality,Computer Science (miscellaneous)

Link

https://dl.acm.org/doi/pdf/10.1145/3579447

Reference104 articles.

1. 2008. PlaceMask - Protecting Location Privacy. <a href="http://www.placemask.com/">http://www.placemask.com/</a> 2008. PlaceMask - Protecting Location Privacy. <a href="http://www.placemask.com/">http://www.placemask.com/</a>

2. 2012. Free mobile apps a threat to privacy study finds. <a href="https://www.computerweekly.com/news/2240169770/Free-mobile-apps-a-threat-to-privacy-study-finds">https://www.computerweekly.com/news/2240169770/Free-mobile-apps-a-threat-to-privacy-study-finds</a> 2012. Free mobile apps a threat to privacy study finds. <a href="https://www.computerweekly.com/news/2240169770/Free-mobile-apps-a-threat-to-privacy-study-finds">https://www.computerweekly.com/news/2240169770/Free-mobile-apps-a-threat-to-privacy-study-finds</a>

3. 2018. pkumza/LibRadar: LibRadar - A detecting tool for 3rd-party libraries in Android apps. <a href="https://github.com/pkumza/LibRadar">https://github.com/pkumza/LibRadar</a> ; 2018. pkumza/LibRadar: LibRadar - A detecting tool for 3rd-party libraries in Android apps. <a href="https://github.com/pkumza/LibRadar">https://github.com/pkumza/LibRadar</a>

4. 2020. App Monetization Lifehacks: Everything you wanted to know about the revenue from free apps. <a href="https://appsgeyser.com/blog/monetization-lifehacks-everything-you-wanted-to-know-about-the-revenue-from-apps-with-appsgeyser/">https://appsgeyser.com/blog/monetization-lifehacks-everything-you-wanted-to-know-about-the-revenue-from-apps-with-appsgeyser/</a> 2020. App Monetization Lifehacks: Everything you wanted to know about the revenue from free apps. <a href="https://appsgeyser.com/blog/monetization-lifehacks-everything-you-wanted-to-know-about-the-revenue-from-apps-with-appsgeyser/">https://appsgeyser.com/blog/monetization-lifehacks-everything-you-wanted-to-know-about-the-revenue-from-apps-with-appsgeyser/</a>

5. 2022a. androguard/androguard: Reverse engineering Malware and goodware analysis of Android applications ... and more (ninja !). <a href="https://github.com/androguard/androguard">https://github.com/androguard/androguard</a> 2022a. androguard/androguard: Reverse engineering Malware and goodware analysis of Android applications ... and more (ninja !). <a href="https://github.com/androguard/androguard">https://github.com/androguard/androguard</a>

Cited by 2 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Attention! Your Copied Data is Under Monitoring: A Systematic Study of Clipboard Usage in Android Apps;Proceedings of the 46th IEEE/ACM International Conference on Software Engineering;2024-02-06

2. Transparency in App Analytics: Analyzing the Collection of User Interaction Data;2023 20th Annual International Conference on Privacy, Security and Trust (PST);2023-08-21