Detecting Privacy Leaks in the RATP App: how we proceeded and what we found

Jagdish Achara 1, James-Douglass Lefruit 1, Vincent Roca 1,*, Claude Castelluccia 1
* Corresponding author
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract: We analyzed the RATP App, both Android and iOS versions, using our instrumented versions of these mobile OSs. Our analysis reveals that both versions of this App leak private data to third-party servers, which is in total contradiction to the In-App privacy policy. The iOS version of this App doesn't even respect Apple guidelines on cross-App user tracking for advertising purposes and employs various other cross-App tracking mechanisms that are not supposed to be used by Apps. Even if this work is illustrated with a single App, we describe an approach that is generic and can be used to detect privacy leaks from other Apps. In addition, our findings are representative of a trend in Advertising and Analytics (A&A) libraries that try to collect as much information as possible regarding the smartphone and its user to have a better profile of the user's interests and behaviors. In fact, in the case of iOS, these libraries even generate their own persistent identifiers and share them with other Apps through covert channels to better track the user, and this happens even if the user has opted out of device tracking for advertising purposes. Above all, this happens without the user's knowledge, and sometimes even without the knowledge of the App developer, who might naively include these libraries during the App development. Therefore this article raises many questions concerning both the bad practices employed in the world of smartphones and the limitations of the privacy control features proposed by the Android/iOS mobile OSs.
Document type:
Conference paper
GREHACK 2013, Nov 2013, Grenoble, France. 2013

https://hal.inria.fr/hal-00872967
Contributor: Vincent Roca
Submitted on: Monday, 14 October 2013 - 17:59:02
Last modified on: Wednesday, 11 April 2018 - 01:56:18
Document(s) archived on: Friday, 7 April 2017 - 10:50:58

File

ratp_app_analysis.pdf
Files produced by the author(s)

Identifiers

  • HAL Id: hal-00872967, version 1

Citation

Jagdish Achara, James-Douglass Lefruit, Vincent Roca, Claude Castelluccia. Detecting Privacy Leaks in the RATP App: how we proceeded and what we found. GREHACK 2013, Nov 2013, Grenoble, France. 2013. 〈hal-00872967〉

Metrics

Record views

516

File downloads

1730