Detecting Privacy Leaks in the RATP App: how we proceeded and what we found

Jagdish Achara 1 James-Douglass Lefruit 1 Vincent Roca 1, * Claude Castelluccia 1
* Corresponding author
1 PRIVATICS - Privacy Models, Architectures and Tools for the Information Society
Inria Grenoble - Rhône-Alpes, CITI - CITI Centre of Innovation in Telecommunications and Integration of services
Abstract : We analyzed the RATP App, both Android and iOS versions, using our instrumented versions of these mobile OSs. Our analysis reveals that both versions of this App leak private data to third-party servers, which is in total contradiction to the In-App privacy policy. The iOS version of this App doesn't even respect Apple guidelines on cross-App user tracking for advertising purposes and employs various other cross- App tracking mechanisms that are not supposed to be used by Apps. Even if this work is illustrated with a single App, we describe an approach that is generic and can be used to detect privacy leaks from other Apps. In addition, our findings are representative of a trend in Advertising and Analytics (A&A) libraries that try to collect as much information as possible regarding the smartphone and its user to have a better profile of the user's interests and behaviors. In fact, in case of iOS, these libraries even generate their own persistent identifiers and share it with other Apps through covert channels to better track the user, and this happens even if the user has opted-out of device tracking for advertising purposes. Above all, this happens without the user knowledge, and sometimes even without the App developer's knowledge who might naively include these libraries during the App development. Therefore this article raises many questions concerning both the bad practices employed in the world of smartphones and the limitations of the privacy control features proposed by Android/iOS Mobile OSs.
Document type :
Conference papers
Liste complète des métadonnées

Cited literature [10 references]  Display  Hide  Download

https://hal.inria.fr/hal-00872967
Contributor : Vincent Roca <>
Submitted on : Monday, October 14, 2013 - 5:59:02 PM
Last modification on : Saturday, October 27, 2018 - 1:19:00 AM
Document(s) archivé(s) le : Friday, April 7, 2017 - 10:50:58 AM

File

ratp_app_analysis.pdf
Files produced by the author(s)

Identifiers

  • HAL Id : hal-00872967, version 1

Collections

Citation

Jagdish Achara, James-Douglass Lefruit, Vincent Roca, Claude Castelluccia. Detecting Privacy Leaks in the RATP App: how we proceeded and what we found. GREHACK 2013, Guillaume Jeanne, Nov 2013, Grenoble, France. ⟨hal-00872967⟩

Share

Metrics

Record views

545

Files downloads

1835