TY - GEN
T1 - Empirical security and privacy analysis of mobile symptom checking apps on Google Play
AU - Sentana, I. Wayan Budi
AU - Ikram, Muhammad
AU - Kaafar, Mohamed Ali
AU - Berkovsky, Shlomo
N1 - Version archived for private and non-commercial use with the permission of the author/s and according to publisher conditions. For further rights please contact the publisher.
PY - 2021
Y1 - 2021
N2 - Smartphone technology has drastically improved over the past decade. These improvements have seen the creation of specialized health applications, which offer consumers a range of health-related activities such as tracking and checking symptoms of health conditions or diseases through their smartphones. We term these applications as Symptom Checking apps or simply SymptomCheckers. Due to the sensitive nature of the private data they collect, store and manage, leakage of user information could result in significant consequences. In this paper, we use a combination of techniques from both static and dynamic analysis to detect, trace and categorize security and privacy issues in 36 popular SymptomCheckers on Google Play. Our analyses reveal that SymptomCheckers request a significantly higher number of sensitive permissions and embed a higher number of third-party tracking libraries for targeted advertisements and analytics exploiting the privileged access of the SymptomCheckers in which they exist, as a means of collecting and sharing critically sensitive data about the user and their device. We find that these are sharing the data that they collect through unencrypted plain text to the third-party advertisers and, in some cases, to malicious domains. The results reveal that the exploitation of SymptomCheckers is present in popular apps, still readily available on Google Play.
AB - Smartphone technology has drastically improved over the past decade. These improvements have seen the creation of specialized health applications, which offer consumers a range of health-related activities such as tracking and checking symptoms of health conditions or diseases through their smartphones. We term these applications as Symptom Checking apps or simply SymptomCheckers. Due to the sensitive nature of the private data they collect, store and manage, leakage of user information could result in significant consequences. In this paper, we use a combination of techniques from both static and dynamic analysis to detect, trace and categorize security and privacy issues in 36 popular SymptomCheckers on Google Play. Our analyses reveal that SymptomCheckers request a significantly higher number of sensitive permissions and embed a higher number of third-party tracking libraries for targeted advertisements and analytics exploiting the privileged access of the SymptomCheckers in which they exist, as a means of collecting and sharing critically sensitive data about the user and their device. We find that these are sharing the data that they collect through unencrypted plain text to the third-party advertisers and, in some cases, to malicious domains. The results reveal that the exploitation of SymptomCheckers is present in popular apps, still readily available on Google Play.
KW - Android Apps
KW - Privacy
KW - Security
KW - Static Analysis
KW - Dynamic Fingerprinting
UR - http://www.scopus.com/inward/record.url?scp=85111825551&partnerID=8YFLogxK
U2 - 10.5220/0010520106650673
DO - 10.5220/0010520106650673
M3 - Conference proceeding contribution
AN - SCOPUS:85111825551
T3 - Proceedings of the International Conference on Security and Cryptography
SP - 665
EP - 673
BT - Proceedings of the 18th International Conference on Security and Cryptography, SECRYPT 2021
A2 - di Vimercati, Sabrina De Capitani
A2 - Samarati, Pierangela
PB - SciTePress
CY - Setúbal, Portugal
T2 - 18th International Conference on Security and Cryptography, SECRYPT 2021
Y2 - 6 July 2021 through 8 July 2021
ER -