Volume 2022 (2022): Issue 2 (April 2022)
Journal Details
License
Format: Journal
eISSN: 2299-0984
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps

Published Online: 03 Mar 2022
Page range: 6 - 24
Received: 31 Aug 2021
Accepted: 16 Dec 2021
Abstract

While many studies have looked at privacy properties of the Android and Google Play app ecosystem, comparatively less is known about iOS and the Apple App Store, the most widely used ecosystem in the US. At the same time, there is increasing competition around privacy between these smartphone operating system providers. In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy. We find that third-party tracking and the sharing of unique user identifiers were widespread in apps from both ecosystems, even in apps aimed at children. In the children’s category, iOS apps tended to use less advertising-related tracking than their Android counterparts, but could more often access children’s location. Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law, including 1) the use of third-party tracking without user consent, 2) the lack of parental consent before sharing personally identifiable information (PII) with third parties in children’s apps, 3) the non-data-minimising configuration of tracking libraries, 4) the sending of personal data to countries without an adequate level of data protection, and 5) the continued absence of transparency around tracking, partly due to design decisions by Apple and Google. Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.

