Exposures Exposed: A Measurement and User Study to Assess Mobile Data Privacy in Context

TL;DR

This paper investigates mobile data privacy by measuring PII exposure in popular Android apps and assessing user perceptions and understanding of privacy risks through a detailed user study.

Contribution

It provides a comprehensive measurement of PII sharing in Android apps and offers novel insights into user awareness and attitudes towards mobile privacy risks.

Findings

16 types of PII exposed in 400 apps

Users' understanding of privacy risks improved after the study

Many users remain concerned about privacy exposure

Abstract

Mobile devices have access to personal, potentially sensitive data, and there is a large number of mobile applications and third-party libraries that transmit this information over the network to remote servers (including app developer servers and third party servers). In this paper, we are interested in better understanding of not just the extent of personally identifiable information (PII) exposure, but also its context i.e., functionality of the app, destination server, encryption used, etc.) and the risk perceived by mobile users today. To that end we take two steps. First, we perform a measurement study: we collect a new dataset via manual and automatic testing and capture the exposure of 16 PII types from 400 most popular Android apps. We analyze these exposures and provide insights into the extent and patterns of mobile apps sharing PII, which can be later used for prediction and prevention. Second, we perform a user study with 220 participants on Amazon Mechanical Turk: we summarize the results of the measurement study in categories, present them in a realistic context, and assess users' understanding, concern, and willingness to take action. To the best of our knowledge, our user study is the first to collect and analyze user input in such fine granularity and on actual (not just potential or permitted) privacy exposures on mobile devices. Although many users did not initially understand the full implications of their PII being exposed, after being better informed through the study, they became appreciative and interested in better privacy practices.