Our fingerprints don't fade from the Apps we touch: Fingerprinting the Android WebView

TL;DR

This study investigates how browser fingerprinting affects Android hybrid apps with embedded Chromium browsers, revealing significant privacy risks and security flaws in popular applications like Instagram.

Contribution

It provides the first large-scale analysis of fingerprinting in Android hybrid apps, exposing privacy leaks and non-compliance with browser privacy policies.

Findings

Fingerprinting can uniquely identify users across devices.

Popular apps like Instagram leak sensitive information.

Hybrid app browsers often violate standard privacy policies.

Abstract

Numerous studies demonstrated that browser fingerprinting is detrimental to users' security and privacy. However, little is known about the effects of browser fingerprinting on Android hybrid apps -- where a stripped-down Chromium browser is integrated into an app. These apps expand the attack surface by employing two-way communication between native apps and the web. This paper studies the impact of browser fingerprinting on these embedded browsers. To this end, we instrument the Android framework to record and extract information leveraged for fingerprinting. We study over 20,000 apps, including the most popular apps from the Google play store. We exemplify security flaws and severe information leaks in popular apps like Instagram. Our study reveals that fingerprints in hybrid apps potentially contain account-specific and device-specific information that identifies users across multiple devices uniquely. Besides, our results show that the hybrid app browser does not always adhere to standard browser-specific privacy policies.