Understanding Privacy Over-collection in WeChat Sub-app Ecosystem
Xiaohan Zhang, Yang Wang, Xin Zhang, Ziqi Huang, Lei Zhang, Min Yang

TL;DR
This study systematically investigates privacy over-collection in WeChat sub-apps, revealing widespread issues and proposing detection methods to improve privacy protection in the app-in-app ecosystem.
Contribution
It introduces SPOChecker, a framework for detecting privacy over-collection, and provides the first comprehensive measurement study of SPO in WeChat sub-apps.
Findings
Over half of the studied sub-apps lack privacy policies.
19.47% of policies contain privacy over-collection issues.
The study offers insights into causes and defenses for SPO.
Abstract
Nowadays the app-in-app paradigm is becoming increasingly popular, and sub-apps have become an important form of mobile applications. WeChat, the leading app-in-app platform, provides millions of sub-apps that can be used for online shopping, financing, social networking, etc. However, privacy issues in this new ecosystem have not been well understood. This paper performs the first systematic study of privacy over-collection in sub-apps (denoted as SPO), where sub-apps actually collect more privacy data than they claim in their privacy policies. We propose a taxonomy of privacy for this ecosystem and a framework named SPOChecker to automatically detect SPO in real-world sub-apps. Based on SPOChecker, we collect 5,521 popular and representative WeChat sub-apps and conduct a measurement study to understand SPO from three aspects: its landscape, accountability, and defense methods. The…
Taxonomy
Topics: Privacy, Security, and Data Protection · Green IT and Sustainability · Mobile Health and mHealth Applications
