"Android Apps Are Invasive and Unsafe: Study"

According to researchers from Germany's University of Passau, the way apps fingerprint user behavior poses a greater risk to user privacy than browser fingerprinting. The researchers claimed in a preprint published on arXiv that fingerprints in hybrid apps could contain account-specific and device-specific information that uniquely identifies users across multiple devices. While browser fingerprinting is well known, there has been less research into hybrid apps, which are smartphone apps that combine web components like JavaScript with native components. The researchers examined Android hybrid apps that used WebView to provide browser functionality. According to the researchers, WebView provides an active communication channel between the native Android app component and JavaScript in the browser. Through shared objects, JavaScript can gain access to the functionality of the Android app. This gives web components powerful access to native Android Application Programming Interfaces (APIs) without the need to ask for Android permissions individually. The researchers combined Monkey, a well-known Android test environment, with WVProfiler, a custom-developed tool for analyzing WebView streams, to see what privacy leaks might occur. They examined 20,000 apps from the Google Play Store, identifying over 5,000 that used at least one instance of WebView's APIs, 1,000 of which they thoroughly examined. Since users cannot configure system-wide privacy policies in Android, the built-in browser used by hybrid apps allows more sensitive information leakage than the stand-alone browser. This article continues to discuss findings from the study on the effects of browser fingerprinting on Android hybrid apps. 
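The shared-object channel described above is set up in Android code with `WebView.addJavascriptInterface`, and on API level 17 and later only public methods annotated with `@JavascriptInterface` are reachable from page JavaScript. The following audit sketch is an added example, not code from the study or from WVProfiler; the Java sample, the `DeviceBridge` class and the `audit_bridges` helper are constructed for illustration. It lists which native methods a hybrid app exposes to web content.

```python
import re

# Constructed sample of a hybrid app's Java source (illustrative, not from the study).
SAMPLE_JAVA = '''
package com.example.hybrid;

import android.webkit.JavascriptInterface;
import android.webkit.WebView;

public class MainActivity extends Activity {
    void setup(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.addJavascriptInterface(new DeviceBridge(this), "native");
    }
}

class DeviceBridge {
    @JavascriptInterface
    public String getDeviceModel() { return android.os.Build.MODEL; }

    @JavascriptInterface
    public String getAccountName() { return account.name; }

    public void internalOnly() { }
}
'''

# A bridge registered inline: addJavascriptInterface(new Cls(...), "jsName")
REGISTER = re.compile(
    r'addJavascriptInterface\(\s*new\s+(\w+)\s*\([^)]*\)\s*,\s*"([^"]+)"\s*\)')
# A public method carrying the annotation that makes it callable from JavaScript
EXPOSED = re.compile(r'@JavascriptInterface\s+public\s+[\w<>\[\]]+\s+(\w+)\s*\(')
CLASS = re.compile(r'\bclass\s+(\w+)')


def audit_bridges(source):
    """Map each JavaScript-visible object name to the native methods it exposes."""
    # re.split with one capture group yields [preamble, name1, body1, name2, body2, ...]
    parts = CLASS.split(source)
    bodies = dict(zip(parts[1::2], parts[2::2]))
    report = {}
    for cls, js_name in REGISTER.findall(source):
        # Unannotated methods (internalOnly here) are not exposed and are skipped.
        report[js_name] = EXPOSED.findall(bodies.get(cls, ""))
    return report


if __name__ == "__main__":
    for js_name, methods in audit_bridges(SAMPLE_JAVA).items():
        print(f"window.{js_name} exposes: {', '.join(methods) or '(nothing)'}")
```

This regex pass only catches bridges constructed inline in the same file; a reviewer would still need to trace bridge objects that are built elsewhere and passed in by reference.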

iTnews reports "Android Apps Are Invasive and Unsafe: Study"
