Abstract
Most Internet of Things (IoT) devices are accessed through mobile companion apps that configure, update, and control the devices. In many cases, these apps handle all user data moving between devices and cloud endpoints. They are therefore a critical component of the IoT ecosystem from a privacy standpoint, yet they have historically been understudied. In this paper, we perform a latitudinal study and analysis of a sample of 455 IoT companion apps to understand their privacy posture using various methods and to evaluate whether the apps follow best practices. Specifically, we focus on three aspects: data privacy, security, and risk. Our findings indicate that: (i) apps may over-request permissions, particularly for tasks unrelated to their functioning; and (ii) there is widespread use of programming and configuration practices that may reduce security, with the concerning extreme of two apps transmitting credentials in unencrypted form.
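To make the two findings concrete, here is an added example (not code from the paper or its authors) of the kind of static manifest check an auditor would run over a companion app: it lists runtime-prompted ("dangerous") permissions the app requests and decides whether cleartext traffic is permitted. The manifest, the package name, and the permission subset are constructed for illustration.

```python
"""Static checks over an AndroidManifest.xml for two postures the abstract
names: permission over-request and cleartext-traffic configuration."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative subset of permissions Android gives the "dangerous" protection
# level (runtime prompt, user-visible data). Assumption: not exhaustive.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
}

def requested_permissions(manifest_xml: str) -> list[str]:
    root = ET.fromstring(manifest_xml)
    return [e.get(ANDROID_NS + "name") for e in root.findall("uses-permission")]

def dangerous_permissions(manifest_xml: str) -> list[str]:
    return [p for p in requested_permissions(manifest_xml) if p in DANGEROUS]

def cleartext_allowed(manifest_xml: str):
    """True/False when the manifest decides it; None when only the build
    config (targetSdkVersion kept outside the manifest) could tell."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    flag = app.get(ANDROID_NS + "usesCleartextTraffic") if app is not None else None
    if flag is not None:
        return flag.lower() == "true"
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID_NS + "targetSdkVersion") if sdk is not None else None
    if target is not None:
        return int(target) < 28  # platform default blocks cleartext from API 28
    return None

# Constructed sample: a hypothetical companion app manifest, not a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iotcompanion">
  <uses-sdk android:targetSdkVersion="27"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.BLUETOOTH"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Companion"/>
</manifest>"""

if __name__ == "__main__":
    print("dangerous:", dangerous_permissions(SAMPLE_MANIFEST))
    print("cleartext allowed:", cleartext_allowed(SAMPLE_MANIFEST))
```

Whether a flagged permission is over-requested still needs the app's stated functionality; the check only surfaces candidates for that review.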
Shradha Neupane and Faiza Tazi contributed equally as first authors. This work was supported in part by funding from NSF under Award Number CNS 1822118, NIST, ARL, Statnett, AMI, Cyber Risk Research, NewPush, State of Colorado Cybersecurity Center, and a gift from Google.
Notes
1. Our raw metrics are anonymously available at https://osf.io/gf7cs/?view_only=c701039702f648849e32ecd4c2e1fd54.
© 2022 IFIP International Federation for Information Processing
About this paper
Cite this paper
Neupane, S. et al. (2022). On the Data Privacy, Security, and Risk Postures of IoT Mobile Companion Apps. In: Sural, S., Lu, H. (eds) Data and Applications Security and Privacy XXXVI. DBSec 2022. Lecture Notes in Computer Science, vol 13383. Springer, Cham. https://doi.org/10.1007/978-3-031-10684-2_10
DOI: https://doi.org/10.1007/978-3-031-10684-2_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-10683-5
Online ISBN: 978-3-031-10684-2