AppCensus is created by an international collaboration of researchers with combined expertise in the fields of networking, privacy, security, and usability. We're centered in Berkeley, California.
Our mission is to give app users better transparency into how their mobile apps use and misuse their personally identifying information. We want to explore whether apps are following standard best practices when handling private data. We hope that by giving out this transparency, we will foster a better mobile app ecosystem, because users are exposed to hidden privacy costs and app developers are better made aware of best practices for their future apps.
How This Works
AppCensus analyzes Android mobile smartphone apps and reports the private and personally identifying information that different apps access and share with other parties over the Internet, who are usually ads and analytics services. Android developer's best practices specifically discourage the use of any device identifier for the purposes of advertising. It suggests that only the advertising identifier is used for such purposes. We find that many apps ignore this advise and send more hard coded identifiers, such as serial numbers, to better track users.
We collect our results using a technique called dynamic analysis. This means that we actually run each of the apps on real mobile phones in our laboratory. We install the app, grant the requested permissions, and proceed to use the app for a period of time. While we are using an app, we collect as much data about what the app is doing on the phone and what data it sends over the Internet. We collect this data with a bespoke version of the Android operating system and network monitoring tools that together observe what personal data is being accessed by the apps and what personal data is sent out by the apps as well as where it gets sent.
By exhaustively testing each app, our results reflect the actual behaviour of the apps when they are used. When we report that some app sent the phone's serial to an advertiser, this is not a possibility of something the app may do but rather actual app behaviour that we observed in our laboratory. Despite that, we may not actually detect all transmissions of private data: while we can be certain of what we do find, it may be incomplete, where some private data was sent undetected by our analysis.
AppCensus is a result of different research projects focused on mobile privacy and security. The following publications describe the technology behind AppCensus:
- Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, and Serge Egelman"Won't Somebody Think of the Children" Privacy Analysis at Scale: A Case Study With COPPA. In Proceedings of the Privacy Enhancing Technologies Symposium (PETS'18), 2018. (App List)
- Irwin Reyes, Primal Wijesekera, Abbas Razaghpanah, Joel Reardon, Narseo Vallina-Rodriguez, Serge Egelman, and Christian Kreibich. "Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations. The IEEE Security & Privacy Workshop on Consumer Protection (ConPro'17), 2017.
- Primal Wijesekera, Arjun Baokar, Lynn Tsai, Joel Reardon, Serge Egelman, David Wagner, and Konstantin Beznosov. The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland'17), 2017.
- Abbas Razaghpanah, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian Kreibich, Phillipa Gill, Mark Allman, and Vern Paxson. Haystack: A Multi-Purpose Mobile Vantage Point in User Space. Technical Report, 2016.
- Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. Android Permissions Remystified: A Field Study on Contextual Integrity. In Proceedings of the 24th USENIX Security Symposium, 2015.
AppCensus is a collaboration between the following groups:
The International Computer Science Institute (ICSI) is a non-profit research institute affiliated with the University of California, Berkeley. As a 501(c)(3), ICSI is solely funded by grants and donations (the AppCensus Project is support by grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab). If you are interested in supporting this type of research, consider making a donation through Dr. Egelman's Benefunder page.