AppCensus was created by an international collaboration of researchers with combined expertise in networking, privacy, security, and usability. We're based in Berkeley, California.

Our mission is to give app users better transparency into how their mobile apps use and misuse their personally identifying information. We want to explore whether apps are following standard best practices when handling private data. We hope that by providing this transparency, we will foster a better mobile app ecosystem, because hidden privacy costs are exposed to users and app developers are made better aware of best practices for their future apps.

AppCensus analyzes Android smartphone apps and reports the private and personally identifying information that different apps access and share with other parties over the Internet, usually advertising and analytics services. Android's developer best practices specifically discourage the use of any device identifier for the purposes of advertising. They suggest that only the advertising identifier be used for such purposes. We find that many apps ignore this advice and send additional hard-coded identifiers, such as serial numbers, to better track users.

We collect our results using a technique called dynamic analysis. This means that we actually run each of the apps on real mobile phones in our laboratory. We install the app, grant the requested permissions, and proceed to use the app for a period of time. While we are using an app, we collect as much data as possible about what the app is doing on the phone and what data it sends over the Internet. We collect this data with a bespoke version of the Android operating system and network monitoring tools that together observe what personal data is accessed by the apps, what personal data is sent out by the apps, and where it is sent.

By exhaustively testing each app, our results reflect the actual behaviour of the apps when they are used. When we report that some app sent the phone's serial to an advertiser, this is not something the app might possibly do but rather actual app behaviour that we observed in our laboratory. Even so, we may not detect all transmissions of private data: while we can be certain of what we do find, our findings may be incomplete, because some private data may have been sent without being detected by our analysis.

AppCensus is a result of different research projects focused on mobile privacy and security. The following publications describe the technology behind AppCensus:

AppCensus is a collaboration between the following groups:

Berkeley Laboratory for Usable and Experimental Security

ICSI Usable Security & Privacy Group

The Haystack Project

The International Computer Science Institute (ICSI) is a non-profit research institute affiliated with the University of California, Berkeley. As a 501(c)(3), ICSI is solely funded by grants and donations (the AppCensus Project is supported by grants from the National Science Foundation, the Department of Homeland Security, and the Data Transparency Lab). If you are interested in supporting this type of research, consider making a donation through Dr. Egelman's Benefunder page.