Keep your partners at bay: On the importance of validating third-party SDKs

by Narseo Vallina and Álvaro Feal (IMDEA Networks)

In Android, most apps include functionality from third-party libraries (SDKs) in an attempt by developers to reduce the cost of building an app. However, it is important to understand the privacy risks that these SDKs can pose to the users of the app. In this blog post, we discuss these risks, as well as why it is important that developers understand the type of content that third-party libraries are including in their app.

Nowadays, millions of users own and use an Android smartphone in their daily life. In fact, it is estimated that there are over 3 billion active devices with a wide range of mobile apps installed on them. The mobile revolution, however, has opened a wide range of privacy threats for end-users. 

Modern smartphones come with a number of sensors that generate sensitive information, such as the current location of the user. Not only that, but the type of content that a user consumes on the phone (in terms of visited webpages or used apps) can provide a lot of information about their likes and behaviour. Due to the complexity of writing complete, accurate, and reliable software, Android developers often include third-party services or SDKs (Software Development Kits) to add extra functionality without the need to develop it in-house.

For instance, many developers might be interested in allowing their users to log in to their mobile app using their Facebook credentials. To that end, Facebook allows developers to download an SDK that includes the logic for this functionality and include it in their apps as a third-party library. However, some of these SDKs are developed by companies that rely on this type of sensitive data for their business model.

This is the case for most companies offering advertising and analytics products as SDKs that mobile app developers can integrate. Advertising and analytics companies are interested in monitoring users to learn about their interests and habits in order to maximise ad revenue. For instance, a given user is more likely to click on an ad if it shows a product that the user is interested in. While this is the general approach, more complex monetisation models exist.

Due to the limitations of the permission models implemented in mobile operating systems, the presence of SDKs in mobile apps can cause privacy harm to users. In Android, if a given app wants to access a particular piece of sensitive data, it must request the permission that provides access to it. Then, the user must grant it access. However, the way in which Android’s permission model is designed opens the door for third-party libraries to piggyback on the permissions granted to apps.

Because of the lack of privilege isolation within Android apps, SDKs have access to the same information and permissions that the host apps have. Therefore, it is common to find data collection and sharing practices by third-party services in Android without user awareness and consent [1].

Furthermore, apps and SDKs have been found to exploit the permission system to access sensitive data even when users deny the permission [2]. Namely, apps and SDKs rely on two types of attacks: covert channels and side channels. Covert channels rely on two entities collaborating to share restricted data when only one of the two has access to it. Side channels, on the other hand, rely on an entity finding an alternative way to access a piece of sensitive data that is not regulated by the permission system.

New regulatory frameworks such as the GDPR, in most common cases, require informed consent from the users when accessing data for secondary purposes such as advertising. They also make the app developers liable for any privacy malpractice by SDKs present on their software, but this is difficult to assess by the average mobile developer. SDKs rarely open their code for independent inspection, and thus app developers (and therefore users) have to blindly believe that they will respect users’ privacy and only collect the data stipulated in their privacy policy.

Research evidence, however, has shown that the behaviour of mobile apps and their data collection practices (mostly the dissemination of personal data to third parties for secondary purposes) contradicts their own privacy policy [3]. It is extremely important for users’ privacy that techniques for independently assessing the privacy risks of mobile apps exist. These tools can also be used by app developers to validate that the data collection practices of the third parties integrated into their mobile apps are not privacy-intrusive and honour users’ privacy choices. One example of such diligence would be developers of children-oriented apps including only third-party libraries that comply with GDPR and COPPA rules, and configuring these SDKs properly [4,5].
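The two points above, that an SDK inherits every permission its host app requests because it runs in the same process, and that developers should check which third parties they ship before publishing, can be turned into a small static check a developer runs on their own build. The script below is an added example, not a tool from the authors or from any of the cited papers. It takes a decoded AndroidManifest.xml and the list of class names found in the app's DEX files (both constructed inline here; in practice they would come from a decoder such as apktool or dexdump) and reports, for each third-party package it recognises, which dangerous-permission data that SDK can reach. The SDK package prefixes are illustrative assumptions: the two `com.example.*` prefixes are invented, and `com.facebook.login` is the package used by the Facebook Login SDK mentioned earlier. Real deployments would replace the prefix table with a maintained library signature list.

```python
"""Static pre-release check: which third-party SDKs are bundled, and which
sensitive permissions they inherit from the host app.  Added example with
constructed inputs; package prefixes are illustrative assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android classifies as "dangerous" (runtime-granted),
# mapped to the kind of personal data they unlock.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_PHONE_STATE": "phone identifiers",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Package prefix -> SDK category.  ASSUMPTION: the com.example.* entries are
# invented placeholders; a real check would use a maintained signature list.
SDK_PREFIXES = {
    "com.example.adsnetwork.": "advertising",
    "com.example.analyticsco.": "analytics",
    "com.facebook.login.": "social login",
}

# Categories whose business model depends on secondary use of personal data,
# and therefore need a consent review when paired with sensitive permissions.
SECONDARY_USE = {"advertising", "analytics"}

# Constructed sample manifest, as a decoder would emit it.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hostapp">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

# Constructed sample of class names found in the app's DEX files.
SAMPLE_CLASSES = [
    "com.example.hostapp.MainActivity",
    "com.example.hostapp.ui.SettingsFragment",
    "androidx.appcompat.app.AppCompatActivity",
    "com.example.adsnetwork.AdView",
    "com.example.adsnetwork.internal.Tracker",
    "com.facebook.login.LoginManager",
]


def requested_permissions(manifest_xml):
    """Return the sorted list of <uses-permission> names in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return sorted(el.get(name_attr) for el in root.iter("uses-permission"))


def detect_sdks(class_names, host_package):
    """Map each recognised third-party package to its category.

    Classes under the host's own package are skipped; everything else is
    matched against SDK_PREFIXES.  Unknown packages are ignored, so an
    empty result does not prove the app is free of third parties."""
    found = {}
    for cls in class_names:
        if cls.startswith(host_package + "."):
            continue
        for prefix, category in SDK_PREFIXES.items():
            if cls.startswith(prefix):
                found.setdefault(prefix.rstrip("."), category)
    return found


def sdk_risk_report(manifest_xml, class_names, host_package):
    """Per-SDK report of inherited sensitive data and whether a consent
    review is needed.  Because Android gives every library the host's
    permissions, each SDK inherits the whole sensitive set."""
    perms = requested_permissions(manifest_xml)
    sensitive = sorted({DANGEROUS[p] for p in perms if p in DANGEROUS})
    report = {}
    for sdk, category in detect_sdks(class_names, host_package).items():
        report[sdk] = {
            "category": category,
            "inherits": sensitive,
            "needs_consent_review": category in SECONDARY_USE and bool(sensitive),
        }
    return report


if __name__ == "__main__":
    for sdk, info in sdk_risk_report(SAMPLE_MANIFEST, SAMPLE_CLASSES,
                                     "com.example.hostapp").items():
        flag = "REVIEW CONSENT" if info["needs_consent_review"] else "ok"
        print(f"{sdk} ({info['category']}): inherits {info['inherits']} -> {flag}")
```

On the sample input the advertising SDK is flagged because the host requests location and contacts, both of which the library can read without any permission of its own; the login SDK inherits the same data but is not in a secondary-use category, so it is reported without the flag. The check is deliberately conservative in the other direction: it only recognises packages in its prefix table, so it complements rather than replaces the dynamic analysis techniques referenced in [1] and [2].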

Related research:

[1] Razaghpanah, Abbas, et al. “Apps, trackers, privacy, and regulators: A global study of the mobile tracking ecosystem.” The 25th Annual Network and Distributed System Security Symposium (NDSS 2018). 2018.

[2] Reardon, Joel, et al. “50 ways to leak your data: An exploration of apps’ circumvention of the android permissions system.” 28th USENIX security symposium (USENIX security 19). 2019.

[3] Okoyomon, Ehimare, et al. “On the ridiculousness of notice and consent: Contradictions in app privacy policies.” Workshop on Technology and Consumer Protection (ConPro 2019), in conjunction with the 39th IEEE Symposium on Security and Privacy. 2019.

[4] Reyes, Irwin, et al. “‘Won’t somebody think of the children?’ Examining COPPA compliance at scale.” Proceedings on Privacy Enhancing Technologies 2018.3 (2018): 63-83.

[5] Feal, Álvaro, et al. “Angel or devil? A privacy study of mobile parental control apps.” Proceedings on Privacy Enhancing Technologies 2020.2 (2020): 314-335.