Where does all that data go?

Rédigé par Geoffrey Delcroix


10 avril 2017

Mobilitics had already shown that mobile apps are a thriving ecosystem where personal data are like the hidden part of the iceberg. A team of researchers from the University of Trento in Italy and from SAP Labs in France tried to answer a simple question: where do these data go? The PDTLoc project aimed at analyzing remote server locations for personal data transfers in mobile apps. 

LINC (Vincent Toubiana, Technologist, and Geoffrey Delcroix, Innovation & foresight): Your team developed a project called “PDTLoc” (Personal Data Transfer Location Analyzer) that focus on analyzing mobile apps and identifying the location of servers to which personal data is transferred. Why did you choose to create such a project, and to focus specifically on the location of servers?

PDTLoc Team : Data location is a central concern in the interplay of cloud computing and regulatory frameworks. We have conducted previous research about this topic as part of SECENTIS project. For this project we developed a technique to assert whether your virtual machine runs where it is supposed to be (according to your cloud service contract). In the work we will present at PETS this year, we were mostly motivated by the discussions about evolving regulatory framework for personal data protection in Europe. We wanted to quantify how many of the personal data transfers are made out of the European user’s smartphones and to which countries, such that we could verify if the reach of the current agreements for data transfers is adequate. 

How many applications did you analyzed with the tool you developed and what did you discover? 

We analyzed the 400 most used apps for each member state of the European Economic Area. In total we analyzed 2000 distinct apps, from which around 1800 where amenable to our automated analysis. We discovered that two thirds of the servers receiving our personal data are in the US. Most of the apps do not collect consent for that explicitly, since half of them did not even have a privacy policy. Second, around a quarter of the servers reached by the studied mobile apps are in countries considered not to have an adequate level of protection. The detailed results, including what data items are transferred and the location of the remote servers are available online. We consider that this set reflects extremely well the smartphone apps ecosystem, since more than 80% of these apps are also available for iOS. IPhone versions are likely to use the same backend remote servers for processing the personal data they collect. An important remark is that the apps may have been updated, since the time we conducted our study.

The readers can view the analysis data for each app on the web site http://titan.disi.unitn.it/pdtloc/.

For our more expert readers, can you go into the details of how the tool works?

PTDLoc has two main phases, first it performs static analysis to flag data flows from APIs that provide access to users' personal data (i.e., device id, location, contacts, media, etc.) to APIs that potentially transfer this data to remote servers. A deeper analysis of the code slices enables PTDLoc to determine the nature of the personal data and extract hard coded URLs. 

The second phase is a dynamic analysis, where we can observe actual network traffic containing personal data towards remote servers by simulating user interaction (using Monkey and other tools) in an emulator. We then use well known third party services to locate the remote servers contacted by each app. Finally we analyzed a very large sample of the privacy policies - for those apps which have one – unfortunately most of them do not mention where they are going to process personal data, nor the third parties that may have access to personal data.

The paper with full details is available in open access here: http://dx.doi.org/10.1515/popets-2017-0008

PDTLoc Project Team

Publié le 07 avril 2017

(Clockwise, from top left)

- Mojtaba Eskandari is a PhD candidate at University of Trento. His current research interests are privacy compliance for mobile and cloud services, malware analysis and IoT.

- Maqsood Ahmad is Doctoral Student at University of Trento, among other topics he is an expert in mobile application security analysis.

- Bruno Crispo is a professor at Professor at the University of Trento and KU Leuven. He has several years of experience in driving research projects in security and privacy.

- Anderson Santana de Oliveira is a senior researcher in the SAP Product Security Research team, working on cloud security, privacy and data protection related topics.

Illustration : Flickr "Where to next..." by Wes Peck (CC BY ND)

Article rédigé par Geoffrey Delcroix , Chargé des études prospectives