Researchers create privacy wrapper for Android Web apps
On a mobile application, users typically have a single choice to protect their privacy: install the application or not.
The binary choice has left most users ignoring permission warnings and sacrificing personal data. Most applications aggressively eavesdrop on their users, from monitoring their online habits through the device identifier to tracking their movements in the real world via location information.
Now, a research group at North Carolina State University hopes to give the average user a third option. Dubbed NativeWrap, the technology allows Web pages to be wrapped in code and make them appear as a mobile application, but with user-controlled privacy. Because many applications just add a user interface around a Web application, the user should have equivalent functionality for many wrapped apps, said William Enck, assistant professor in the department of computer science at North Carolina State University.
“You can go to any Web site that you want to turn into an app and create your own custom version that can be installed to your phone,” he said. “Permissions are determined by you, the user.”
Numerous studies have found that applications routinely use unnecessary permissions to collect data on users. A study released in February by McAfee found that 82 percent of applications tracked their users. Ninety-nine of the top 100 free mobile applications on both Android and iOS had at least one risky behavior, according to application-reputation firm Appthority’s Summer 2014 App Reputation Report. Paid applications were not much more respectful of their users’ privacy: 87 percent of iOS and 78 percent of Android apps risked users’ privacy and security. Appthority defines risky behavior as the collection of location information and device identifiers, the allowing of in-app purchases, or the accessing of the contacts database or the user’s calendar.
The NCSU’s NativeWrap, which was presented at the 7th ACM Conference on Security and Privacy in Wireless and Mobile Networks (WISEC) in late July, adds a number of privacy enhancements, including an isolated cookie store to prevent tracking across Web sites by advertising networks and enforcement of Secure Socket Layer (SSL) encryption. In addition, the application defaults to Internet-only permissions, thus limiting the amount of information leaked to developers.
To do this, NativeWrap turns a URL into an application. Because about 8 percent of all mobile apps are actually just a way of viewing functionality on the Web, through the WebView component, those applications can be easily wrapped, according to the researchers. Such applications will have their own cookie stores to foil tracking by advertising services, such as Doubleclick.
“You can lock it down and say that this wrapped app will never be able to access certain permissions,” Enck said. “It gives us the isolation that we need, so that, even if a website were to ask for your location, it would never be able to get it.”
The utility of information leaked from mobile devices was spotlighted in January, when leaked classified documents showed the extent that US and British intelligence agencies collected data from cell phones. The US National Security Agency and its British counterpart, known as the Government Communications Headquarters (GCHQ), worked together to collect any data leaked by mobile applications, according to reports in January by ProPublica, The New York Times, and The Guardian.
The technique is not without its drawbacks. While 81 percent of applications surveyed by the researchers use the WebView component, only 8 percent represent true Web apps and can have their complete functionality included in a wrapped application. In addition, users will have to allow “side loading”—downloading an application from outside the Google Play store—to initially wrap an application, which could weaken security.
Listing image by Kārlis Dambrāns