iOS: The “myth of privacy”

This paper published on Arxiv was much debated and discussed on the Hacker News forums. I decided to include it here:

Kollnig, Konrad, Anastasia Shuba, Reuben Binns, Max Van Kleek, and Nigel Shadbolt. 2021. “Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps.” arXiv [cs.CR]. arXiv. http://arxiv.org/abs/2109.13722.

[embeddoc url=”https://arxiv.org/pdf/2109.13722.pdf”%5D

Keu Points:

The collection and processing of personal data has become a nearly ubiquitous part of digital life, and is dominated by a small number of powerful technology companies
Apple and Google govern their respective app ecosystems, but pursue different strategies with respect to revenue streams, and the freedoms and responsibilities they grant to app publishers and users
In terms of revenue streams, both platforms take a share of up to 30% from all direct revenues created from app sales and in-app purchases, but differ otherwise [38]
Google’s strategy, in contrast, is geared towards the global distribution of Android and Google Play on handsets manufactured by others [10]
A more significant source of revenue for Google is advertising; the parent company of Google, Alphabet, is estimated to have generated $147bn (80%) of its 2020 revenue from advertising [4], with more than half of revenue stemming from mobile devices [25]
This advertising business greatly relies on the collection of data about users, including from mobile devices
Using the privacy footprints built from our analyses, we find and discuss violations of privacy law and limited compliance with app stores’ data collection policies
Technical Contributions—We present a methodology for large-scale and automatic download, privacy analysis, and comparison of apps from the Google Play and Apple App Stores
While many studies have analysed privacy in the Android ecosystem, comparatively much less is known about iOS
Previous work managed to decompile a subset of iOS apps, but no universal decompilation tools exist [23, 73]
While we focus on a subset from the overall apps, our results can be extrapolated to the larger dataset, and across all apps on the app stores updated since 2018, with limited error
We further identified cross-platform apps, that is those with both an Android and iOS version, among the 24k downloaded apps, using a simple similarity algorithm that examined terms from both app titles and app identifiers as follows: We first tokenized, counted and frequency weighted terms from app titles and app identifiers for all 560k iOS and Android apps using TF-IDF, computed cosine similarities between pairs of the resulting vectors
Afterwards, we explore the complex network of companies behind tracking and their jurisdictions (Section 4.4)
We find that data sharing with tracker companies before any user interaction is common on both platforms
As suggested by our previous static analysis, more Android apps shared the Advertising Identifier (AdId) over the Internet (55.4% on Android, and 31.0% on iOS)
While it has been argued that the choice of smartphone architecture might protect user privacy, no clear winner between iOS and Android emerges from our analysis
Data sharing for tracking purposes was common on both platforms
Android apps tended to share the AdId, which can be used for tracking users across apps, more often than iOS apps
We found widespread potential compliance issues with US, EU and UK privacy law (e.g. by tracking users without the necessary consent, or by sending personal data to countries without an adequate level of data protection)
On Android, Google has banned the installation of root certificates in unmodified versions of Android, enabled app obfuscation in release builds by default, and been taking measures against those who modify their Android device with its SafetyNet
Since the platforms take a share of any sales through the app stores, both Apple and Google have a natural interest in creating business opportunities for app publishers, and letting them collect data about users to drive such sales