
Are iPhones Really Better for Privacy? Comparative Study of iOS and Android Apps (2109.13722v4)

Published 28 Sep 2021 in cs.CR and cs.CY

Abstract: While many studies have looked at privacy properties of the Android and Google Play app ecosystem, comparatively much less is known about iOS and the Apple App Store, the most widely used ecosystem in the US. At the same time, there is increasing competition around privacy between these smartphone operating system providers. In this paper, we present a study of 24k Android and iOS apps from 2020 along several dimensions relating to user privacy. We find that third-party tracking and the sharing of unique user identifiers was widespread in apps from both ecosystems, even in apps aimed at children. In the children's category, iOS apps tended to use fewer advertising-related tracking than their Android counterparts, but could more often access children's location. Across all studied apps, our study highlights widespread potential violations of US, EU and UK privacy law, including 1) the use of third-party tracking without user consent, 2) the lack of parental consent before sharing personally identifiable information (PII) with third-parties in children's apps, 3) the non-data-minimising configuration of tracking libraries, 4) the sending of personal data to countries without an adequate level of data protection, and 5) the continued absence of transparency around tracking, partly due to design decisions by Apple and Google. Overall, we find that neither platform is clearly better than the other for privacy across the dimensions we studied.

Authors (5)
  1. Konrad Kollnig (20 papers)
  2. Anastasia Shuba (8 papers)
  3. Reuben Binns (35 papers)
  4. Max Van Kleek (36 papers)
  5. Nigel Shadbolt (40 papers)
Citations (63)

Summary

  • The paper presents a comprehensive analysis of 24,000 mobile apps across iOS and Android, employing code and network traffic analysis alongside company resolution.
  • It finds both ecosystems widely integrate tracking libraries, with Android apps more frequently accessing AdId and iOS apps requesting more user permissions.
  • The study highlights pervasive data sharing before consent, emphasizing the urgent need for stronger privacy regulations and enhanced transparency.

Comparative Analysis of Privacy in iOS and Android Apps

The paper "Are iPhones Really Better for Privacy? A Comparative Study of iOS and Android Apps" provides a detailed examination of privacy practices in mobile applications across the iOS and Android ecosystems. The focus of this paper is a comparative analysis of 24,000 apps—12,000 from each platform—highlighting their privacy implications and compliance with privacy laws across multiple regions, including the US, EU, and UK.

Methodological Approach

The research adopts a multifaceted approach comprising code analysis, network traffic analysis, and company resolution. These methods explore various dimensions of privacy:

  1. Code Analysis: Identifies the tracking libraries present in applications and assesses whether they are configured to minimize data collection. This is achieved without the decryption of iOS apps, using Frida for dynamic analysis of iOS applications.
  2. Network Traffic Analysis: Involves capturing and examining apps' HTTPS traffic to study real-world data sharing, including the sharing of personal identifiers such as the Advertising ID (AdId).
  3. Company Resolution: This involves determining the companies behind the tracking libraries and domains, as well as understanding their corporate structures and jurisdictions. This component is facilitated by the X-Ray 2020 database update, which includes information on tracker companies and their parent organizations.
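
A sketch of the network-traffic and company-resolution steps, added here as an illustration and not taken from the paper or its tooling: it scans captured requests for a test device's known AdId and attributes each hit to a company. The flow records, the `consent_given` flag, the `.example` hosts and the owner table are constructed assumptions; the study itself resolved companies with the X-Ray 2020 database.

```python
from urllib.parse import urlsplit, unquote_plus

# Constructed owner table (registrable domain -> company, parent); not X-Ray 2020 data.
TRACKER_OWNERS = {
    "tracker-a.example": ("Tracker A", "ParentCo"),
    "ads-b.example": ("Ads B", "ParentCo"),
}

# Constructed AdId of the test device and constructed decrypted HTTPS flows.
AD_ID = "0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0"
SAMPLE_FLOWS = [
    {"url": "https://eu.collect.tracker-a.example/v1/event"
            "?idfa=0F1E2D3C-4B5A-6978-8796-A5B4C3D2E1F0",
     "body": "", "consent_given": False},
    {"url": "https://api.ads-b.example/bid",
     "body": '{"device":{"ifa":"0f1e2d3c4b5a69788796a5b4c3d2e1f0"}}',
     "consent_given": True},
    {"url": "https://cdn.firstparty.example/config.json?v=3",
     "body": "", "consent_given": False},
]

def normalise(text):
    """URL-decode, lowercase and drop dashes so encoded variants of the ID match."""
    return unquote_plus(text).lower().replace("-", "")

def resolve_company(host):
    """Match the host, then each parent domain, against the owner table."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        owner = TRACKER_OWNERS.get(".".join(labels[i:]))
        if owner:
            return owner
    return None

def audit_flows(flows, ad_id):
    """Return one finding per request that carries ad_id in its query or body."""
    needle = normalise(ad_id)
    findings = []
    for flow in flows:
        parts = urlsplit(flow["url"])
        if needle not in normalise(parts.query + " " + flow.get("body", "")):
            continue
        company, parent = resolve_company(parts.hostname or "") or ("unresolved",) * 2
        findings.append({"host": parts.hostname, "company": company, "parent": parent,
                         "before_consent": not flow["consent_given"]})
    return findings

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS, AD_ID):
        print(finding)
```

Matching on a normalised form catches the upper-case and dash-less encodings in the sample; hashed or otherwise transformed identifiers would need additional needles.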

Key Findings

The paper provides several insights into the privacy landscape across iOS and Android apps:

  • Widespread Use of Trackers: Both ecosystems demonstrate significant integration with tracking libraries. Google maintains a dominant presence across both platforms, particularly with its Google Play Services on Android and Firebase on iOS.
  • AdId Access: Android apps were more inclined towards accessing the AdId than iOS apps. This difference might be attributed to stricter policy implementations by Apple regarding AdId usage and the requirement for user opt-in starting with iOS 14.5.
  • Permissions: Apps on iOS tend to request more permissions that both platforms categorize as requiring user opt-in (termed "dangerous permissions" on Android). Furthermore, Android exhibits a broader array of permissions but generally requires opt-in only for these dangerous permissions.
  • Data Sharing Without Consent: The capture and sharing of user data prior to consent is a pervasive issue. This practice potentially contravenes existing privacy laws in the jurisdictions studied, highlighting a significant compliance gap.
  • Privacy in Children’s Apps: The paper highlights substantial privacy concerns in applications targeted toward children, with both platforms showing inadequate compliance with legal protections for children’s privacy.

Implications and Future Developments

The findings suggest no clear privacy advantage for either platform, disputing the common perception that iOS might inherently offer better user privacy controls compared to Android. Both ecosystems manifest distinct privacy challenges, exacerbated by varying platform policies and the global distribution strategies adopted by Google and Apple.

The paper accentuates the necessity for enhanced transparency in app development practices and the enforcement of privacy regulations. Regulatory bodies are encouraged to scrutinize the nuanced privacy issues surrounding app ecosystems, especially given the complex interplay of platform governance with user privacy.

Future research might explore the impact of Apple's subsequent privacy policy implementations, assess cross-platform integration of apps further, and develop comprehensive methodologies for assessing app compliance with evolving privacy standards. Additionally, the adaptation of methodologies to tackle the ever-evolving privacy landscape, including the emergence of new trackers and data-sharing strategies, remains critical.

This paper serves as a substantive contribution to the debate on privacy within mobile ecosystems, providing empirical evidence that emphasizes the need for systemic changes both in regulatory frameworks and platform design to better safeguard user data.
