App vs. website: Which best protects your privacy? It depends

Should you use the app—or a web browser—for that? That’s the question that Northeastern researchers, led by assistant professor David Choffnes, ask in new research that explores how free app– and web-based services on Android and iOS mobile devices compare with respect to protecting users’ privacy.

In particular, the team investigated the degree to which each platform leaks personally identifiable information—ranging from birthdates and locations to passwords—to the advertisers and data analytics companies that the services rely on to help finance their operations.

The answer? “It depends,” says Choffnes, a mobile systems expert in the College of Computer and Information Science. “We expected that apps would leak more identifiers because apps have more direct access to that information. And overall that’s true. But we found that typically apps leak just one more identifier than a website for the same service. In fact, we found that in 40 percent of cases websites leak more types of information than apps.”

Those types of information vary, based on the platform. For example, the researchers found that websites more frequently leak locations and names, whereas only apps were found to leak a device’s unique identifying number.

The researchers will present their findings in a paper at the 2016 Internet Measurement Conference, in Santa Monica, California, in November.

The team’s aim is to help users make informed decisions about how best to access online services. To that end, they have integrated their findings into an easy-to-use interactive website that rates the degree of leakiness of 50 free online services, from Airbnb to Zillow, based on each user’s privacy preferences.

Here’s how it works: Users select from a drop-down list of 50 services and check off whether their operating system is Android or iOS. Next they’re asked to rate which of various types of personal information, from their birthdates to their devices’ unique identifiers, they care most about keeping private. Then, automatically, the site generates two “leakiness indexes” for the service selected—a sky blue bar for the app version, a lime green one for the web—and recommends which platform is best for that particular user.

“There’s no one answer to which platform is best for all users,” says Choffnes. “We wanted people to have the chance to do their own exploration and understand how their particular privacy preferences and priorities played into their interactions online.”

A call to action

For the study, the researchers selected 50 of the most popular free online services in a variety of categories, including business, entertainment, music, news, shopping, travel, and weather. Each service had to offer the same functionality on both its website and app. To ensure that they were interacting with the services as everyday users would, the researchers conducted manual, rather than automated, tests, personally logging in, entering requested user data into text fields, and navigating the environment.

“My goal is not just to tell people a scary story but to issue a call to action. Users could start requesting the privacy and transparency considerations they want from the companies they interact with.”
— David Choffnes, assistant professor

Both apps and websites, they found, leaked locations, names, gender, phone numbers, and e-mail addresses to varying degrees. But there were surprises. “We didn’t expect to find the diversity of information collected across the different platforms even for the same service,” says Choffnes. Moreover, four services sent encrypted passwords to another party: the Grubhub app, unintentionally, due to a bug, which has been fixed; the JetBlue app, for authentication purposes; the Food Network app and website, for identity management; and the NCAA website, for identity management.

“The reasons for the intentional leaks are legitimate, and I’m sure that the services have appropriate agreements with the other parties to protect the passwords,” says Choffnes. “But the practice still raises an important issue: Users have no idea that their passwords are being sent to another party.” Consider: JetBlue customers making an airline reservation likely assume they are submitting their passwords to JetBlue for authentication, when in fact their credentials are being managed by a third party, Useablenet.

Choffnes hopes that the findings will start a dialogue between consumers and online services about the kinds of information that should be collected, balancing the services’ revenue needs with consumers’ privacy needs. “My goal is not just to tell people a scary story but to issue a call to action,” he says. “Part of that action could be that users start requesting or even demanding the privacy and transparency considerations they want from the companies they interact with.”

The material in this press release comes from the originating research organization. Content may be edited for style and length.