Android browsers threaten user privacy, says Khoury-led international research team
Author: Zorain Nizamani
Date: 08.17.23
Android users to the front! Regardless of which mobile browser you use, it may be collecting your personal data and compromising your security. But to what extent is it doing so, and what can you do about it?
That is what Khoury College doctoral student Amogh Pradeep has set out to find. In his recent study “Not Your Average App: A Large-scale Privacy Analysis of Android Browsers,” Pradeep and his multinational research team investigated the personal data collected by browsers, and how such collection can be prevented. After examining the largest dataset of these browsers ever assembled, the researchers found that numerous Android browsers were engaging in privacy-harming behaviors.
For Pradeep, a study of this size was years in the making. His work in mobile security and privacy began during his undergraduate studies at the International Institute of Information Technology in Hyderabad, India. There, he worked on the Tor Project, an anonymous communication tool commonly used by journalists and activists for secure messaging.
“It is essentially a research tool used to maintain anonymity while exposing others, such as by leaking important documents. If you are a whistleblower, you have to use it because everything else is heavily surveilled,” Pradeep says. “When I worked on it, I got to travel a lot and met various people at security conferences.”
As he gained exposure, Pradeep started to work on his own projects and the topics that most interested him, leading him to mobile browsers.
“I did not know at first that there were so many browsers being used by people all around the world. So, it was fascinating to see if one of these browsers was doing something suspicious,” explains Pradeep, who is now a member of Northeastern’s Cybersecurity and Privacy Institute. “The idea first came from Chinese browsers. In China, the way they limit the internet is by limiting the network itself … I was just wondering if they were monitoring users through the browsers too … It’s a new avenue where it could possibly be done, but I was not quite sure.”
Pradeep knew that user data was regularly monitored by websites but didn’t see any data about whether Android mobile browsers were also compromised. The solution was an in-depth study where Pradeep and his team could analyze the browsers and determine whether they were collecting data on their users.
“The first step was getting our hands on these browsers from different app stores. After this, we looked at the code of these browsers to understand their functionality. This is referred to as static analysis,” Pradeep says. “You don’t run the browser; you only look at its code to see what kind of data is being collected.”
Aside from Khoury College, the team executing this analysis consisted of researchers from the IMDEA Networks Institute and Universidad Carlos III de Madrid in Spain, the Vienna University of Technology in Austria, and the University of Helsinki in Finland.
“We have a lot of collaborators who are like-minded and who want to explore these things. It just happens that Dave Choffnes, my advisor, is in collaboration with the other institutes. This was an idea they had at one of their conferences, and that’s how this academic collaboration happened.”
Pradeep and his team analyzed a whopping 424 browsers, including Google Chrome, UC Browser, Mozilla Firefox, and Opera. They ran each browser through a series of tests and hypothesized that the browsers were replacing or modifying content in ways that jeopardized user privacy.
“We found that data collection was happening, and a lot of these browsers were collecting web history that you browse with,” Pradeep says, acknowledging that users often click ‘agree’ to one-sided, consumer-unfriendly terms and conditions without understanding the fine print. “They say, ‘Oh, but it was in the policy’ but that’s a bit of an issue when you think of how that’s affecting user privacy. These browsers will say that they are anonymous and private, but then they will still collect your data. And how that data is being used is something we cannot say at this point; that’s a different ball game.”
In today’s technology-infused world, user data is among the biggest assets companies can own, as it helps predict trends and user behavior. But for the users, it is imperative that personal data is protected, and Pradeep is on a mission to make that happen.