Apps vs. mobile websites: Which option offers users more privacy?

Do mobile applications or mobile websites offer more privacy? Until recently, the answer has been, “don’t know,” which can be troubling to those concerned about their online privacy. It also popped up on the radar of David Choffnes, assistant professor of Computer and Information Science and his fellow researchers at Northeastern University. Here’s an excerpt from a Northeastern University press release about the team’s research on the topic:

“The team investigated the degree to which each platform (mobile website and mobile app) leaks Personally Identifiable Information (PII) to advertisers and data analytics companies that the services rely on to help finance their operations.”

Before getting to the team’s results, let’s define what we’re talking about:

• Mobile website: A website designed for smartphones and tablets accessed using the mobile device’s web browser. Users type in the URL or click on a link to the mobile website, which then detects the mobile device and redirects the viewer to the appropriate version of the mobile internet site.
• Mobile Application: Unlike a mobile website, a mobile app must be downloaded and installed, typically from an app marketplace.

SEE: Securing Your Mobile Enterprise (ZDNet/TechRepublic special feature)

Test parameters

As to the answers, the Northeastern University researchers published their findings in the paper: Should You Use the App for That? (PDF) Typical of good academic research, the paper first explains how the tests were conducted. The team tested 50 of the most popular free online services (a variety of categories), each of which met the following requirements:

• Must be popular (featured in an app store)
• Must provide a free app in Google Play and/or the Apple app store
• Must provide equivalent functionality via a mobile web browser
• Must not implement certificate pinning

Must-read security coverage

• UK Police Convicts Pair in £5.5 Billion Bitcoin Launder Case
• Blackpoint Cyber vs. Arctic Wolf: Which MDR Solution is Right for You?
• How GitHub Is Securing the Software Supply Chain
• 8 Best Enterprise Password Managers

Next, a decision had to be made as to what constitutes a PII leak. The team determined their focus would be on PII that is:

• Transmitted over the internet unencrypted, thus exposing the data to eavesdroppers
• Sent to third parties (encrypted or plain text), and is not required for logging into the service, thus exposing users to profiling.

The research paper mentions one exception, “If a username, password, or e-mail address (often used as a username) is transmitted to a first-party site over HTTPS, then we do not consider them to be leaks.”

Something else determined to be important was testing each mobile app and mobile website manually, so as to simulate users by:

• Personally logging in
• Entering requested PII into the text fields
• Randomly navigating the digital environment

The answer, please

After all that, the answer is “It depends.” Choffnes continues, “We expected that apps would leak more identifiers because apps have more direct access to that information. And overall that’s true. But we found that typically apps leak just one more identifier than a website for the same service. In fact, we found that in 40 percent of cases websites leak more types of information than apps.”

The paper offers the following key findings:

• Should apps be used instead of mobile websites? There is no clear-cut answer. Choffnes mentions earlier that mobile apps are expected to leak more PII; however, in 40% of the tests, mobile websites leaked more types of information.
• What information leaks from each media type? Testing found that names and locations leaked more from mobile websites. And as can be expected, only mobile apps leaked unique identifiers and device-specific information.
• Websites directly contact more trackers and advertisers than apps. The research paper’s authors state, “Web sites often include content from multiple advertisers and third parties, and cause browsers to redirect through several more via real-time bidding. In contrast, most apps include a single advertisement library, which contacts fewer domains.”
• How much tracking is common between mobile apps and mobile websites for the same service? Mobile apps and mobile websites can and do leak locations, names, gender, phone numbers, and email addresses.

SEE: Executive’s guide to mobile security (free ebook)

Researchers offer online help

The researchers developed an interactive website that rates the leakiness of 50 free online services, from Airbnb to Zillow, based on each user’s privacy preferences. Figure A shows the leakiness for Priceline.

Figure A

The team’s aim is to help users make informed decisions about how best to access online services. “There’s no one answer to which platform is best for all users,” says Choffnes. “We wanted people to have the chance to do their own exploration and understand how their particular privacy preferences and priorities played into their interactions online.”

This November, the researchers will present their findings at the 2016 Internet Measurement Conference in Santa Monica, California.