Journal Details
Format: Journal
eISSN: 2299-0984
First Published: 16 Apr 2015
Publication timeframe: 4 times per year
Languages: English
Access type: Open Access

The Price is (Not) Right: Comparing Privacy in Free and Paid Apps

Published Online: 17 Aug 2020
Volume & Issue: Volume 2020 (2020) - Issue 3 (July 2020)
Page range: 222 - 242
Received: 30 Nov 2019
Accepted: 16 Mar 2020
Abstract

It is commonly assumed that “free” mobile apps come at the cost of consumer privacy and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by comparing the privacy practices of free apps and their paid premium versions, while also gauging consumer expectations surrounding free and paid apps. We use both static and dynamic analysis to examine 5,877 pairs of free Android apps and their paid counterparts for differences in data collection practices and privacy policies between pairs. To understand user expectations for paid apps, we conducted a 998-participant online survey and found that consumers expect paid apps to have better security and privacy behaviors. However, there is no clear evidence that paying for an app will actually guarantee protection from extensive data collection in practice. Given that the free version had at least one third-party library or dangerous permission, respectively, we discovered that 45% of the paid versions reused all of the same third-party libraries as their free versions, and 74% of the paid versions had all of the dangerous permissions held by the free app. Likewise, our dynamic analysis revealed that 32% of the paid apps exhibit all of the same data collection and transmission behaviors as their free counterparts. Finally, we found that 40% of apps did not have a privacy policy link in the Google Play Store and that only 3.7% of the pairs that did reflected differences between the free and paid versions.
