Anderson Santana de Oliveira, and
This study is part of SECENTIS project.
We analyzed statically all 1,498 apps and out of these apps, 1,472 (98%) apps use reflection; therefore, we analyzed them also dynamically.
Pieces of personal data stored on a user's device are categorized into three broader groups as shown in the table beside. These groups, Content; Device; and Network, represent
user data stored on the device; device status data; and
network data, respectively.
The figure below provides a graphical representation of the number of apps that access the various types of personal data. According to these results, device status data, marked as “Device”, such as device id, notifications and power information, etc., as shown in the table, is accessed by almost all apps. Further examination revealed that 75% of the apps request device location. Similarly, network information is of interest to 65% of the apps. What is alarming here is that over 70% of the apps read “Content”, which carries sensitive personal information.
The figure in right, illustrates the distribution of locations for
servers engaged in the transmission of personal data.
As it reveals, only 23% of the servers are hosted in the EEA and the majority of the servers (67%) is in
the US. Therefore, it is expected that the major portion of personal data to travel outside the EEA.
The main focus of this work is to provide a location analysis of the servers contacted by the analyzed apps. This figure shows a graphical representation of the country-wise distribution of servers based on the number of apps. It illustrates that a reasonable portion of the apps contact (observed and potentially transfer data to) servers outside the EEA and US, especially China, Japan, India and Russia.