Analyzing Remote Server Locations for Personal Data Transfers in Mobile Apps

Mobile devices are usually home to a wide range of users' personal data, and the apps on them often rely on cloud servers for storage and processing. The sensitivity of a user's personal data demands an adequate level of protection at the back-end servers. In this regard, the European Union Data Protection regulations (e.g., Article 25.1) impose restrictions on the locations to which European users' personal data may be transferred. The matter of concern, however, is the enforcement of such regulations. The first step in this regard is to analyze mobile apps and identify the locations of the servers to which personal data is transferred. To this end, we design and implement an app analysis tool, PDTLoc (Personal Data Transfer Location Analyzer), to detect violations of the mentioned regulations. We analyze the 1,498 most popular apps in the EEA using PDTLoc to investigate the locations of the servers receiving the data. We found that 16.5% (242) of these apps transfer users' personal data to servers located outside Europe without being under the control of a data protection framework. Moreover, we inspect the privacy policies of the apps, revealing that 51% of these apps do not provide any privacy policy, while almost all of them contact servers hosted outside Europe.

[ Download the paper ]

Authors: Mojtaba Eskandari, Maqsood Ahmad, Anderson Santana de Oliveira, and Bruno Crispo

Mojtaba Eskandari: DISI, University of Trento, Italy and Fondazione Bruno Kessler, Trento, Italy
Maqsood Ahmad: DISI, University of Trento, Italy
Anderson Santana de Oliveira: SAP Labs, France
Bruno Crispo: DISI, University of Trento, Italy and DistrNet, KULeuven, Belgium

This study is part of the SECENTIS project.

Analysis Results

We statically analyzed all 1,498 apps; 1,472 (98%) of them use reflection, so we also analyzed those dynamically.

Personal Data Collection

Pieces of personal data stored on a user's device are categorized into three broader groups, as shown in the table beside. These groups, Content, Device and Network, represent user data stored on the device, device status data, and network data, respectively.

The figure below provides a graphical representation of the number of apps that access the various types of personal data. According to these results, device status data (marked as “Device” in the table), such as device id, notifications and power information, is accessed by almost all apps. Further examination revealed that 75% of the apps request the device location. Similarly, network information is of interest to 65% of the apps. What is alarming here is that over 70% of the apps read “Content”, which carries sensitive personal information.

Server Locations

The figure on the right illustrates the distribution of locations for the servers engaged in the transmission of personal data. As it reveals, only 23% of the servers are hosted in the EEA, and the majority of the servers (67%) are in the US. Therefore, the major portion of personal data is expected to travel outside the EEA.

The main focus of this work is to provide a location analysis of the servers contacted by the analyzed apps. This figure shows a graphical representation of the country-wise distribution of servers based on the number of apps. It illustrates that a reasonable portion of the apps contact (as observed) and potentially transfer data to servers outside the EEA and the US, especially in China, Japan, India and Russia.
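The following is an added example, not part of the paper or of PDTLoc's code, of the classification step the preceding sections describe: each observed transfer (app, server, personal-data item) is mapped to the paper's three data groups and to the server's country, and an app is flagged when personal data reaches a server outside the EEA that is not covered by a recognised data protection framework. The data-item labels, the hostnames and the IP-to-country table are constructed for the example (the IP ranges are RFC 5737 documentation addresses); a real tool would take the transfers from its static/dynamic analysis and the countries from a GeoIP or WHOIS lookup.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Tuple

# EEA member states (EU 27 plus Iceland, Liechtenstein, Norway), ISO 3166-1 alpha-2.
EEA = frozenset("""AT BE BG HR CY CZ DK EE FI FR DE GR HU IE IT LV LT LU MT NL PL PT
RO SK SI ES SE IS LI NO""".split())

# The paper's three personal-data groups, keyed by the item an app reads.
# The item names are assumed labels for this example, not PDTLoc's identifiers.
DATA_GROUP = {
    "contacts": "Content", "sms": "Content", "calendar": "Content",
    "device_id": "Device", "location": "Device", "notifications": "Device",
    "power": "Device",
    "wifi_state": "Network", "cell_info": "Network",
}

# Constructed IP-to-country table (documentation ranges only).
GEO_TABLE = [
    (ip_network("192.0.2.0/24"), "DE"),
    (ip_network("198.51.100.0/24"), "US"),
    (ip_network("203.0.113.0/24"), "CN"),
]


@dataclass(frozen=True)
class Transfer:
    app: str   # package name
    host: str  # server hostname seen in the outgoing request
    ip: str    # address the hostname resolved to during analysis
    item: str  # data item found in the request payload


def country_for(ip: str) -> str:
    """Country code of the server address, or '??' when unknown."""
    addr = ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"  # unknown location is treated as outside the EEA below


def jurisdiction(cc: str, framework: FrozenSet[str]) -> str:
    """EEA, FRAMEWORK (covered by a recognised framework) or OUTSIDE."""
    if cc in EEA:
        return "EEA"
    if cc in framework:
        return "FRAMEWORK"
    return "OUTSIDE"


def find_violations(transfers: List[Transfer],
                    framework: FrozenSet[str] = frozenset()
                    ) -> Dict[str, List[Tuple[str, str, str]]]:
    """Map each app to the (host, country, data group) triples that carry
    personal data outside the EEA without a framework. Clean apps are absent."""
    out: Dict[str, List[Tuple[str, str, str]]] = {}
    for t in transfers:
        group = DATA_GROUP.get(t.item)
        if group is None:
            continue  # not personal data under the paper's grouping
        cc = country_for(t.ip)
        if jurisdiction(cc, framework) == "OUTSIDE":
            out.setdefault(t.app, []).append((t.host, cc, group))
    return out


def violation_rate(transfers: List[Transfer],
                   framework: FrozenSet[str] = frozenset()) -> float:
    """Fraction of analyzed apps with at least one flagged transfer."""
    apps = {t.app for t in transfers}
    return len(find_violations(transfers, framework)) / len(apps) if apps else 0.0


# Constructed sample of observed transfers for four hypothetical apps.
SAMPLE = [
    Transfer("com.example.a", "api.example-a.test", "192.0.2.10", "contacts"),
    Transfer("com.example.b", "cdn.example-b.test", "198.51.100.7", "device_id"),
    Transfer("com.example.c", "api.example-c.test", "192.0.2.22", "contacts"),
    Transfer("com.example.c", "tracker.example-c.test", "203.0.113.5", "location"),
    Transfer("com.example.d", "stats.example-d.test", "203.0.113.9", "screen_size"),
]

if __name__ == "__main__":
    for app, hits in find_violations(SAMPLE).items():
        print(app, hits)
    print("violation rate:", violation_rate(SAMPLE))
```

With an empty framework set, the US-hosted transfer of `com.example.b` is flagged alongside the Chinese one of `com.example.c`; passing `frozenset({"US"})` as `framework` models the paper's distinction between servers merely outside Europe and those outside Europe and outside any data protection framework, and only `com.example.c` remains flagged.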

[ Full list of the analyzed apps with details ]