Do You Get What You Pay For? Comparing The Privacy Behaviors of Free vs. Paid Apps

TitleDo You Get What You Pay For? Comparing The Privacy Behaviors of Free vs. Paid Apps
Publication TypeConference Paper
Year of PublicationIn Press
AuthorsHan, C., Reyes I., Bar On A. Elazari, Reardon J., Feal Á., Bamberger K. A., Egelman S., & Vallina-Rodriguez N.
Published inProceedings of the Workshop on Technology and Consumer Protection (ConPro 2019)
Abstract

It is commonly assumed that the availability of “free” mobile apps comes at the cost of consumer privacy, and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by investigating the degree to which “free” apps and their paid premium versions differ in their bundled code, their declared permissions, and their data collection behaviors and privacy practices. We compare pairs of free and paid apps using a combination of static and dynamic analysis. We also examine the differences in the privacy policies within pairs. We rely on static analysis to determine the requested permissions and third-party SDKs in each app; we use dynamic analysis to detect sensitive data collected by remote services at the network traffic level; and we compare text versions of privacy policies to identify differences in the disclosure of data collection behaviors. In total, we analyzed 1,505 pairs of free Android apps and their paid counterparts, with free apps randomly drawn from the Google Play Store’s category-level top charts. Our results show that over our corpus of free and paid pairs, there is no clear evidence that paying for an app will guarantee protection from extensive data collection. Specifically, 48% of the paid versions reused all of the same third-party libraries as their free versions, while 56% of the paid versions inherited all of the free versions’ Android permissions to access sensitive device resources (when considering free apps that include at least one third-party library and request at least one Android permission). Additionally, our dynamic analysis reveals that 38% of the paid apps exhibit all of the same data collection and transmission behaviors as their free counterparts. Our exploration of privacy policies reveals that only 45% of the pairs provide a privacy policy of some sort, and less than 1% of the pairs overall have policies that differ between free and paid versions.

Acknowledgment

This work was supported by the U.S. National Security Agency’s Science of Security program (contract H98230- 18-D-0006), the Department of Homeland Security (contract FA8750-18-2-0096), the National Science Foundation (grants CNS-1817248 and CNS-1564329), the European Union’s Horizon 2020 Innovation Action program (grant Agreement No. 786741, SMOOTH Project), the Rose Foundation, the Data Transparency Lab, and the Center for Long-Term Cybersecurity at U.C. Berkeley. The authors would like to thank Primal Wijesekera for feedback, as well as Refjohürs Lykkewe

URLhttp://eprints.networks.imdea.org/1969/1/Do_You_Get_What_You_Pay_For_2019_EN.pdf
ICSI Research Group

Usable Security and Privacy