There are Many Apps for That: Quantifying the Availability of Privacy-Preserving Apps

Abstract

The adage "there's an app for that" holds true in modern app stores. Indeed, app stores usually go further and provide multiple apps with very similar functionality; examples range from flashlight apps to alarm clocks. We call these functionally-similar apps. When searching for these apps, users are often presented with a vast array of choices, but no distinction is made in the user interface to highlight the relative privacy risks inherent in choosing one app over another. Yet the availability of many functionally-similar apps raises the question of whether some apps are significantly less invasive than others. In this paper, we take several steps toward answering this question. We begin by enumerating 2 500 groups of functionally-similar apps in the Google Play Store. Within groups of apps, we use static analysis to understand the real-world risks coming from apps with aggressive permission usage. By leveraging an established ranking system, and combining it with real-world data from over 28 000 Android devices, we quantify the improvements that can be made if users installed apps with privacy in mind. We observe that at least 25.6% of apps contain libraries that gratuitously exploit available permissions and find that 43.5% of apps could be swapped for comparable alternatives that require fewer permissions. Permissions saved may deliver important privacy and security improvements, including preventing access to the calendar (in 24% of cases), sending text messages (12%) and recording audio (8%). This is particularly important for apps which embed third-party libraries, since library code executes with the same permissions as the app itself.