• Login
    View Item 
    •   Shocker Open Access Repository Home
    • Office of Research
    • NIAR: National Institute for Aviation Research
    • NIAR Research Publications
    • View Item
    •   Shocker Open Access Repository Home
    • Office of Research
    • NIAR: National Institute for Aviation Research
    • NIAR Research Publications
    • View Item
    JavaScript is disabled for your browser. Some features of this site may not work without it.

    Scraping sticky leftovers: App user information left on servers after account deletion

    Date
    2022-07-27
    Author
    Santhanam, Preethi
    Dang, Hoang
    Shan, Zhiyong
    Metadata
    Show full item record
    Citation
    P. Santhanam, H. Dang, Z. Shan and I. Neamtiu, "Scraping Sticky Leftovers: App User Information Left on Servers After Account Deletion," 2022 IEEE Symposium on Security and Privacy (SP), 2022, pp. 2145-2160, doi: 10.1109/SP46214.2022.9833720.
    Abstract
    Sixty-five percent of mobile apps require user accounts for offering full-fledged functionality. Account information includes private data, e.g., address, phone number, credit card. Our concern is "leftover" account data kept on the server after account deletion, which can be a significant privacy violation. Specifically, we analyzed 1,435 popular apps from Google Play (and 771 associated websites), of which 678 have their own sign-up process, to answer questions such as: Can accounts be deleted at all? Following account deletion, will user data remain on the app's servers? If so, for how long? Do apps keep their promise to remove data? Answering these questions, and more generally, understanding and tackling the leftover account problem, is challenging. A fundamental obstacle is that leftover data is manipulated and retained in a private space, on the app's backend servers; we devised a novel, reverse-engineering approach to infer leftover data from app-server communication. Another obstacle is the distributed nature of this data: program analysis as well as information retrieval are required on both the app and its website. We have developed an end-to-end solution (static analysis, dynamic analysis, natural language processing) to the leftover account problem. First, our toolchain checks whether an app, or its website, support account deletion; next, it checks whether the app/website have a data retention policy, and whether the account is left on servers after deletion, or after the specified retention period; finally, it automatically cleans up leftover accounts. We found that 64.45% of apps do not offer any means for users to delete accounts; 2.5% of apps still keep account data on app servers even after accounts are deleted by users. Only 5%; of apps specify a retention period; some of these apps violate their own policy by still retaining data months after the period has ended. Experiments show that our approach is effective, with an F-measure 88%, and efficient, with a typical analysis time of 279 seconds per app/website.
    Description
    Click on the DOI link to view this conference paper (may not be free).
    URI
    https://doi.org/10.1109/SP46214.2022.9833720
    https://soar.wichita.edu/handle/10057/23771
    Collections
    • NIAR Research Publications

    Browse

    All of Shocker Open Access RepositoryCommunities & CollectionsBy Issue DateAuthorsTitlesSubjectsBy TypeThis CollectionBy Issue DateAuthorsTitlesSubjectsBy Type

    My Account

    LoginRegister

    Statistics

    Most Popular ItemsStatistics by CountryMost Popular Authors

    DSpace software copyright © 2002-2023  DuraSpace
    DSpace Express is a service operated by 
    Atmire NV