App vs. Website: Which Best Protects Your Privacy?

Ever wondered if you should download the free app or visit the website and which is better for protecting your privacy? That's the ques­tion that North­eastern researchers ask in a new study exploring how free app- and web- based ser­vices on Android and iOS mobile devices com­pare.

The team inves­ti­gated the degree to which each plat­form leaks per­son­ally iden­ti­fi­able information--ranging from birth­dates and loca­tions to passwords--to the adver­tisers and data ana­lytics com­pa­nies that the ser­vices rely on to help finance their operations.

The answer? "It depends," says Choffnes, a mobile sys­tems expert in the Col­lege of Com­puter and Infor­ma­tion Sci­ence. "We expected that apps would leak more iden­ti­fiers because apps have more direct access to that infor­ma­tion. And overall that's true. But we found that typ­i­cally apps leak just one more iden­ti­fier than a web­site for the same ser­vice. In fact, we found that in 40 per­cent of cases web­sites leak more types of infor­ma­tion than apps."

Those types of infor­ma­tion vary, based on the plat­form. For example, the researchers found that web­sites more fre­quently leak loca­tions and names, whereas only apps were found to leak a device's unique iden­ti­fying number.

The researchers will present their find­ings in a paper at the 2016 Internet Mea­sure­ment Con­fer­ence, in Santa Monica, Cal­i­fornia, in November.

The team's aim is to help users make informed deci­sions about how best to access online ser­vices. To that end, they have inte­grated their find­ings into an easy- to- use inter­ac­tive web­site that rates the degree of leak­i­ness of 50 free online ser­vices, from Airbnb to Zillow, based on each user's pri­vacy preferences.

Here's how it works: Users select from a drop- down list of 50 ser­vices and check off whether their oper­ating system is Android or iOS. Next they're asked to rate var­ious types of per­sonal infor­ma­tion, from their birth­dates to their devices' unique iden­ti­fiers, they care most about keeping pri­vate. Then, auto­mat­i­cally, the site gen­er­ates two "leak­i­ness indexes" for the ser­vice selected--a sky blue bar for the app ver­sion, a lime green one for the web--and rec­om­mends which plat­form is best for that par­tic­ular user.

"There's no one answer to which plat­form is best for all users," says Choffnes. "We wanted people to have the chance to do their own explo­ration and under­stand how their par­tic­ular pri­vacy pref­er­ences and pri­or­i­ties played into their inter­ac­tions online.

For the study, the researchers selected 50 of the most pop­ular free online ser­vices in a variety of cat­e­gories, including busi­ness, enter­tain­ment, music, news, shop­ping, travel, and weather. Each ser­vice had to offer the same func­tion­ality on both its web­site and app. To ensure that they were inter­acting with the ser­vices as everyday users would, the researchers con­ducted manual, rather than auto­mated, tests, per­son­ally log­ging in, entering requested user data into text fields, and nav­i­gating the environment.

Both apps and web­sites, they found, leaked loca­tions, names, gender, phone num­bers, and e- mail addresses to varying degrees. But there were sur­prises. "We didn't expect to find the diver­sity of infor­ma­tion col­lected across the dif­ferent plat­forms even for the same ser­vice," says Choffnes. More­over, four ser­vices sent encrypted pass­words to another party: the Grubhub app, unin­ten­tion­ally, due to a bug, which has been fixed; the Jet­Blue app, for authen­ti­ca­tion pur­poses; the Food Net­work app and web­site, for iden­tity man­age­ment; and the NCAA web­site, for iden­tity management.

"The rea­sons for the inten­tional leaks are legit­i­mate, and I'm sure that the ser­vices have appro­priate agree­ments with the other par­ties to pro­tect the pass­words," says Choffnes. "But the prac­tice still raises an impor­tant issue: Users have no idea that their pass­words are being sent to another party." Con­sider: Jet­Blue cus­tomers making an air­line reser­va­tion likely assume they are sub­mit­ting their pass­words to Jet­Blue for authen­ti­ca­tion, when in fact their cre­den­tials are being man­aged by a third party, Useablenet.

Choffnes hopes that the find­ings will start a dia­logue between con­sumers and online ser­vices about the kinds of infor­ma­tion that should be col­lected, bal­ancing the ser­vices' rev­enue needs with con­sumers' pri­vacy needs. "My goal is not just to tell people a scary story but to issue a call to action," he says. "Part of that action could be that users start requesting or even demanding the pri­vacy and trans­parency con­sid­er­a­tions they want from the com­pa­nies they interact with."

So which do you prefer? App or website? Share your thoughts in the comments section below.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Nurse Bling: No Tricks—All Treats

You know what we love (aside from the obvious, chocolate) about Halloween? The fact that it’s basically become a month-long event, which means you can...

7 Tips To Stay Calm During A Patient Emergency

It’s an hour from the end of your shift, and you’re at the nurse’s station filling out some paperwork. It’s boring – and you’re...

5 Braid, Pony And Bun Hairstyles For Busy Nurses

As a nurse, you’ve got plenty of things to worry about at work…and fussing with your hair shouldn’t have to be one of them!...