posted on 2019-02-01, 00:00, authored by Francesco Marcantoni
The spread of smartphones over the last decade and the pervasiveness of the web in everyday life draw attention to the privacy and security of their users. While it is well known how browser-related data accessed during navigation can be used to harm the privacy of the user, this work aims to fill the knowledge gap concerning mobile-specific information retrieved by web pages when they are visited from a smartphone.
In particular, this study focuses on the Firefox browser for Android devices. To detect the number of websites that have access to mobile-specific information, we propose a crawler called FFAutomator, a Python script that exploits the possibility of remotely controlling an Android device from a computer to instrument the browser and scrape the information we need from websites. The script is able to open a new instance of the browser, load a website and simulate the user's interaction with it; it takes care of injecting touch events corresponding to gestures on the touchscreen. We designed this program to be robust and to run for a long time in order to analyze as many websites as possible. It was also developed to handle issues that can come up while simulating web navigation and that could compromise the results, such as an unwanted redirection from the current website to an external one.
Detection is done using a proxy server to intercept the HTTP traffic reaching the phone and to inject JavaScript code that logs whenever a method is called or a property is read by the website and by the frames it contains. To allow this code to run in the pages, it was necessary to turn off some policies enforced by the browser to prevent external JavaScript code from running in them.
We then process the logs obtained after crawling, with the script described above, the 200k most popular websites according to the Alexa ranking. Results are analyzed quantitatively, showing the number of websites that use APIs retrieving mobile-specific data and which of these APIs are the most used. We also study the source of the JavaScript files that contain those APIs, to count the websites that execute external files to gather data. Accordingly, we differentiate the calls originating from frames and external sources from those requested by the main page.
In this study we also propose a mitigation technique to protect those who browse the web from smartphones, without affecting the user experience. It consists of an extension that can be installed in the Firefox browser for Android, which detects all mobile-specific APIs accessing data from the smartphone and also allows users to choose whether or not to block this data retrieval. In addition, the user can create custom rules that apply only to some chosen domains, alongside the default settings that apply to all other pages. The technique used to detect APIs in the extension is the same as the one used for scraping websites: JavaScript code is injected from external sources loaded in the extension and, since the extension is considered a trusted source by the websites, there is no problem related to security policies.
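The detection hook that the proxy-injected script and the extension described above both rely on, written here as an added example rather than code from the thesis: a logger that wraps method calls and property reads on mobile-specific APIs and tags each access with the frame it came from. All names are assumptions (makeAccessLogger, instrument, demo are hypothetical), and FakeNavigator is a constructed stand-in for window.navigator so that the block runs under Node.

```javascript
function makeAccessLogger(frameLabel) {
  const log = [];
  // Wrap the named properties of `target` so every method call or property read
  // lands in `log`. Browser APIs mostly sit on prototypes, so walk the chain.
  function instrument(target, targetName, keys) {
    for (const key of keys) {
      let owner = target, desc = null;
      while (owner !== null && desc === null) {
        desc = Object.getOwnPropertyDescriptor(owner, key) || null;
        if (desc === null) owner = Object.getPrototypeOf(owner);
      }
      if (desc === null) continue; // API absent in this browser: nothing to hook
      const record = (kind) => log.push({ api: `${targetName}.${key}`, kind, frame: frameLabel });
      if (typeof desc.value === 'function') {
        const original = desc.value;
        Object.defineProperty(target, key, {
          configurable: true, writable: true,
          value: function (...args) { record('call'); return original.apply(this, args); },
        });
      } else {
        const read = desc.get || (() => desc.value);
        Object.defineProperty(target, key, {
          configurable: true,
          get() { record('read'); return read.call(this); },
        });
      }
    }
  }
  return { instrument, log };
}

// Constructed stand-in for a mobile browser's navigator (Node has no real one). In a
// page, instrument() would target window.navigator with label window === window.top ? 'main' : 'frame'.
class FakeNavigator {
  constructor() { this.geolocation = { getCurrentPosition(cb) { cb({ coords: { latitude: 0, longitude: 0 } }); } }; }
  get userAgent() { return 'Mozilla/5.0 (Android 8.0; Mobile; rv:65.0) Gecko/65.0 Firefox/65.0'; }
  vibrate(pattern) { return typeof pattern === 'number'; }
}

function demo() {
  const nav = new FakeNavigator();
  const logger = makeAccessLogger('main');
  logger.instrument(nav.geolocation, 'navigator.geolocation', ['getCurrentPosition']);
  logger.instrument(nav, 'navigator', ['userAgent', 'vibrate', 'geolocation']);
  void nav.userAgent;                            // property read
  nav.vibrate(200);                              // method call
  nav.geolocation.getCurrentPosition(() => {});  // read of geolocation, then a call
  return logger.log;
}
```

Each log entry carries the API name, whether it was a read or a call, and the frame label, which is the information the quantitative analysis above needs to separate main-page accesses from frame accesses.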