Detecting privacy leaks in the RATP App: how we proceeded and what we found

Abstract

We analyzed the RATP App, both Android and iOS versions, using our instrumented versions of these mobile OSs. Our analysis reveals that both versions of this App leak private data to third-party servers, which is in total contradiction to the In-App privacy policy. The iOS version of this App doesn’t even respect Apple guidelines on cross-App user tracking for advertising purposes and employs various other cross-App tracking mechanisms that are not supposed to be used by Apps. Even if this work is illustrated with a single App, we describe an approach that is generic and can be used to detect privacy leaks from other Apps. In addition, our findings are representative of a trend in Advertising and Analytics (A&A) libraries that try to collect as much information as possible regarding the smartphone and its user to have a better profile of the user’s interests and behaviors. In fact, in case of iOS, these libraries even generate their own persistent identifiers and share it with other Apps through covert channels to better track the user, and this happens even if the user has opted-out of device tracking for advertising purposes. Above all, this happens without the user knowledge, and sometimes even without the App developer’s knowledge who might have naively included these libraries during the App development. Therefore this article raises many questions concerning both the bad practices employed in the world of smartphones and the limitations of the privacy control features proposed by Android/iOS Mobile OSs.