Our fingerprints don't fade from the Apps we touch: Fingerprinting the Android WebView

Numerous studies demonstrated that browser fingerprinting is detrimental to users' security and privacy. However, little is known about the effects of browser fingerprinting on Android hybrid apps -- where a stripped-down Chromium browser is integrated into an app. These apps expand the attack surface by employing two-way communication between native apps and the web. This paper studies the impact of browser fingerprinting on these embedded browsers. To this end, we instrument the Android framework to record and extract information leveraged for fingerprinting. We study over 20,000 apps, including the most popular apps from the Google play store. We exemplify security flaws and severe information leaks in popular apps like Instagram. Our study reveals that fingerprints in hybrid apps potentially contain account-specific and device-specific information that identifies users across multiple devices uniquely. Besides, our results show that the hybrid app browser does not always adhere to standard browser-specific privacy policies.