Numerous studies have demonstrated that browser fingerprinting is detrimental to users' security and privacy. However, little is known about the effects of browser fingerprinting on Android hybrid apps, where a stripped-down Chromium browser is integrated into an app. These apps expand the attack surface by employing two-way communication between native apps and the web. This paper studies the impact of browser fingerprinting on these embedded browsers. To this end, we instrument the Android framework to record and extract information leveraged for fingerprinting. We study over 20,000 apps, including the most popular apps from the Google Play Store. We exemplify security flaws and severe information leaks in popular apps like Instagram. Our study reveals that fingerprints in hybrid apps potentially contain account-specific and device-specific information that uniquely identifies users across multiple devices. In addition, our results show that the hybrid app browser does not always adhere to standard browser-specific privacy policies.