Guardado en:
Detalles Bibliográficos
Autores principales: Specter, Michael A., Christodorescu, Mihai, Farr, Abbie, Ma, Bo, Lassonde, Robin, Xu, Xiaoyang, Pan, Xiang, Wei, Fengguo, Anand, Saswat, Kleidermacher, Dave
Formato: Preprint
Publicado: 2025
Materias:
Acceso en línea:https://arxiv.org/abs/2506.22639
Etiquetas: Agregar Etiqueta
Sin Etiquetas, Sea el primero en etiquetar este registro!
_version_ 1866916814465794048
author Specter, Michael A.
Christodorescu, Mihai
Farr, Abbie
Ma, Bo
Lassonde, Robin
Xu, Xiaoyang
Pan, Xiang
Wei, Fengguo
Anand, Saswat
Kleidermacher, Dave
author_facet Specter, Michael A.
Christodorescu, Mihai
Farr, Abbie
Ma, Bo
Lassonde, Robin
Xu, Xiaoyang
Pan, Xiang
Wei, Fengguo
Anand, Saswat
Kleidermacher, Dave
contents This paper presents a large-scale analysis of fingerprinting-like behavior in the mobile application ecosystem. We take a market-based approach, focusing on third-party tracking as enabled by applications' common use of third-party SDKs. Our dataset consists of over 228,000 SDKs from popular Maven repositories, 178,000 Android applications collected from the Google Play store, and our static analysis pipeline detects exfiltration of over 500 individual signals. To the best of our knowledge, this represents the largest-scale analysis of SDK behavior undertaken to date. We find that Ads SDKs (the ostensible focus of industry efforts such as Apple's App Tracking Transparency and Google's Privacy Sandbox) appear to be the source of only 30.56% of the fingerprinting behaviors. A surprising 23.92% originate from SDKs whose purpose was unknown or unclear. Furthermore, Security and Authentication SDKs are linked to only 11.7% of likely fingerprinting instances. These results suggest that addressing fingerprinting solely in specific market-segment contexts like advertising may offer incomplete benefit. Enforcing anti-fingerprinting policies is also complex, as we observe a sparse distribution of signals and APIs used by likely fingerprinting SDKs. For instance, only 2% of exfiltrated APIs are used by more than 75% of SDKs, making it difficult to rely on user permissions to control fingerprinting behavior.
format Preprint
id arxiv_https___arxiv_org_abs_2506_22639
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Fingerprinting SDKs for Mobile Apps and Where to Find Them: Understanding the Market for Device Fingerprinting
Specter, Michael A.
Christodorescu, Mihai
Farr, Abbie
Ma, Bo
Lassonde, Robin
Xu, Xiaoyang
Pan, Xiang
Wei, Fengguo
Anand, Saswat
Kleidermacher, Dave
Cryptography and Security
This paper presents a large-scale analysis of fingerprinting-like behavior in the mobile application ecosystem. We take a market-based approach, focusing on third-party tracking as enabled by applications' common use of third-party SDKs. Our dataset consists of over 228,000 SDKs from popular Maven repositories, 178,000 Android applications collected from the Google Play store, and our static analysis pipeline detects exfiltration of over 500 individual signals. To the best of our knowledge, this represents the largest-scale analysis of SDK behavior undertaken to date. We find that Ads SDKs (the ostensible focus of industry efforts such as Apple's App Tracking Transparency and Google's Privacy Sandbox) appear to be the source of only 30.56% of the fingerprinting behaviors. A surprising 23.92% originate from SDKs whose purpose was unknown or unclear. Furthermore, Security and Authentication SDKs are linked to only 11.7% of likely fingerprinting instances. These results suggest that addressing fingerprinting solely in specific market-segment contexts like advertising may offer incomplete benefit. Enforcing anti-fingerprinting policies is also complex, as we observe a sparse distribution of signals and APIs used by likely fingerprinting SDKs. For instance, only 2% of exfiltrated APIs are used by more than 75% of SDKs, making it difficult to rely on user permissions to control fingerprinting behavior.
title Fingerprinting SDKs for Mobile Apps and Where to Find Them: Understanding the Market for Device Fingerprinting
topic Cryptography and Security
url https://arxiv.org/abs/2506.22639