How This Works
AppCensus AppSearch analyzes free, publicly available Android apps and reports the private and personally identifying information that different apps access and share with other parties over the Internet. We collect our results using a technique called dynamic analysis. This means that we actually run each of the apps on real mobile phones in our testing laboratory. We install the app, grant the requested permissions, and proceed to use the app for a period of time. While we are using an app, we collect as much data as we can about what the app is doing on the phone and what data it sends over the Internet. We collect this data with a bespoke version of the Android operating system and network monitoring tools that together observe what personal data is being accessed by an app and with whom that app then shares it.
By exhaustively testing each app, our results reflect the actual behaviour of the apps when they are used. When we report that an app sent the phone's serial number to an advertising network, this is not something the app merely might do, but actual app behaviour that we observed in our laboratory. Even so, we may not detect all transmissions of private data: while we can be fairly certain of what we do find, it may be incomplete (i.e., it is possible that the app did not engage in certain behaviours during the testing period, but otherwise might if played for longer or under different circumstances).
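One way the matching step described above could look, as an added example that is not AppCensus's own code: it searches captured outbound payloads for a test phone's known identifiers in plain form and a few encoded forms. The identifiers, package names, hosts and the choice of encodings are constructed assumptions; the last flow shows why findings can be incomplete.

```python
import base64
import hashlib
from urllib.parse import quote

# Constructed identifiers of a hypothetical test phone (not real values).
DEVICE_IDS = {
    "serial_number": "R58M12ABCDE",
    "android_id": "9774d56d682e549c",
    "wifi_mac": "02:00:5e:10:00:01",
}

def encodings(value):
    """Map each byte form a value may take on the wire to a label."""
    raw = value.encode()
    forms = {raw: "plain"}
    forms.setdefault(quote(value, safe="").encode(), "urlencoded")
    forms.setdefault(base64.b64encode(raw), "base64")
    for algo in ("md5", "sha1", "sha256"):
        forms.setdefault(hashlib.new(algo, raw).hexdigest().encode(), algo)
    return forms

def find_leaks(flows, device_ids=DEVICE_IDS):
    """Return sorted (app, host, id_type, encoding) for identifiers seen in flows."""
    findings = set()
    for app, host, payload in flows:
        for id_type, value in device_ids.items():
            for needle, label in encodings(value).items():
                if needle in payload:
                    findings.add((app, host, id_type, label))
    return sorted(findings)

def _sha1(s):
    return hashlib.sha1(s.encode()).hexdigest().encode()

# Constructed capture: (app package, destination host, outbound payload bytes).
FLOWS = [
    ("com.example.game", "ads.example.net", b"serial=R58M12ABCDE&os=9"),
    ("com.example.game", "metrics.example.org",
     b'{"uid":"' + _sha1(DEVICE_IDS["android_id"]) + b'"}'),
    ("com.example.maps", "cdn.example.com", b"mac=02%3A00%3A5e%3A10%3A00%3A01"),
    ("com.example.notes", "api.example.com", b'{"note":"hello"}'),
    # XOR-obfuscated serial: sent, but not in any form this matcher knows.
    ("com.example.quiz", "t.example.io",
     bytes(b ^ 0x5A for b in DEVICE_IDS["serial_number"].encode())),
]

if __name__ == "__main__":
    for finding in find_leaks(FLOWS):
        print(finding)
```

Every reported tuple corresponds to bytes actually present in a captured flow, while the `com.example.quiz` flow produces no finding even though it carries the serial number in a transformed form.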
AppCensus, Inc. is the fusion of multiple research projects focused on mobile privacy and security. The following publications describe the technology behind AppCensus:
- Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, and Serge Egelman. "Won't Somebody Think of the Children" Privacy Analysis at Scale: A Case Study With COPPA. In Proceedings of the Privacy Enhancing Technologies Symposium (PETS'18), 2018. (App List)
- Irwin Reyes, Primal Wijesekera, Abbas Razaghpanah, Joel Reardon, Narseo Vallina-Rodriguez, Serge Egelman, and Christian Kreibich. "Is Our Children's Apps Learning?" Automatically Detecting COPPA Violations. The IEEE Security & Privacy Workshop on Consumer Protection (ConPro'17), 2017.
- Primal Wijesekera, Arjun Baokar, Lynn Tsai, Joel Reardon, Serge Egelman, David Wagner, and Konstantin Beznosov. The Feasibility of Dynamically Granted Permissions: Aligning Mobile Privacy with User Preferences. In Proceedings of the IEEE Symposium on Security and Privacy (Oakland'17), 2017.
- Abbas Razaghpanah, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Christian Kreibich, Phillipa Gill, Mark Allman, and Vern Paxson. Haystack: A Multi-Purpose Mobile Vantage Point in User Space. Technical Report, 2016.
- Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, David Wagner, and Konstantin Beznosov. Android Permissions Remystified: A Field Study on Contextual Integrity. In Proceedings of the 24th USENIX Security Symposium, 2015.
Our Team
AppCensus started as a collaboration between the following groups: