AppInspect: Large-scale Evaluation of Social Networking Apps
ACM COSN, Boston, 10/08/2013
Markus Huber, Martin Mulazzani, Sebastian Schrittwieser, Edgar Weippl
mhuber[AT]sba-research[DOT]org
Main Contributions
• AppInspect: privacy and security analysis of OSN apps
• Prototype for Facebook's application ecosystem
• Detected information leaks and shortcomings in popular apps
• Cooperated with Facebook to fix apps and protect users
• AppInspect datasets available to the research community
Section 2: Background
OSN apps
• Apps used by hundreds of millions of social networking users
• Games, horoscopes, quizzes, etc.
• Access sensitive personal information (date of birth, email address, personal messages, etc.)
• Access to information of the application user's friends
Modus operandi of OSN apps
• OSNs act as proxies between user and app developer
• Personal information is transferred to developers
• App developers themselves rely on third parties (analytics, advertising products)
• Custom hosting infrastructures
• Approval of apps with authentication dialog
Facebook's application authorization dialog
(a) Unified Auth Dialog, April 2010
(b) Enhanced Auth Dialog, January 2012
(c) App Center Auth Dialog, May 2012
Section 3: AppInspect Framework
AppInspect Framework
[Figure: AppInspect, a framework for automated security and privacy analysis of social network ecosystems. Against a target OSN and its app directory, the Search Module (1) searches apps by fetching the directory and searching exhaustively, producing an app list; the Classifier Module (2) collects app details; the Analysis Module (3) analyses network traffic of the third-party applications and (4) fingerprints the provider, producing app samples.]
(1) Search Module
• Enumerate applications for target social network
• Simple scrapers
  - Google+: single HTML page with few applications
  - LinkedIn: easy to enumerate via applicationId
• Facebook
  - Majority of apps not in directories
  - Numeric identifier brute force not feasible (10^14)
  - Exhaustive search: character n-grams, keywords, etc.

LinkedIn example:
GET /opensocialInstallation/preview?_applicationId=1000
Host: https://www.linkedin.com
(2) Classifier Module
• Application properties: rating, popularity, permissions, type
  - Web scraping
  - Redirection behavior
• Language
  - Detect and translate non-English applications

Redirect example:
GET /apps/application.php?id=194699337231859
Host: www.facebook.com
⇒ Redirects to http://yahoo.com
(3) Analysis Module
• Traffic collection
  - Applications are installed on test accounts
  - HTTP(S) proxy collects network traffic
• Web tracker identification
  - Detection of analytics and advertising products
• Information leaks
  - Leakage of personal data and auth tokens to third parties
• Hosting infrastructure fingerprint
  - Fingerprint the underlying hosting infrastructure
  - Search vulnerability databases for detected services
Section 4: Evaluation
Prototype
• Analysis of Facebook's application ecosystem
• Non-intrusive security audits
• AppInspect prototype
  - Python with mechanize; Mozilla Firefox + Adobe Flash
  - Fast crawling and realistic network samples
• Traffic analysis
  - HTTP(S) interception proxy
  - XML parser for network samples
• Web tracker identification
  - Based on Ghostery DB
• Hosting infrastructure fingerprint
  - Standard Unix tools (dig, nmap)
  - Exploit-DB, Metasploit DB
Enumerated Apps
• Exhaustive search with character trigrams
• 434,687 unique applications in two weeks
• Validation against Socialbakers' Facebook applications
[Figure: Enumerated application sample. X axis: Monthly Active Users (MAU), log scale from 1 to 1e+06; left Y axis: application usage, 0 to 6·10^7; right Y axis: percent of cumulative MAU, 0 to 100. Series: application usage, cumulative application usage.]
Application Sample
• 10,624 most popular apps: 94.07% of cumulative usage
• In-depth analysis on 4,747 apps which transfer user data

Application Type        Applications   % of Total
Authentication Dialog          4,747        44.68
Canvas                         2,365        22.26
Connect                        2,260        21.27
Defect                           865         8.14
Page Add-ons                     280         2.64
Mobile                           107         1.01
Total                         10,624       100.00
Table: Classification of subsample with popular applications
Section 5: Results
Requested Permissions (n=4747)

                           App Category
Permission                 game    app   % of Total
Publish posts to stream    1617    819        51.32
Personal email address     1055   1132        46.07
Publish action              435    857        27.22
Access user's birthday      582    428        21.28
Access user's photos        721     99        17.27
Access data offline         517    120        13.42
Access user likes           438    153        12.45
Access user location        350    143        10.39
Read stream                 409     80        10.30
Access friends' photos      319     17         7.08
Table: Most common requested permissions by third-party applications
Permissions per Provider
• 4,747 applications belonged to 1,646 distinct providers
• 60.24% of all providers requested personal email address
[Figure: Number of permissions requested (Y axis, 0 to 50) per provider (X axis, providers 0 to 1600); mean = 2.91246.]
Developers with ≥ 10 Permission Requests
• 40 providers requested more than 10 permissions
• Manually verified requested permissions vs. app functionality
• Legitimate uses
  - Dating and job hunting applications
  - XBOX application (not available anymore)
• Excessive permission requests
  - Horoscopo Diario: 25 million monthly users
  - Would require date of birth; requests 25 different permissions
  - Request permissions but do not use them
  - Users do not seem to verify requested permissions
Internet Hosting Services
• 55% of applications hosted in the US
• 64 different countries in total

Provider       Location                          % of Total
Amazon EC2     US (755), IE (82), SG (52)             18.72
SoftLayer      US (505)                               10.65
Peak Hosting   US (244)                                5.14
Rackspace      US (147), GB (11), HK (4)               3.41
GoDaddy        SG (51), US (29), NL (6)                1.82
Linode         US (72), GB (6), JP (2)                 1.69
OVH            FR (42), PL (7), ES (2)                 1.04
Hetzner        DE (47)                                 0.99
Internap       US (35)                                 0.73
Discovered Web Services
• 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%)
• 2 hosts: source code disclosure vulnerability (CVE-2010-2263)
• 8 hosts: ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221)
• Host with 12 million monthly users and sensitive information

TCP Port   Service   Hosts   % of Total
22         ssh         662        40.22
21         ftp         640        38.88
25         smtp        572        34.75
110        pop3        439        26.67
143        imap        417        25.33
Table: Most common additional services on application hosts
Tracking and Advertisement Products

Web bug            Type          Apps   % of Total
Google Analytics   analytics     3378        71.16
DoubleClick        advertising    529        11.14
Google Adsense     advertising    361         7.61
AdMeld             advertising    276         5.81
Cubics             advertising    153         3.22
LifeStreet Media   advertising     94         1.98
Google AdWords     advertising     91         1.92
OpenX              advertising     82         1.73
Quantcast          analytics       49         1.03
ScoreCard Beacon   analytics       48         1.01
Table: Common web trackers included in third-party applications
Information Leaks
• 315 apps directly transferred personally identifiable information (via HTTP parameter)

uuid, birthdate, gender:
GET /social/analytic-web-rest/rest/action/161000000000000/wpc/landing?birthday=5%2F22%2F2013&gender=male
Host: (removed from online version)

uuid, tracking:
GET /delivery/brandConnect.php?callback=siteUserId=1000000000000&siteId=1111&popup=0
Host: (removed from online version)
Information leaks II
• 51 applications leaked unique user identifiers (HTTP Referer)
• 14 out of 51 applications also leaked oAuth tokens

Example leak, app with 47 million MAU:
GET /fnf/flash.php?hbref=&u=&page=-1&frli=&oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000&issec=0&locale=en_US
Host: (removed from online version)
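The two leak classes on these two slides (personal data sent as HTTP parameters to a third party, and user identifiers or OAuth tokens carried to a third party in the Referer header) as a small detector run over captured requests. This is an added example, not AppInspect's own code; the hostnames, parameter list and request captures are constructed placeholders modelled on the slides' redacted examples.

```python
"""Leak detector for captured third-party app HTTP traffic.

Added example; not AppInspect's own code. It checks the two leak classes
described on the slides: personal data or tokens sent as HTTP parameters to a
third-party host, and user identifiers or OAuth tokens carried to a third
party in the HTTP Referer header. Request samples below are constructed, with
placeholder hostnames and the slides' redacted example values.
"""
from urllib.parse import parse_qsl, urlsplit

# Parameter names treated as personal data or secrets. Constructed from the
# leak examples on the slides (uuid/fbid, birthday, gender, oauth_token).
PII_PARAMS = {"uuid", "fbid", "siteuserid", "userid", "uid",
              "birthday", "birthdate", "gender", "email"}
TOKEN_PARAMS = {"oauth_token", "access_token"}
# Hosts that may legitimately see the data (the OSN itself); an assumption.
FIRST_PARTY = {"facebook.com", "fbcdn.net"}
MIN_ID_DIGITS = 12  # Facebook-style numeric user ids are long integers


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); enough for sample data."""
    labels = host.lower().split(":")[0].split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def is_third_party(host: str, app_host: str) -> bool:
    """True when host belongs neither to the app nor to the OSN."""
    domain = registrable(host)
    return domain != registrable(app_host) and domain not in FIRST_PARTY


def sensitive_params(url: str) -> dict:
    """Return {name: value} for query parameters and path segments that look
    like personal data, user ids or tokens."""
    parts = urlsplit(url)
    found = {}
    for key, value in parse_qsl(parts.query, keep_blank_values=False):
        name = key.lower()
        if name in PII_PARAMS or name in TOKEN_PARAMS:
            found[name] = value
        elif name.endswith("id") and value.isdigit() and len(value) >= MIN_ID_DIGITS:
            found[name] = value  # unlisted but id-like numeric parameter
    for segment in parts.path.split("/"):
        if segment.isdigit() and len(segment) >= MIN_ID_DIGITS:
            found["path_id"] = segment  # user id embedded in the path
    return found


def analyse_request(req: dict, app_host: str) -> list:
    """Classify one captured request into (kind, host, parameter) findings."""
    findings = []
    host = req["host"]
    if not is_third_party(host, app_host):
        return findings  # data going to the app itself or the OSN is expected
    for name in sensitive_params("http://" + host + req["path"]):
        kind = "token_leak" if name in TOKEN_PARAMS else "pii_leak"
        findings.append((kind, host, name))
    referer = req.get("headers", {}).get("Referer")
    if referer:
        for name in sensitive_params(referer):
            kind = "referer_token_leak" if name in TOKEN_PARAMS else "referer_id_leak"
            findings.append((kind, host, name))
    return findings


APP_HOST = "app.example-canvas.test"  # placeholder for the app's own host
SAMPLE_REQUESTS = [  # constructed captures modelled on the slides' examples
    {"host": "analytics.example-tracker.test",
     "path": "/social/analytic-web-rest/rest/action/161000000000000/wpc/landing"
             "?birthday=5%2F22%2F2013&gender=male", "headers": {}},
    {"host": "ads.example-adnet.test",
     "path": "/delivery/brandConnect.php?callback=cb&siteUserId=1000000000000"
             "&siteId=1111&popup=0", "headers": {}},
    {"host": "cdn.example-adnet.test", "path": "/pixel.gif",
     "headers": {"Referer": "http://app.example-canvas.test/fnf/flash.php"
                            "?oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000"
                            "&issec=0&locale=en_US"}},
    {"host": "app.example-canvas.test", "path": "/flash.php?fbid=1000000000000",
     "headers": {}},
    {"host": "www.facebook.com", "path": "/dialog/oauth?client_id=1234",
     "headers": {}},
]


def run(requests=SAMPLE_REQUESTS, app_host=APP_HOST) -> dict:
    """Aggregate findings by kind: {kind: {(host, parameter), ...}}."""
    report = {}
    for req in requests:
        for kind, host, name in analyse_request(req, app_host):
            report.setdefault(kind, set()).add((host, name))
    return report


if __name__ == "__main__":
    for kind, hits in sorted(run().items()):
        print(kind, sorted(hits))
```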
Section 6: Discussion and Conclusion
Discussion
• Reported our findings to Facebook in November 2012
  - Facebook responded quickly
  - Facebook acknowledged problems and contacted developers
  - Application issues fixed in May 2013
• Security and privacy implications
  - Since January 2010: unproxied access to email address
  - 60% of application providers request email address
  - Social phishing, context-aware spam
  - Users trackable with real name
• Hosting
  - Number of hosts possibly vulnerable
  - FTP/SSH brute force
Limitations
• Limitation to Facebook canvas applications
  - AppInspect adaptation to other OSNs
  - Mobile applications and websites
• Detection of excessive permission requests
  - App functionality vs. requested permissions
  - Requires manual reviews
• Detection of information leaks
  - Obfuscated personal information
  - Hidden back-ends for data transfer
  - Offline passing on of data
Conclusion
• Automated social app analysis is feasible
• Helped to fix shortcomings in popular applications
• Framework and dataset
  - Plan: release open-source version of code
  - Datasets for social app research
http://ai.sba-research.org
Main Contributions
bull AppInspect privacy and security analysis of OSN apps
bull Prototype for Facebookrsquos application ecosystem
bull Detected informationleaks shortcomings in popular apps
bull Cooperated with Facebook to fix apps and protect users
bull AppInspect datasets available to the research community
228
Section 2
Background
328
OSN apps
bull Apps used by hundreds of millions of social networking users
bull Games horoscopes quizzes etc
bull Access sensitive personal information(date of birth email address personal messages etc)
bull Access to information of application userrsquos friends
428
Modus operandi of OSN apps
bull OSNs act as proxies between user and app developer
bull Personal information is transferred to developers
bull App developers themselves rely on third-parties(analytics advertising products)
bull Custom hosting infrastructures
bull Approval of apps with authentication dialog
528
Facebookrsquos application authorization dialog
(a) Unified AuthDialog April 2010
(b) Enhanced AuthDialog January 2012
(c) App Center Auth Dialog May 2012
628
Section 3
AppInspect Framework
728
AppInspect Framework
Search Module
ClassifierModule
Analysis Module
Online Social Network (OSN)Start Analysis
App list App samples
TargetOSN
(1) Search Apps
App Directory
Fetchdirectory
Searchexhaustively
(3) Analyse networktraffic (4) Fingerprint
provider(2) Collect app details
Third-Party Applications
Figure AppInspect a framework for automated security and privacyanalysis of social network ecosystems
828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Section 2
Background
328
OSN apps
bull Apps used by hundreds of millions of social networking users
bull Games horoscopes quizzes etc
bull Access sensitive personal information(date of birth email address personal messages etc)
bull Access to information of application userrsquos friends
428
Modus operandi of OSN apps
bull OSNs act as proxies between user and app developer
bull Personal information is transferred to developers
bull App developers themselves rely on third-parties(analytics advertising products)
bull Custom hosting infrastructures
bull Approval of apps with authentication dialog
528
Facebookrsquos application authorization dialog
(a) Unified AuthDialog April 2010
(b) Enhanced AuthDialog January 2012
(c) App Center Auth Dialog May 2012
628
Section 3
AppInspect Framework
728
AppInspect Framework
Search Module
ClassifierModule
Analysis Module
Online Social Network (OSN)Start Analysis
App list App samples
TargetOSN
(1) Search Apps
App Directory
Fetchdirectory
Searchexhaustively
(3) Analyse networktraffic (4) Fingerprint
provider(2) Collect app details
Third-Party Applications
Figure AppInspect a framework for automated security and privacyanalysis of social network ecosystems
828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
OSN apps
bull Apps used by hundreds of millions of social networking users
bull Games horoscopes quizzes etc
bull Access sensitive personal information(date of birth email address personal messages etc)
bull Access to information of application userrsquos friends
428
Modus operandi of OSN apps
bull OSNs act as proxies between user and app developer
bull Personal information is transferred to developers
bull App developers themselves rely on third-parties(analytics advertising products)
bull Custom hosting infrastructures
bull Approval of apps with authentication dialog
528
Facebookrsquos application authorization dialog
(a) Unified AuthDialog April 2010
(b) Enhanced AuthDialog January 2012
(c) App Center Auth Dialog May 2012
628
Section 3
AppInspect Framework
728
AppInspect Framework
Search Module
ClassifierModule
Analysis Module
Online Social Network (OSN)Start Analysis
App list App samples
TargetOSN
(1) Search Apps
App Directory
Fetchdirectory
Searchexhaustively
(3) Analyse networktraffic (4) Fingerprint
provider(2) Collect app details
Third-Party Applications
Figure AppInspect a framework for automated security and privacyanalysis of social network ecosystems
828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information Leaks II
• 51 applications leaked unique user identifiers (HTTP Referer)
• 14 out of 51 applications also leaked OAuth tokens

Example leak, app with 47 million MAU:
GET /fnfflash.php?hbref=&u=&page=-1&frli=&oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000&issec=0&locale=en_US
Host: [removed from online version]
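The two leak classes shown on these slides (PII passed as HTTP parameters to a third party, and user identifiers or OAuth tokens carried to trackers in the Referer header) together with the Analysis Module's tracker identification, as an added example that is not the AppInspect prototype's code. It uses only the Python standard library; the tracker list, the parameter-name lists, the app host and the captured requests are constructed assumptions, not data from the AppInspect dataset.

```python
"""Added example (not AppInspect's own code): scan captured HTTP requests for
the leak patterns shown on the slides and for known web trackers.

Assumptions: request samples are plain dicts (url, headers) as an
interception proxy might emit them; the tracker DB, parameter lists, hosts
and values below are constructed for this example.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed stand-in for the Ghostery-style tracker DB used by the prototype.
TRACKER_DB = {
    "google-analytics.com": ("Google Analytics", "analytics"),
    "doubleclick.net": ("DoubleClick", "advertising"),
    "quantserve.com": ("Quantcast", "analytics"),
}

# Parameter names that carry PII, identifiers or secrets (the slides show
# birthday, gender, siteUserId, fbid and oauth_token); extend for a real audit.
PII_PARAMS = {"birthday", "birthdate", "gender", "email"}
ID_PARAMS = {"siteuserid", "uuid", "fbid", "uid", "user_id"}
SECRET_PARAMS = {"oauth_token", "access_token", "fb_sig_session_key"}


def _host_matches(host, pattern):
    return host == pattern or host.endswith("." + pattern)


def lookup_tracker(host):
    """Return (name, type) if the host belongs to a known tracker, else None."""
    for pattern, info in TRACKER_DB.items():
        if _host_matches(host, pattern):
            return info
    return None


def _classify_params(query):
    """Map leak categories to the parameter names found in a query string."""
    found = {"pii": [], "identifier": [], "secret": []}
    for name, values in parse_qs(query, keep_blank_values=True).items():
        key = name.lower()
        if not any(values):        # an empty slot such as "u=" leaks nothing
            continue
        if key in PII_PARAMS:
            found["pii"].append(name)
        elif key in ID_PARAMS:
            found["identifier"].append(name)
        elif key in SECRET_PARAMS:
            found["secret"].append(name)
    return {k: v for k, v in found.items() if v}


def analyse_request(request, app_host):
    """Classify one captured request relative to the app's own host.

    Returns the destination host, whether it is third party, the tracker
    match (if any), the categories leaked via the query string and the
    categories leaked via the Referer header.
    """
    url = urlsplit(request["url"])
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    host = url.hostname or ""
    third_party = not _host_matches(host, app_host)
    finding = {
        "host": host,
        "third_party": third_party,
        "tracker": lookup_tracker(host),
        "query_leak": _classify_params(url.query) if third_party else {},
        "referer_leak": {},
    }
    # A Referer that still carries the app's token or user id hands it to
    # every third party the page loads (the slide-24 case).
    referer = headers.get("referer")
    if referer and third_party:
        finding["referer_leak"] = _classify_params(urlsplit(referer).query)
    return finding


def summarise(requests, app_host):
    """Count trackers and leaking requests the way the slides report them."""
    findings = [analyse_request(r, app_host) for r in requests]
    trackers = sorted({f["tracker"][0] for f in findings if f["tracker"]})
    direct = [f for f in findings if f["query_leak"]]
    via_referer = [f for f in findings if f["referer_leak"]]
    tokens = [f for f in via_referer if "secret" in f["referer_leak"]]
    return {"trackers": trackers, "direct_leaks": len(direct),
            "referer_leaks": len(via_referer), "token_leaks": len(tokens)}


# Constructed traffic sample modelled on the slide examples; hosts and values
# are placeholders, not real captures.
SAMPLE_REQUESTS = [
    {"url": "https://app.example-canvas.test/canvas/?fb_sig_user=1000000000000"},
    {"url": "http://analytics.example-partner.test/rest/action/1610/wpc/landing"
            "?birthday=5%2F22%2F2013&gender=male"},
    {"url": "http://ads.example-network.test/delivery/brandConnect.php"
            "?callback=x&siteUserId=1000000000000&siteId=1111&popup=0"},
    {"url": "http://www.google-analytics.com/__utm.gif?utmac=UA-0000-1",
     "headers": {"Referer": "http://app.example-canvas.test/fnfflash.php"
                            "?oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000"}},
    {"url": "http://ad.doubleclick.net/adj/x",
     "headers": {"Referer": "http://app.example-canvas.test/?page=-1&u="}},
]

if __name__ == "__main__":
    print(summarise(SAMPLE_REQUESTS, "app.example-canvas.test"))
```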
Section 6: Discussion and Conclusion
Discussion
• Reported our findings to Facebook in November 2012
  ▶ Facebook responded quickly
  ▶ Facebook acknowledged the problems and contacted developers
  ▶ Application issues fixed in May 2013
• Security and privacy implications
  ▶ Since January 2010: unproxied access to email address
  ▶ 60% of application providers request the email address
  ▶ Social phishing, context-aware spam
  ▶ Users trackable with real name
• Hosting
  ▶ A number of hosts possibly vulnerable
  ▶ FTP/SSH brute force
Limitations
• Limited to Facebook canvas applications
  ▶ AppInspect adaptation to other OSNs
  ▶ Mobile applications and websites
• Detection of excessive permission requests
  ▶ App functionality vs. requested permissions
  ▶ Requires manual reviews
• Detection of information leaks
  ▶ Obfuscated personal information
  ▶ Hidden back-ends for data transfer
  ▶ Offline passing on of data
Conclusion
• Automated social app analysis is feasible
• Helped to fix shortcomings in popular applications
• Framework and dataset
  ▶ Plan: release open-source version of the code
  ▶ Datasets for social app research
http://ai.sba-research.org
(1) Search Module
• Enumerate applications for target social network
• Simple scrapers
  ▶ Google+: single HTML page with few applications
  ▶ LinkedIn: easy to enumerate via applicationId
• Facebook
  ▶ Majority of apps not in directories
  ▶ Numeric identifier brute force not feasible (10^14)
  ▶ Exhaustive search: character n-grams, keywords, etc.

LinkedIn example:
GET /opensocialInstallation/preview?_applicationId=1000
Host: https://www.linkedin.com
(2) Classifier Module
• Application properties: rating, popularity, permissions, type
  ▶ Web scraping
  ▶ Redirection behavior
• Language
  ▶ Detect and translate non-English applications

Redirect example:
GET /apps/application.php?id=194699337231859
Host: www.facebook.com
⇒ Redirects to http://yahoo.com
(3) Analysis Module
• Traffic collection
  ▶ Applications are installed on test accounts
  ▶ HTTP(S) proxy collects network traffic
• Web tracker identification
  ▶ Detection of analytics and advertising products
• Information leaks
  ▶ Leakage of personal data and auth tokens to third parties
• Hosting infrastructure fingerprint
  ▶ Fingerprint the underlying hosting infrastructure
  ▶ Search vulnerability databases for detected services
Section 4: Evaluation
Prototype
• Analysis of Facebook's application ecosystem
• Non-intrusive security audits
• AppInspect prototype
  ▶ Python with mechanize; Mozilla Firefox + Adobe Flash
  ▶ Fast crawling and realistic network samples
• Traffic analysis
  ▶ HTTP(S) interception proxy
  ▶ XML parser for network samples
• Web tracker identification
  ▶ Based on Ghostery DB
• Hosting infrastructure fingerprint
  ▶ Standard Unix tools (dig, nmap)
  ▶ Exploit-DB, Metasploit DB
Enumerated Apps
• Exhaustive search with character trigrams
• 434,687 unique applications in two weeks
• Validation against Socialbakers' Facebook applications

[Figure: Enumerated application sample. x-axis: application rank, 1 to 1e+06 (log scale); left y-axis: Monthly Active Users (MAU), 0 to 6·10^7; right y-axis: percent of cumulative MAU, 0 to 100. Series: application usage, cumulative application usage.]
Application Sample
• 10,624 most popular apps: 94.07% of cumulative usage
• In-depth analysis on 4,747 apps which transfer user data

Application Type        Applications   Total
Authentication Dialog           4747   44.68%
Canvas                          2365   22.26%
Connect                         2260   21.27%
Defect                           865    8.14%
Page Add-ons                     280    2.64%
Mobile                           107    1.01%
Total                          10624  100.00%
Table: Classification of subsample with popular applications
Section 5: Results
Requested Permissions (n=4747)

                           App Category
Permission                 game    app   Total
Publish posts to stream    1617    819   51.32%
Personal email address     1055   1132   46.07%
Publish action              435    857   27.22%
Access user's birthday      582    428   21.28%
Access user's photos        721     99   17.27%
Access data offline         517    120   13.42%
Access user likes           438    153   12.45%
Access user location        350    143   10.39%
Read stream                 409     80   10.30%
Access friends' photos      319     17    7.08%
Table: Most common requested permissions by third-party applications
Permissions per Provider
• 4,747 applications belonged to 1,646 distinct providers
• 60.24% of all providers requested the personal email address

[Figure: Number of permissions requested per provider (y-axis, 0 to 50) across the 1,646 providers (x-axis, 0 to 1600); Mean = 2.91246.]
Developers with ≥ 10 Permission Requests
• 40 providers requested more than 10 permissions
• Manually verified requested permissions vs. app functionality
• Legitimate uses
  ▶ Dating and job hunting applications
  ▶ XBOX application (not available anymore)
• Excessive permission requests
  ▶ Horoscopo Diario: 25 million monthly users
  ▶ Would require only the date of birth, yet requests 25 different permissions
  ▶ Requests permissions but does not use them
  ▶ Users do not seem to verify requested permissions
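The statistics behind the three permission slides (permission frequency by app category, permissions aggregated per provider with the mean and the email-address share, providers at or above the 10-permission threshold, and the requested-versus-needed comparison of the manual review), as an added example that is not the AppInspect prototype's code. The app records, provider ids and permission names are constructed; the `needed` set stands in for the reviewer's judgement of what an app's functionality requires.

```python
"""Added example (not AppInspect's own code): permission statistics of the
kind reported on slides 17-19, computed over a constructed app sample.

Assumptions: each app record carries its provider, its category ("game" or
"app") and the permission names it requests; providers, categories and
permission names below are placeholders, not AppInspect dataset records.
"""
from collections import Counter, defaultdict

# Constructed sample. The last record mimics the slide-19 case: a horoscope-style
# app that would only need the birthday but requests eleven further permissions.
SAMPLE_APPS = [
    {"provider": "p1", "category": "game",
     "permissions": ["publish_stream", "email", "user_birthday"]},
    {"provider": "p1", "category": "game",
     "permissions": ["publish_stream", "user_photos"]},
    {"provider": "p2", "category": "app",
     "permissions": ["email", "publish_actions"]},
    {"provider": "p3", "category": "app", "permissions": ["email"]},
    {"provider": "p5", "category": "app", "permissions": ["publish_stream"]},
    {"provider": "p4", "category": "game",
     "permissions": ["user_birthday"] + [f"perm_{i}" for i in range(11)]},
]


def permission_table(apps):
    """Rows (permission, games, apps, share of all apps in %) as on slide 17,
    sorted by share, then name."""
    by_perm = defaultdict(Counter)
    for app in apps:
        for perm in set(app["permissions"]):   # count a permission once per app
            by_perm[perm][app["category"]] += 1
    rows = []
    for perm, counts in by_perm.items():
        share = 100.0 * sum(counts.values()) / len(apps)
        rows.append((perm, counts["game"], counts["app"], round(share, 2)))
    rows.sort(key=lambda r: (-r[3], r[0]))
    return rows


def provider_permissions(apps):
    """Union of the permissions each provider requests across its apps."""
    per_provider = defaultdict(set)
    for app in apps:
        per_provider[app["provider"]].update(app["permissions"])
    return dict(per_provider)


def provider_stats(apps, threshold=10):
    """Provider count, mean permissions per provider, share of providers
    requesting the email address, and the providers at or above the
    threshold that warrant a manual requested-versus-needed review."""
    per_provider = provider_permissions(apps)
    sizes = {p: len(perms) for p, perms in per_provider.items()}
    with_email = sum("email" in perms for perms in per_provider.values())
    return {
        "providers": len(per_provider),
        "mean_permissions": round(sum(sizes.values()) / len(sizes), 2),
        "email_share": round(100.0 * with_email / len(per_provider), 2),
        "flagged": sorted(p for p, n in sizes.items() if n >= threshold),
    }


def excess_permissions(app, needed):
    """Permissions an app requests beyond the set its functionality needs;
    `needed` is the reviewer's judgement (an assumption, not a data field)."""
    return sorted(set(app["permissions"]) - set(needed))


if __name__ == "__main__":
    for row in permission_table(SAMPLE_APPS):
        print("%-16s game=%2d app=%2d %6.2f%%" % row)
    print(provider_stats(SAMPLE_APPS))
    print(excess_permissions(SAMPLE_APPS[-1], {"user_birthday"}))
```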
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Facebookrsquos application authorization dialog
(a) Unified AuthDialog April 2010
(b) Enhanced AuthDialog January 2012
(c) App Center Auth Dialog May 2012
628
Section 3
AppInspect Framework
728
AppInspect Framework
Search Module
ClassifierModule
Analysis Module
Online Social Network (OSN)Start Analysis
App list App samples
TargetOSN
(1) Search Apps
App Directory
Fetchdirectory
Searchexhaustively
(3) Analyse networktraffic (4) Fingerprint
provider(2) Collect app details
Third-Party Applications
Figure AppInspect a framework for automated security and privacyanalysis of social network ecosystems
828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Section 3
AppInspect Framework
728
AppInspect Framework
Search Module
ClassifierModule
Analysis Module
Online Social Network (OSN)Start Analysis
App list App samples
TargetOSN
(1) Search Apps
App Directory
Fetchdirectory
Searchexhaustively
(3) Analyse networktraffic (4) Fingerprint
provider(2) Collect app details
Third-Party Applications
Figure AppInspect a framework for automated security and privacyanalysis of social network ecosystems
828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
AppInspect Framework
Search Module
ClassifierModule
Analysis Module
Online Social Network (OSN)Start Analysis
App list App samples
TargetOSN
(1) Search Apps
App Directory
Fetchdirectory
Searchexhaustively
(3) Analyse networktraffic (4) Fingerprint
provider(2) Collect app details
Third-Party Applications
Figure AppInspect a framework for automated security and privacyanalysis of social network ecosystems
828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
(1) Search Module
bull Enumerate applications for target social networkbull Simple scrapers
I Google+ single HTML page with few applicationsI LinkedIn easy to enumerate via applicationId
bull FacebookI Majority of apps not in directoriesI Numeric identifier brute force not feasible (1014)I Exhaustive search character n-grams keywords etc
LinkedIn Example
GET opensocialInstallationpreview_applicationId =1000
Host https wwwlinkedincom
928
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET /apps/application.php?id=194699337231859
Host: www.facebook.com
⇒ Redirects to http://yahoo.com
(3) Analysis Module
- Traffic collection
  - Applications are installed on test accounts
  - HTTP(S) proxy collects network traffic
- Web tracker identification
  - Detection of analytics and advertising products
- Information leaks
  - Leakage of personal data and auth tokens to third parties
- Hosting infrastructure fingerprint
  - Fingerprint the underlying hosting infrastructure
  - Search vulnerability databases for detected services
Section 4
Evaluation
Prototype
- Analysis of Facebook's application ecosystem
- Non-intrusive security audits
- AppInspect Prototype
  - Python with mechanize; Mozilla Firefox + Adobe Flash
  - Fast crawling and realistic network samples
- Traffic Analysis
  - HTTP(S) interception proxy
  - XML parser for network samples
- Web tracker identification
  - Based on Ghostery DB
- Hosting infrastructure fingerprint
  - Standard Unix tools (dig, nmap)
  - Exploit-DB, metasploit-DB
Enumerated Apps
- Exhaustive search with character trigrams
- 434,687 unique applications in two weeks
- Validation against Socialbakers' Facebook applications
[Figure: Enumerated Application Sample. x-axis ticks 1, 10, 100, 1000, 10000, 100000, 1e+06 (log scale); left y-axis: Monthly Active Users (MAU), 0·10^0 to 6·10^7; right y-axis: Percent of Cumulative MAU, 0 to 100. Series: application usage, cumulative application usage.]
Application Sample
- 10,624 most popular apps: 94.07% of cumulative usage
- In-depth analysis on 4,747 apps which transfer user data

Application Type      | Applications | Total (%)
Authentication Dialog |        4747  |   44.68
Canvas                |        2365  |   22.26
Connect               |        2260  |   21.27
Defect                |         865  |    8.14
Page Add-ons          |         280  |    2.64
Mobile                |         107  |    1.01
Total                 |       10624  |  100.00
Table: Classification of subsample with popular applications
Section 5
Results
Requested Permissions (n=4747)
Permission              | game | app  | Total (%)
Publish posts to stream | 1617 |  819 |   51.32
Personal email address  | 1055 | 1132 |   46.07
Publish action          |  435 |  857 |   27.22
Access user's birthday  |  582 |  428 |   21.28
Access user's photos    |  721 |   99 |   17.27
Access data offline     |  517 |  120 |   13.42
Access user likes       |  438 |  153 |   12.45
Access user location    |  350 |  143 |   10.39
Read stream             |  409 |   80 |   10.30
Access friends' photos  |  319 |   17 |    7.08
Table: Most common requested permissions by third-party applications (game and app columns are the two app categories)
Permissions per Provider
- 4,747 applications belonged to 1,646 distinct providers
- 60.24% of all providers requested the personal email address
[Figure: number of permissions requested per provider. x-axis ticks 0 to 1600; y-axis: Number of permissions requested, 0 to 50. Mean = 2.91246.]
Developers with ≥ 10 Permission Requests
- 40 providers requested more than 10 permissions
- Manually verified requested permissions vs. app functionality
- Legitimate uses
  - Dating and job-hunting applications
  - XBOX application (not available anymore)
- Excessive permission requests
  - Horoscopo Diario: 25 million monthly users
  - Would require only the date of birth, yet requests 25 different permissions
  - Permissions are requested but not used
  - Users do not seem to verify requested permissions
Internet Hosting Services
- 55% of applications hosted in the US
- 64 different countries in total

Provider     | Location                      | Total (%)
Amazon EC2   | US (755), IE (82), SG (52)    |   18.72
SoftLayer    | US (505)                      |   10.65
Peak Hosting | US (244)                      |    5.14
Rackspace    | US (147), GB (11), HK (4)     |    3.41
GoDaddy      | SG (51), US (29), NL (6)      |    1.82
Linode       | US (72), GB (6), JP (2)       |    1.69
OVH          | FR (42), PL (7), ES (2)       |    1.04
Hetzner      | DE (47)                       |    0.99
Internap     | US (35)                       |    0.73
Discovered Web Services
- 55% Apache httpd; nginx (15.63%), Microsoft IIS (9.4%)
- 2 hosts: source code disclosure vulnerability (CVE-2010-2263)
- 8 hosts: ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221)
- Host with 12 million monthly users and sensitive information

TCP Port | Service | Hosts | Total (%)
22       | ssh     |  662  |   40.22
21       | ftp     |  640  |   38.88
25       | smtp    |  572  |   34.75
110      | pop3    |  439  |   26.67
143      | imap    |  417  |   25.33
Table: Most common additional services on application hosts
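The fingerprinting step behind this table, written out as an added example (not AppInspect's own code): it parses nmap's grepable (-oG) output for a set of application hosts and derives the per-port service tally and the web-server share the slide reports. The scan lines, RFC 5737 addresses and hostnames are constructed for the demonstration.

```python
"""Tally exposed services on application hosts from nmap grepable output.

Added example, not AppInspect's own code. Parses the -oG ("grepable")
format nmap emits and builds the per-port table from the slide. The scan
output below is constructed (RFC 5737 addresses, made-up hostnames).
"""
from collections import Counter

# One "Ports:" line per host; each port entry is
# port/state/protocol/owner/service/rpc info/version/
NMAP_GREPABLE = """\
# Nmap 6.25 scan initiated as: nmap -sV -oG - 192.0.2.0/29
Host: 192.0.2.10 (app-a.example.test)\tStatus: Up
Host: 192.0.2.10 (app-a.example.test)\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.2/, 22/open/tcp//ssh//OpenSSH 5.3/, 80/open/tcp//http//Apache httpd 2.2.15/\tIgnored State: closed (997)
Host: 192.0.2.11 (app-b.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 5.9/, 80/open/tcp//http//nginx 1.2.1/, 443/open/tcp//http//nginx 1.2.1/\tIgnored State: filtered (997)
Host: 192.0.2.12 (app-c.example.test)\tPorts: 21/filtered/tcp//ftp///, 25/open/tcp//smtp//Postfix smtpd/, 80/open/tcp//http//Microsoft IIS httpd 7.5/, 110/open/tcp//pop3//Dovecot pop3d/, 143/open/tcp//imap//Dovecot imapd/\tIgnored State: closed (995)
# Nmap done -- 3 IP addresses (3 hosts up) scanned
"""


def parse_grepable(text):
    """Map each host IP to its port records (port, proto, state, service, version)."""
    hosts = {}
    for line in text.splitlines():
        # Only "Host:" lines carrying a Ports field matter; status-only lines
        # and the "# Nmap ..." comment lines are skipped.
        if not line.startswith("Host:") or "\tPorts:" not in line:
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]          # drop the "(hostname)" part
        records = []
        for spec in fields["Ports"].split(","):
            spec = spec.strip()
            if spec:
                port, state, proto, _owner, service, _rpc, version = spec.split("/")[:7]
                records.append((int(port), proto, state, service, version))
        hosts[ip] = records
    return hosts


def service_table(hosts, ports=(22, 21, 25, 110, 143)):
    """Rows of (port, service name, hosts with it open, % of hosts), like the slide table.

    Only state "open" counts: a filtered ftp port is not an exposed service.
    """
    total = max(len(hosts), 1)
    rows = []
    for port in ports:
        open_on = [ip for ip, recs in hosts.items()
                   if any(p == port and st == "open" for p, _, st, _, _ in recs)]
        name = next((svc for recs in hosts.values() for p, _, st, svc, _ in recs
                     if p == port and st == "open" and svc), "")
        rows.append((port, name, len(open_on), round(100.0 * len(open_on) / total, 2)))
    return rows


def web_server_share(hosts):
    """Count hosts per web-server product, taken from the version string on 80/443."""
    share = Counter()
    for recs in hosts.values():
        products = {ver.split()[0] for p, _, st, _, ver in recs
                    if p in (80, 443) and st == "open" and ver}
        share.update(products)  # a host running nginx on both ports counts once
    return share


if __name__ == "__main__":
    scanned = parse_grepable(NMAP_GREPABLE)
    for port, name, n, pct in service_table(scanned):
        print(f"{port:>5} {name:<6} {n:>3} {pct:6.2f}%")
    print(dict(web_server_share(scanned)))
```

The version strings the parser extracts are what the slide's next step checked against Exploit-DB and metasploit-DB; that lookup is deliberately left out here.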
Tracking and Advertisement Products
Web bug          | Type        | Apps | Total (%)
Google Analytics | analytics   | 3378 |   71.16
DoubleClick      | advertising |  529 |   11.14
Google Adsense   | advertising |  361 |    7.61
AdMeld           | advertising |  276 |    5.81
Cubics           | advertising |  153 |    3.22
LifeStreet Media | advertising |   94 |    1.98
Google AdWords   | advertising |   91 |    1.92
OpenX            | advertising |   82 |    1.73
Quantcast        | analytics   |   49 |    1.03
ScoreCard Beacon | analytics   |   48 |    1.01
Table: Common web trackers included in third-party applications
Information Leaks
- 315 apps directly transferred personally identifiable information (via HTTP parameter)

uuid, birthdate, gender:
GET /social/analytic-web-rest/rest/action/161000000000000/wpc/landing?birthday=5%2F22%2F2013&gender=male
Host: [removed from online version]

uuid, tracking:
GET /delivery/brandConnect.php?callback=siteUserId=1000000000000&siteId=1111&popup=0
Host: [removed from online version]
Information leaks II
- 51 applications leaked unique user identifiers (HTTP Referer)
- 14 out of 51 applications also leaked OAuth tokens

Example leak, app with 47 million MAU:
GET /fnf/flash.php?hbref=&u=&page=-1&frli=&oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000&issec=0&locale=en_US
Host: [removed from online version]
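The leak check of the analysis module, as an added example that is not AppInspect's own code: it runs over constructed proxy captures shaped like the two kinds of leak shown on this and the previous slide, decodes each request's query string and path as well as the query string carried in the Referer header, and reports every test-account value that reaches a host outside the first-party set. All hosts, identifiers and account values are constructed; the percent-encoded birthday (5%2F22%2F2013) is included to show that the comparison must happen after decoding.

```python
"""Flag personal data and OAuth tokens that leave the app for third parties.

Added example, not AppInspect's own code. The request records are
constructed to resemble the slide examples; all hosts, identifiers and
account values are made up for this demonstration.
"""
from urllib.parse import parse_qsl, urlsplit

# Values provisioned on the test account. Any of them appearing in traffic
# to a third-party host is a leak. (Constructed placeholders.)
TEST_ACCOUNT = {
    "uuid": "1000000000000",
    "birthday": "5/22/2013",
    "gender": "male",
    "oauth_token": "AAAAAAAAAAAAAAAAA",
}

# Hosts allowed to see the data: the OSN itself and the app's own canvas host.
FIRST_PARTY_HOSTS = {"www.facebook.com", "apps.facebook.com", "canvas.example-app.test"}

# Constructed captures in the shape an interception proxy logs them:
# (method, absolute URL, selected request headers).
CAPTURED_REQUESTS = [
    # PII in the request's own query string, percent-encoded (previous slide).
    ("GET",
     "http://analytics.example-tracker.test/social/analytic-web-rest/rest/action/"
     "161000000000000/wpc/landing?birthday=5%2F22%2F2013&gender=male",
     {"Referer": "http://canvas.example-app.test/game?fbid=1000000000000"}),
    # User id handed to an ad network as a query parameter.
    ("GET",
     "http://ads.example-network.test/delivery/brandConnect.php"
     "?siteUserId=1000000000000&siteId=1111&popup=0",
     {}),
    # Harmless-looking image fetch whose Referer carries the canvas URL,
    # including the OAuth token and user id (this slide's pattern).
    ("GET",
     "http://cdn.example-static.test/img/logo.png",
     {"Referer": "http://canvas.example-app.test/fnf/flash.php"
                 "?u=&oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000"}),
    # The same data sent to the app's own host: first party, not a leak.
    ("GET",
     "http://canvas.example-app.test/fnf/flash.php"
     "?oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000",
     {}),
]


def values_in_url(url):
    """Decoded query-string values plus path segments of a URL.

    parse_qsl undoes percent-encoding, so 5%2F22%2F2013 compares equal to the
    account's 5/22/2013. Path segments catch identifiers embedded in
    REST-style paths rather than in parameters.
    """
    parts = urlsplit(url)
    values = {v for _, v in parse_qsl(parts.query, keep_blank_values=True)}
    values.update(seg for seg in parts.path.split("/") if seg)
    return values


def find_leaks(requests, account, first_party):
    """Return (third_party_host, channel, field) for every leaked account field.

    channel is "url" when the value sits in the request itself and "referer"
    when it rides along in the Referer header.
    """
    leaks = []
    for _method, url, headers in requests:
        host = urlsplit(url).hostname
        if host in first_party:
            continue
        channels = [("url", values_in_url(url))]
        referer = headers.get("Referer")
        if referer:
            channels.append(("referer", values_in_url(referer)))
        for channel, seen in channels:
            for field, value in account.items():
                if value in seen:
                    leaks.append((host, channel, field))
    return leaks


def summarize(leaks):
    """Per third-party host, the sorted list of leaked fields."""
    summary = {}
    for host, _channel, field in leaks:
        summary.setdefault(host, set()).add(field)
    return {host: sorted(fields) for host, fields in summary.items()}


if __name__ == "__main__":
    found = find_leaks(CAPTURED_REQUESTS, TEST_ACCOUNT, FIRST_PARTY_HOSTS)
    for host, channel, field in found:
        print(f"{host}: {field} via {channel}")
    print(summarize(found))
```

Matching on exact values is only sufficient for unobfuscated transfers, which is the limitation the deck itself names for hashed or hidden back-end transfers.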
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
(2) Classifier Module
bull Application properties rating popularity permissions typeI Web scrapingI Redirection behavior
bull LanguageI Detect and translate non-english applications
Redirect example
GET appsapplicationphpid =194699337231859
Host wwwfacebookcom
=rArr Redirects to http yahoocom
1028
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
(3) Analysis Module
bull Traffic collectionI Applications are installed on test accountsI HTTP(S) proxy collects network traffic
bull Web tracker identificationI Detection of analytics and advertising products
bull Information leaksI Leakage of personal data auth tokens to third parties
bull Hosting infrastructure fingerprintI Fingerprint the underlying hosting infrastructureI Search vulnerability databases for detected services
1128
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Section 4
Evaluation
1228
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Prototype
bull Analysis of Facebookrsquos application ecosystem
bull Non-intrusive security audits
bull AppInspect PrototypeI Python with mechanize Mozilla Firefox + Adobe FlashI Fast crawling and realistic network samples
bull Traffic AnalysisI HTTP(S) interception proxyI XML parser for network samples
bull Web tracker identificationI Based on Ghostery DB
bull Hosting infrastructure fingerprintI Standard unix tools (dig nmap)I Exploit-DB metasploit-DB
1328
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Enumerated Apps
bull Exhaustive search with character trigrams
bull 434687 unique applications in two weeks
bull Validation against Socialbakersrsquo Facebook applications
0sdot100
1sdot107
2sdot107
3sdot107
4sdot107
5sdot107
6sdot107
1 10 100 1000 10000 100000 1e+060
10
20
30
40
50
60
70
80
90
100
Mo
nth
ly A
ctive
Use
rs (
MA
U)
Pe
rce
nt
of
Cu
mu
lative
MA
U
Enumerated Application Sample
cumulative application usageapplication usage
1428
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ≥ 10 Permission Requests
• 40 providers requested more than 10 permissions
• Manually verified requested permissions vs. app functionality
• Legitimate uses
  - Dating and job hunting applications
  - XBOX application (not available anymore)
• Excessive permission requests
  - Horoscopo Diario: 25 million monthly users
  - Would require only the date of birth, but requests 25 different permissions
  - Requests permissions but does not use them
  - Users do not seem to verify requested permissions
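The per-provider statistics on the last two slides (permissions per provider, share of providers requesting the email address, the ≥ 10 threshold that selects providers for manual review) are simple to reproduce from the scope strings shown in the authorization dialog. The block below is an added example, not AppInspect code; the provider names, app ids and scope strings in SAMPLE_APPS are constructed, and the threshold of 10 follows the slide.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of (app_id, provider, category, scope string taken from the
# authorization dialog). Providers, ids and scopes are illustrative, not AppInspect data.
SAMPLE_APPS = [
    ("app-1", "games-inc",  "game", "publish_stream,email,user_birthday,user_photos"),
    ("app-2", "games-inc",  "game", "publish_stream,user_likes"),
    ("app-3", "horoscope",  "app",  "email,user_birthday,user_location,user_likes,"
                                    "user_photos,friends_photos,read_stream,offline_access,"
                                    "publish_actions,user_about_me,user_interests"),
    ("app-4", "jobs-co",    "app",  "email,user_work_history,user_education_history"),
    ("app-5", "quiz-maker", "app",  "publish_stream"),
]


def parse_scope(scope):
    """Split a comma-separated OAuth scope string into a set of permission names."""
    return {p.strip() for p in scope.split(",") if p.strip()}


def permission_counts(apps):
    """How many apps request each permission, split by app category (game vs. app)."""
    counts = defaultdict(lambda: {"game": 0, "app": 0})
    for _, _, category, scope in apps:
        for perm in parse_scope(scope):
            counts[perm][category] += 1
    return dict(counts)


def provider_permissions(apps):
    """Union of the permissions each provider requests across all of its apps."""
    by_provider = defaultdict(set)
    for _, provider, _, scope in apps:
        by_provider[provider] |= parse_scope(scope)
    return dict(by_provider)


def share_requesting(provider_perms, perm="email"):
    """Fraction of providers that request `perm` in at least one of their apps."""
    return sum(1 for ps in provider_perms.values() if perm in ps) / len(provider_perms)


def mean_permissions(provider_perms):
    """Mean number of distinct permissions per provider."""
    return mean(len(ps) for ps in provider_perms.values())


def providers_to_review(provider_perms, threshold=10):
    """Providers whose distinct permission count reaches `threshold`. These go to the
    manual functionality-vs-scope review, which the slides say cannot be automated."""
    return sorted(p for p, ps in provider_perms.items() if len(ps) >= threshold)


if __name__ == "__main__":
    perms = provider_permissions(SAMPLE_APPS)
    print("providers:", len(perms))
    print("share requesting email: %.2f%%" % (100 * share_requesting(perms)))
    print("mean permissions per provider: %.2f" % mean_permissions(perms))
    print("providers to review:", providers_to_review(perms))
```

The union per provider matters: a provider whose individual apps each look modest can still hold a wide scope once the tokens of all its apps are pooled on its back-end, which is the unit of trust the hosting and leak slides later treat as one host.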
Internet Hosting Services
• 55% of applications hosted in the US
• 64 different countries in total

Provider       Location (apps)                   Total
Amazon EC2     US (755), IE (82), SG (52)       18.72%
SoftLayer      US (505)                         10.65%
Peak Hosting   US (244)                          5.14%
Rackspace      US (147), GB (11), HK (4)         3.41%
GoDaddy        SG (51), US (29), NL (6)          1.82%
Linode         US (72), GB (6), JP (2)           1.69%
OVH            FR (42), PL (7), ES (2)           1.04%
Hetzner        DE (47)                           0.99%
Internap       US (35)                           0.73%
(Total: share of the 4,747 analysed apps)
Discovered Web Services
• 55% Apache httpd, nginx (15.63%), Microsoft IIS (9.4%)
• 2 hosts: source code disclosure vulnerability (CVE-2010-2263)
• 8 hosts: ProFTPD buffer overflow (CVE-2006-5815, CVE-2010-4221)
• Among them: a host with 12 million monthly users and sensitive information

TCP Port   Service   Hosts    Total
22         ssh         662   40.22%
21         ftp         640   38.88%
25         smtp        572   34.75%
110        pop3        439   26.67%
143        imap        417   25.33%
Table: Most common additional services on application hosts (Total: share of the 1,646 hosts)
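The ProFTPD finding above comes from matching service banners against the first fixed release of each CVE. The block below is an added example of that banner check, not the AppInspect fingerprinting module; the banners and addresses in SAMPLE_BANNERS are constructed, and the fixed-in versions (1.3.0a for CVE-2006-5815, 1.3.3c for CVE-2010-4221) are taken from the public CVE descriptions and should be confirmed against the vendor advisory before being relied on.

```python
import re

# Constructed FTP banners keyed by host (placeholder addresses, not AppInspect data).
SAMPLE_BANNERS = {
    "198.51.100.10": "220 ProFTPD 1.3.3a Server (ProFTPD) [198.51.100.10]",
    "198.51.100.11": "220 ProFTPD 1.3.3c Server (ProFTPD) [198.51.100.11]",
    "198.51.100.12": "220 ProFTPD 1.2.10 Server ready.",
    "198.51.100.13": "220 (vsFTPd 2.3.5)",
    "198.51.100.14": "220 ProFTPD 1.3.5 Server ready",
}

# First fixed release per CVE, as (major, minor, patch, letter). Taken from the
# public CVE descriptions; an assumption of this example, verify before use.
PROFTPD_FIXED_IN = {
    "CVE-2006-5815": (1, 3, 0, "a"),   # sreplace() stack overflow, fixed in 1.3.0a
    "CVE-2010-4221": (1, 3, 3, "c"),   # pr_netio_telnet_gets() overflow, fixed in 1.3.3c
}

BANNER_RE = re.compile(r"ProFTPD\s+(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_proftpd_version(banner):
    """Return (major, minor, patch, letter) from a ProFTPD banner, or None for other servers."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def affected_cves(version):
    """CVEs whose fix is newer than `version`; tuple comparison orders 1.3.3a < 1.3.3c."""
    return [cve for cve, fixed in PROFTPD_FIXED_IN.items() if version < fixed]


def vulnerable_hosts(banners):
    """Map host -> list of CVE ids for every ProFTPD host whose banner predates the fix."""
    result = {}
    for host, banner in banners.items():
        version = parse_proftpd_version(banner)
        if version is None:
            continue
        cves = affected_cves(version)
        if cves:
            result[host] = cves
    return result


if __name__ == "__main__":
    for host, cves in vulnerable_hosts(SAMPLE_BANNERS).items():
        print(host, ", ".join(cves))
```

A banner check is only a triage signal: distributions that backport fixes keep the old version string (false positives), and operators who rewrite the banner hide the version (false negatives), so hosts flagged this way were candidates for notification, not confirmed exploitable.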
Tracking and Advertisement Products

Web bug            Type          Apps    Total
Google Analytics   analytics     3378   71.16%
DoubleClick        advertising    529   11.14%
Google Adsense     advertising    361    7.61%
AdMeld             advertising    276    5.81%
Cubics             advertising    153    3.22%
LifeStreet Media   advertising     94    1.98%
Google AdWords     advertising     91    1.92%
OpenX              advertising     82    1.73%
Quantcast          analytics       49    1.03%
ScoreCard Beacon   analytics       48    1.01%
Table: Common web trackers included in third-party applications
Information Leaks
• 315 apps directly transferred personally identifiable information (via HTTP parameter)

uuid, birthdate, gender:
  GET /socialanalytic-web-rest/rest/action/161000000000000/wpc/landing?birthday=5%2F22%2F2013&gender=male
  Host: [removed from online version]

uuid, tracking:
  GET /delivery/brandConnect.php?callback=siteUserId=1000000000000&siteId=1111&popup=0
  Host: [removed from online version]
Information Leaks II
• 51 applications leaked unique user identifiers (HTTP Referer)
• 14 out of 51 applications also leaked OAuth tokens
Example leak, app with 47 million MAU:
  GET /fnf/flash.php?hbref=&u=&page=-1&frli=&oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000&issec=0&locale=en_US
  Host: [removed from online version]
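The two leak classes on the last two slides (personal data sent as request parameters to third parties, and user ids or OAuth tokens carried in the URL and therefore copied into the Referer of every embedded resource) can be detected from captured traffic with a parameter allow-list. The block below is an added example, not the AppInspect analysis module: the requests in SAMPLE_REQUESTS are constructed after the redacted examples above, the hostnames, ids and token value are placeholders, and the parameter name lists are a heuristic of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed requests modelled on the redacted leaks on the slides; hostnames,
# ids and the token value are placeholders, not captured AppInspect traffic.
SAMPLE_REQUESTS = [
    {"url": "http://analytics.example/rest/action/161000000000000/landing"
            "?birthday=5%2F22%2F2013&gender=male",
     "headers": {"Referer": "http://apps.facebook.com/examplegame/"}},
    {"url": "http://ads.example/delivery/brandConnect.php"
            "?callback=cb&siteUserId=1000000000000&siteId=1111&popup=0",
     "headers": {}},
    {"url": "http://tracker.example/pixel.gif",
     "headers": {"Referer": "http://game.example/fnf/flash.php?hbref=&u=&page=-1"
                            "&oauth_token=AAAAAAAAAAAAAAAAA&fbid=1000000000000"
                            "&issec=0&locale=en_US"}},
    {"url": "http://cdn.example/static/app.js",
     "headers": {"Referer": "http://game.example/"}},
]

# Parameter names are a heuristic allow-list (an assumption of this example).
PII_PARAMS = {"birthday", "birthdate", "dob", "gender", "email", "first_name", "last_name"}
USER_ID_PARAMS = {"uid", "user_id", "userid", "fbid", "fb_uid", "siteUserId"}
TOKEN_PARAMS = {"oauth_token", "access_token", "fb_sig_session_key"}
LONG_ID_RE = re.compile(r"\d{13,}")   # bare numeric ids embedded in the path


def findings_in_url(url, where):
    """List (kind, name, where) for sensitive query parameters or path ids in `url`."""
    parts = urlsplit(url)
    found = []
    for name in parse_qs(parts.query, keep_blank_values=True):
        if name in PII_PARAMS:
            found.append(("pii", name, where))
        elif name in USER_ID_PARAMS:
            found.append(("user_id", name, where))
        elif name in TOKEN_PARAMS:
            found.append(("token", name, where))
    for seg in parts.path.split("/"):
        if LONG_ID_RE.fullmatch(seg):
            found.append(("user_id", "path:" + seg, where))
    return found


def inspect_request(req):
    """Findings for the request URL (where='query') and its Referer header (where='referer')."""
    findings = findings_in_url(req["url"], "query")
    referer = req.get("headers", {}).get("Referer")
    if referer:
        findings += findings_in_url(referer, "referer")
    return findings


def summarize(requests):
    """Number of requests leaking each class of data (a request counts once per class)."""
    summary = {"pii": 0, "user_id": 0, "token": 0}
    for req in requests:
        for kind in {kind for kind, _, _ in inspect_request(req)}:
            summary[kind] += 1
    return summary


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        for kind, name, where in inspect_request(req):
            print("%-8s %-22s via %s" % (kind, name, where))
    print(summarize(SAMPLE_REQUESTS))
```

The third sample request is the Referer case from the slide: the tracking pixel itself carries nothing, but because the canvas page put oauth_token and fbid into its own URL, the browser hands both to the tracker's host. The fix on the app side is to keep tokens out of URLs altogether (POST body or a server-side session), not to filter which third parties receive the Referer.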
Section 6
Discussion and Conclusion
Discussion
• Reported our findings to Facebook in November 2012
  - Facebook responded quickly
  - Facebook acknowledged problems and contacted developers
  - Application issues fixed in May 2013
• Security and privacy implications
  - Since January 2010: unproxied access to email address
  - 60% of application providers request email address
  - Social phishing, context-aware spam
  - Users trackable with real name
• Hosting
  - Number of hosts possibly vulnerable
  - FTP/SSH brute force
Limitations
• Limited to Facebook canvas applications
  - AppInspect adaptation to other OSNs
  - Mobile applications and websites
• Detection of excessive permission requests
  - App functionality vs. requested permissions
  - Requires manual reviews
• Detection of information leaks
  - Obfuscated personal information
  - Hidden back-ends for data transfer
  - Offline passing on of data
Conclusion
• Automated social app analysis is feasible
• Helped to fix shortcomings in popular applications
• Framework and dataset
  - Plan: release open-source version of the code
  - Datasets for social app research
http://ai.sba-research.org
Application Sample
bull 10624 most popular apps 9407 of cumulative usage
bull In-depth analysis on 4747 apps which transfer user data
Application Type Applications Total
Authentication Dialog 4747 4468Canvas 2365 2226Connect 2260 2127Defect 865 814Page Add-ons 280 264Mobile 107 101Total 10624 10000
Table Classification of subsample with popular applications
1528
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Section 5
Results
1628
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Requested Permissions (n=4747)
App Category
Permission game app Total
Publish posts to stream 1617 819 5132Personal email address 1055 1132 4607Publish action 435 857 2722Access userrsquos birthday 582 428 2128Access userrsquos photos 721 99 1727Access data offline 517 120 1342Access user likes 438 153 1245Access user location 350 143 1039Read stream 409 80 103Access friendsrsquo photos 319 17 708
Table Most common requested permissions by third-party applications
1728
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Permissions per Provider
bull 4747 applications belonged to 1646 distinct providers
bull 6024 of all providers requested personal email address
0
5
10
15
20
25
30
35
40
45
50
0 200 400 600 800 1000 1200 1400 1600
Num
ber
of perm
issio
ns r
equeste
d
Mean = 291246
1828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Developers with ge 10 Permission Requests
bull 40 providers requested more than 10 permissions
bull Manually verified requested permissions vs app functionalitybull Legitimate uses
I Dating and job hunting applicationsI XBOX application (not available anymore)
bull Excessive permission requestsI Horoscopo Diario 25 million monthly usersI Would require data of birth 25 different permissionsI Request permission but do not use themI Users do not seem to verify requested permissions
1928
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Internet Hosting Services
bull 55 of applications hosted in the US
bull 64 different countries in total
Provider Location Total
Amazon EC2 US (755) IE (82) SG (52) 1872SoftLayer US (505) 1065
Peak Hosting US (244) 514Rackspace US (147) GB (11) HK (4) 341GoDaddy SG (51) US (29) NL (6) 182
Linode US (72) GB (6) JP (2) 169OVH FR (42) PL (7) ES (2) 104
Hetzner DE (47) 099Internap US (35) 073
2028
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Discovered Web Servicesbull 55 Apache httpd nginx (1563) Microsoft IIS (94)bull 2 hosts source code disclosure vulnerability (CVE-2010-2263)bull 8 hosts ProFTPD buffer overflow
(CVE-2006-5815 CVE-2010-4221)bull Host with 12 million monthly users and sensitive information
TCP Port Service Hosts Total
22 ssh 662 402221 ftp 640 388825 smtp 572 3475110 pop3 439 2667143 imap 417 2533
Table Most common additional services on application hosts
2128
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion
bull Reported our findings to Facebook in november 2012I Facebook responded quicklyI Facebook acknowledged problems and contacted developersI Application issues fixed in May 2013
bull Security and privacy implicationsI Since January 2010 unproxied access to email addressI 60 of application providers request email addressI Social phishing context-aware spamI Users trackable with real name
bull HostingI Number of hosts possible vulnerableI FTPSSH bruteforce
2628
Limitations
bull Limitation to Facebook canvas applicationsI AppInspect adaption to other OSNsI Mobile applications and websites
bull Detection of excessive permission requestsI App functionality vs requested permissionsI Requires manual reviews
bull Detection of information leaksI Obfuscated personal informationI Hidden back-ends for data transferI Offline passing on of data
2728
Conclusion
bull Automated social app analysis is feasible
bull Helped to fix shortcomings in popular applicationsbull Framework and dataset
I Plan Release opensource version of codeI Datasets for social app research
httpaisba-researchorg
2828
Tracking and Advertisement Products
Web bug Type Apps Total
Google Analytics analytics 3378 7116DoubleClick advertising 529 1114Google Adsense advertising 361 761AdMeld advertising 276 581Cubics advertising 153 322LifeStreet Media advertising 94 198Google AdWords advertising 91 192OpenX advertising 82 173Quantcast analytics 49 103ScoreCard Beacon analytics 48 101
Table Common web trackers included in third-party applications
2228
Information Leaksbull 315 apps directly transferred personally identifiable
information (via HTTP parameter)
uuid birthdate gender
GET socialanalytic -web -restrestaction
161000000000000 wpclandingbirthday =52F22
F2013ampgender=male
Host removed from online version
uuid tracking
GET deliverybrandConnectphpcallback=siteUserId
=1000000000000amp siteId =1111amp popup=0
Host removed from online version
2328
Information leaks II
bull 51 applications leaked unique user identifiers (HTTP Referer)
bull 14 out of 51 applications also leaked oAuth tokens
Example leak app with 47 million MAU
GET fnfflashphphbref =ampu=amppage=-1ampfrli=amp
oauth_token=AAAAAAAAAAAAAAAAAampfbid
=1000000000000amp issec =0amp locale=en_US
Host removed from online version
2428
Section 6
Discussion and Conclusion
2528
Discussion

• Reported our findings to Facebook in November 2012
    - Facebook responded quickly
    - Facebook acknowledged the problems and contacted the developers
    - Application issues fixed in May 2013
• Security and privacy implications
    - Since January 2010, apps get unproxied access to the user's email address
    - 60% of application providers request the email address
    - Enables social phishing and context-aware spam
    - Users are trackable under their real name
• Hosting
    - A number of hosts are possibly vulnerable
    - e.g. FTP/SSH services exposed to brute-force attacks

26/28
Limitations

• Limited to Facebook canvas applications
    - Adapting AppInspect to other OSNs
    - Mobile applications and websites
• Detection of excessive permission requests
    - App functionality vs. requested permissions
    - Requires manual reviews
• Detection of information leaks
    - Obfuscated personal information
    - Hidden back-ends for data transfer
    - Offline passing on of data

27/28
Conclusion

• Automated social app analysis is feasible
• Helped to fix shortcomings in popular applications
• Framework and dataset
    - Planned: release of an open-source version of the code
    - Datasets for social app research

http://ai.sba-research.org

28/28