Analyzing Remote Server Locations for Personal Data Transfers in Mobile Apps

Authors: Mojtaba Eskandari (DISI, University of Trento, Italy and Fondazione Bruno Kessler, Trento, Italy), Maqsood Ahmad (DISI, University of Trento, Italy), Anderson Santana de Oliveira (SAP Labs, France), Bruno Crispo (DISI, University of Trento, Italy and DistriNet, KULeuven, Belgium)

Volume: 2017
Issue: 1
Pages: 118–131
DOI: https://doi.org/10.1515/popets-2017-0008

Download PDF

Abstract: The prevalence of mobile devices and their capability to access high speed internet has transformed them into a portable pocket cloud interface. Being home to a wide range of users’ personal data, mobile devices often use cloud servers for storage and processing. The sensitivity of a user’s personal data demands adequate level of protection at the back-end servers. In this regard, the European Union Data Protection regulations (e.g., article 25.1) impose restriction on the locations of European users’ personal data transfer. The matter of concern, however, is the enforcement of such regulations. The first step in this regard is to analyze mobile apps and identify the location of servers to which personal data is transferred. To this end, we design and implement an app analysis tool, PDTLoc (Personal Data Transfer Location Analyzer), to detect violation of the mentioned regulations. We analyze 1, 498 most popular apps in the EEA using PDTLoc to investigate the data recipient server locations. We found that 16.5% (242) of these apps transfer users’ personal data to servers located at places outside Europe without being under the control of a data protection framework. Moreover, we inspect the privacy policies of the apps revealing that 51% of these apps do not provide any privacy policy while almost all of them contact the servers hosted outside Europe.

Keywords: Personal Data, Privacy, Mobile Apps, Cloud, Information Flow Analysis

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.