CanaryTrap: Detecting Data Misuse by Third-Party Apps on Online Social Networks

Authors: Shehroze Farooqi (The University of Iowa), Maaz Musa (The University of Iowa/Lahore University of Management and Sciences), Zubair Shafiq (The University of Iowa), Fareed Zaffar (Lahore University of Management and Sciences)

Volume: 2020
Issue: 4
Pages: 336–354
DOI: https://doi.org/10.2478/popets-2020-0076

Download PDF

Abstract: Online social networks support a vibrant ecosystem of third-party apps that get access to personal information of a large number of users. Despite several recent high-profile incidents, methods to systematically detect data misuse by third-party apps on online social networks are lacking. We propose CanaryTrap to detect misuse of data shared with third-party apps. CanaryTrap associates a honeytoken to a user account and then monitors its unrecognized use via different channels after sharing it with the third-party app. We design and implement CanaryTrap to investigate misuse of data shared with third-party apps on Facebook. Specifically, we share the email address associated with a Facebook account as a honeytoken by installing a third-party app. We then monitor the received emails and use Facebook’s ad transparency tool to detect any unrecognized use of the shared honeytoken. Our deployment of CanaryTrap to monitor 1,024 Facebook apps has uncovered multiple cases of misuse of data shared with third-party apps on Facebook including ransomware, spam, and targeted advertising.

Keywords: third-party apps, data misuse, online social networks, privacy, honeytoken

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs license.