Third-party apps on Facebook get access to personal information of users. The Cambridge Analytica incident showed that third-party apps on Facebook can seriously misuse user data.
We design and implement CanaryTrap to independently detect misuse of data shared with third-party apps on Facebook. At a high-level, CanaryTrap shares a honeytoken (e.g., email address) with a third-party app and monitors its unrecognized use via different channels (e.g., received emails).
We deployed CanaryTrap to monitor 1,024 Facebook apps for more than a year. Our main results are:
-
We found that data shared with 1.2% third-party apps on Facebook has been potentially misused.
-
We found that many third-party apps on Facebook apps do not fully comply with Facebook's TOS that require app developers to respond to data deletion requests by users.
Read our peer-reviewed manuscript for technical details or continue below to read a summary of our findings.
CanaryTrap detected 12 cases of potential misuse of our honeytokens that are shared with 1,024 Facebook apps. Below, we report these cases along with the severity of misuse where a darker color indicates a higher severity.
| Index | App Name | App's Website | Severity of Misuse |
|---|---|---|---|
| 1 | Safexbikes Motorsafexbikes cycle Superstore | safexbikes.com |   |
| 2 | Printi BR API | printi.com.br | |
| 3 | WeWanted 購車首選! | wewanted.com.tw | |
| 4 | JustFashionNow | justfashionnow.com |  |
| 5 | PopJulia | popjulia.com | |
| 6 | Nyx CA | nyxcosmetics.ca | |
| 7 | MyJapanBox | myjapanbox.com | |
| 8 | Alex's first app | beautymaker.com.sg |  |
| 9 | Thailand Property Login | thailand-property.com | |
| 10 | Hop-On, Hop-Off | hop-on-hop-off-bus.com | |
| 11 | Tom's Hardware Guide-IT Pro | tomshardware.com | |
| 12 | Leiturinha | leiturinha.com.br | |
Facebook's TOS require app developers to include links to their privacy policies in the app's dashboard (that appears in the user's installed apps page) as well as delete data if a user requests. We identify several third-party apps that do not include links to their privacy policies in the app dialog and/or honor user data deletion requests which result in potential violation of Facebook's TOS. Below, we list such Facebook apps:
- 61 Facebook apps that do not include links to their privacy policy
- 42 Facebook apps that do not respond to our data deletion requests
- 13 Facebook apps that continue sending emails after acknowledging data deletion
- Disclosed our findings to FTC (22nd June 2020)
- Disclosed our findings to Facebook (23rd June 2020)
- Our research covered by VentureBeat (1st July 2020) (https://bit.ly/2VQMsL6)
- Facebook announced that they are tightening data deletion practices and limiting sharing of data with other entities for developers (1st July 2020) (https://bit.ly/2BLS2aL)
- Our research covered by by ZDNet (2nd July 2020) (https://zd.net/3e1PBOs)
- Developer of app "Tom's Hardware Guide-IT Pro" informed us that they have deactived their app (3rd July 2020)
CanaryTrap shares a honeytoken email address with a third-party app. CanaryTrap then monitors the misuse of the shared honeytoken by analyzing received emails and Facebook’s ad transparency tool.
If the sender of a received email on the email account of a honeytoken shared with a third-party app do not match with the app, we label the email as unrecognized email and its sender as unrecognized sender.
We conclude that a honeytoken shared with a third-party app has been potentially misused if the sender of a received email cannot be recognized as the third-party app and the content of the email is also not relevant to the app.
We determine the severity of potential misuse of a honeytoken based on a disclosure test and content analysis.
- We perform a disclosure test to identify the relationship between an unrecognized sender and the app as disclosed or unknown. If we find a disclosure of the relationship between an unrecognized sender and the app on the app's website, privacy policy, or social media page, we identify the unrecognized sender as disclosed; otherwise, we identify the unrecognized sender as unknown.
- We perform a manual analysis of the content of unrecognized emails to label them as either malicious or unrelated. We label an email as malicious if the content of the email is clearly spam or scam. We label an unrecognized email as unrelated if the content of the email is not relevant to either the app or the app’s host website.
Below, we discuss the unrecognized use of our honeytoken based on the disclosure test and the content analysis that helps us determine the severity of misuse.
-
Malicious and Unknown
This type of unrecognized use of our honeytoken is the most egregious case of data misuse since the user data has been obtained by spammers or scammers who are sending malicious emails. For example, we receive a ransomware scam emails on the honeytokens shared with 2 apps ''Safexbikes Motorcycle Superstore'' and ''Printi BR API''. -
Unrelated and Unknown
While the content is not malicious, this type of unrecognized use is worrisome for users since user data shared with Facebook apps have been potentially misused by an unknown entity. -
Unrelated and Disclosed
An unrelated email from a disclosed sender appears less worrisome for users as compared to an unrelated email from an unknown sender. Yet, we argue that our honeytokens shared with the Facebook apps have been potentially misused by the unrecognized senders to send emails not relevant to the app.
Yes. We have proposed multiple variants of CanaryTrap that allows monitoring many more apps by reusing honeytokens and Facebook accounts. For example, one such proposed variant, matrix framework, can monitor 1,000,000 apps using only 2,000 honeytokens and 4 Facebook accounts. For more details, please refer to sections 3.3 and 5.3 of our paper.
Yes. The underlying methodology of CanaryTrap remains the same to monitor apps on other platforms. We only need to modify some parts of CanaryTrap’s existing implementation while we can still reuse various parts. For example, CanaryTrap can be adapted to monitor third-party apps on Twitter by modifying the existing implementation to associate a honeytoken to a Twitter account instead of a Facebook account and the automation of host websites to install twitter apps instead of Facebook apps. We can reuse the existing infrastructure to monitor apps once the honeytoken has been shared with a third-party app. For example, we can continue using our email server to monitor data misuse through received emails.
CanaryTrap: Detecting Data Misuse By Third-Party Apps on Online Social Networks
20th annual Privacy Enhancing Technologies Symposium (PETS), July 13–17, 2020
- Shehroze Farooqi: University of Iowa
- Maaz Musa: University of Iowa
- Zubair Shafiq: University of Iowa
- Fareed Zaffar: Lahore University of Management Sciences (LUMS)
Contact the lead author at [email protected] for any inquires.