According to Germanys University of Passau researchers, the way apps can track users’ behaviour poses more privacy risks than browser fingerprinting. In a preprint posted on arXiv, the researchers argue that fingerprints in hybrid apps may contain account-specific information as well as device-specific information, identifying users uniquely on different devices. While browser fingerprinting is well known, research on hybrid apps, smartphone apps that blend Web components like JavaScript with native elements, is scarce.
In this study, researchers looked at hybrid apps on Android using WebViews to expose the functionality of a browser. To look into what privacy leaks could occur, the researchers combined the famous Android testing framework, Monkey, with the WVProfiler, a tool developed specifically for analysing WebView streams. The researchers evaluated 20,000 apps from the Play Store, finding over 5,000 that used at least one instance of WebViews API, 1,000 of which they studied in detail.