When we use the Internet, more often than not, information about us is being transmitted to other parties. Sometimes this information is simple, like a tracking identifier, and sometimes it's very personal, like your name, birth date, or credentials. This information is leaked differently depending on whether you use an online service via a Web site or an app, but which is worse, app or Web?
To answer this question, we conducted the first head-to-head study of 50 popular, free online services. We conducted manual tests, extracted personally identifiable information (PII) shared over plaintext and encrypted connections, and analyzed the data to understand differences in user-data collection across platforms for the same service. While we find that all platforms expose users’ data, there are still opportunities to significantly limit how much information is shared with other parties by selectively using the app or Web version of a service.
Tool: Use our App vs. Web tool to determine which is better based on your privacy preferences.
The anonymized data for the IMC 2016 paper "app-vs-web" is here. File names follow the pattern serviceName_deviceOS_platform_protocol.json, where:
serviceName: a short, unique name for the tested service
deviceOS: value can be "ios" or "android"
platform: value can be "app" or "chrome"/"safari"
protocol: value can be "http" or "https"
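The naming scheme above is enough to line up the app and Web captures of the same service before opening any file. The following is an added example, not code from the paper or its dataset; the function names and the sample file names are hypothetical, and it assumes nothing about the JSON contents.

```python
from collections import defaultdict
from pathlib import PurePath

# Allowed values, taken from the field descriptions above.
ALLOWED = {
    "deviceOS": {"ios", "android"},
    "platform": {"app", "chrome", "safari"},
    "protocol": {"http", "https"},
}

def parse_capture_name(filename):
    """Split serviceName_deviceOS_platform_protocol.json into its four fields."""
    path = PurePath(filename)
    if path.suffix != ".json":
        raise ValueError(f"not a .json capture file: {filename!r}")
    # Split from the right so a serviceName that itself contains "_" still
    # parses (assumption: the page does not say whether names contain "_").
    parts = path.stem.rsplit("_", 3)
    if len(parts) != 4 or not parts[0]:
        raise ValueError(f"expected four '_'-separated fields: {filename!r}")
    fields = dict(zip(("serviceName", "deviceOS", "platform", "protocol"), parts))
    for key, allowed in ALLOWED.items():
        if fields[key] not in allowed:
            raise ValueError(f"unexpected {key} {fields[key]!r} in {filename!r}")
    return fields

def pair_app_and_web(filenames):
    """Group captures by (serviceName, deviceOS), split into app vs. Web side."""
    index = defaultdict(lambda: {"app": [], "web": []})
    for name in filenames:
        f = parse_capture_name(name)
        side = "app" if f["platform"] == "app" else "web"
        index[(f["serviceName"], f["deviceOS"])][side].append(name)
    return dict(index)

def comparable(index):
    """Keys that have at least one app and one Web capture to compare."""
    return sorted(k for k, v in index.items() if v["app"] and v["web"])

# Constructed sample names (not files from the real dataset).
SAMPLE = [
    "svc-a_android_app_https.json",
    "svc-a_android_chrome_http.json",
    "svc-a_ios_app_https.json",
    "my_svc_ios_safari_https.json",
]

if __name__ == "__main__":
    print(comparable(pair_app_and_web(SAMPLE)))
```

Names that do not match the scheme raise ValueError rather than being silently skipped, so a mislabeled capture cannot end up on the wrong side of a comparison.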
Each test consisted of interacting with a given service via an app or Web site for about four minutes. We collected network traffic generated during each experiment using Meddle, and used Mitmproxy to capture both HTTP and the plaintext content of HTTPS flows. For each service requiring a login, we created a new account using a previously unused email address.
We used two phones (a Nexus 4 and a Nexus 5) running stock Android 4.4, and one phone (iPhone 5) running iOS 9.3.1. All three phones were factory reset before our experiments, and included no apps beyond the stock services and the 50 apps evaluated in this work.