Not only E.T. Phones Home: Analysing the Native User Tracking of Mobile Browsers
Description
Contemporary browsers constitute a critical component of our everyday interactions with the Web. Similar to a small but powerful operating system, a browser is responsible for fetching and running web apps locally, on the user’s (mobile) device. Even though in the last few years there has been increased interest in tools and mechanisms to block potentially malicious behaviours of web domains against the users’ privacy (e.g., ad blockers, incognito browsing mode, etc.), it is still unclear whether the user can browse the Web in private. In this paper, we analyse the natively generated network traffic of 15 mobile browser apps under different configurations to investigate whether users are capable of browsing the Web privately, without sharing their browsing history with remote servers. We develop a novel framework (Panoptes) to instrument and separately monitor the mobile browser traffic generated (a) by the web engine and (b) natively by the mobile app. By crawling a set of websites via Panoptes and analysing the native traffic of browsers, we find that there are browsers (i) that persistently track their users, and (ii) that report to remote servers (geolocated outside the EU) the exact page and content the user is browsing at that moment. Finally, we see browsers communicating with third-party ad servers while leaking personal and device identifiers.
Files
Not only E.T. Phones Home Analysing the Native User Tracking.pdf (1.0 MB, md5:127535709ae8240e85dfd063897cbc04)