Sixteen Facebook apps secretly captured sharing data with third parties

Image: Joshua Hoehne

A team of academics this week described a method that can help identify when Facebook app developers surreptitiously share user data with third parties.

Called CanaryTrap, the technique was detailed by academics at the University of Iowa in a paper released Monday, titled “CanaryTrap: Detecting Data Misuse by Third-Party Applications on Online Social Networks.”

At its core, CanaryTrap revolves around the concept of a honeytoken.

In the broad sense of the term, honeytokens are bogus data, tokens, or files that IT staff plant on a network. Because the planted data has no legitimate use, any access to it or use of it lets administrators detect malicious activity.

In the context of the CanaryTrap paper, the honeytokens were unique email addresses that the academics used to register Facebook accounts.

For the CanaryTrap investigation, after registering an account, the researchers installed a Facebook app, used it for 15 minutes, and then uninstalled it from the account.

Figure: the CanaryTrap process (canarytrap-process.png). Image: Farooqi et al.

The researchers then monitored the honeytoken’s email inbox for new traffic. Because each address had been given to exactly one app, any new email arriving in that inbox showed that the app had shared the user’s data with a third party.

Furthermore, the research team also said it used Facebook’s advertising transparency tool, “Why am I seeing this?”, to check whether any advertiser had used a honeytoken email address to target users with Facebook ads.
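The email side of the method described above, as an added example that is not code from the CanaryTrap paper or its GitHub tools: each app under test is assigned its own otherwise-unused email address, and any message later delivered to that address is attributed back to the app. The registry, the keyed-hash way of deriving addresses, the `declared_partners` notion (used to separate senders the app disclosed from senders it did not), and the sample messages are all constructed for this example; the ad-transparency check is not simulated.

```python
"""Honeytoken email attribution in the style of CanaryTrap (added example,
not the paper's own code). Domains and messages below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field
from email import message_from_string
from email.utils import getaddresses, parseaddr
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class Honeytoken:
    app: str                      # app the address was handed to
    address: str                  # unique email address, used nowhere else
    declared_partners: Set[str]   # the app's own domain plus disclosed partners
    hits: List[dict] = field(default_factory=list)


class HoneytokenRegistry:
    def __init__(self, domain: str, secret: bytes):
        self.domain = domain
        self.secret = secret
        self.tokens: Dict[str, Honeytoken] = {}

    def mint(self, app: str, declared_partners: Iterable[str] = ()) -> Honeytoken:
        # Keyed hash so the address cannot be guessed from the app name alone;
        # deterministic so the same app always maps to the same token (assumption).
        local = hmac.new(self.secret, app.encode(), hashlib.sha256).hexdigest()[:12]
        token = Honeytoken(app, f"{local}@{self.domain}", set(declared_partners))
        self.tokens[token.address] = token
        return token

    def attribute(self, raw_message: str) -> Optional[Honeytoken]:
        """Map an RFC 822 message to the honeytoken (and hence app) it reached."""
        msg = message_from_string(raw_message)
        recipients = []
        for header in ("To", "Cc", "Delivered-To"):
            recipients += [addr.lower() for _, addr in getaddresses(msg.get_all(header, []))]
        for addr in recipients:
            token = self.tokens.get(addr)
            if token is None:
                continue
            sender = parseaddr(msg.get("From", ""))[1].lower()
            sender_domain = sender.rsplit("@", 1)[-1]
            token.hits.append({
                "from": sender,
                "subject": msg.get("Subject", ""),
                # disclosed = the sender is the app itself or a partner it named
                "disclosed": sender_domain in token.declared_partners,
            })
            return token
        return None  # mail to an address we never minted is not attributable

    def report(self) -> Dict[str, dict]:
        """Per app: which senders it disclosed and which it did not."""
        out = {}
        for token in self.tokens.values():
            if token.hits:
                out[token.app] = {
                    "address": token.address,
                    "disclosed": [h for h in token.hits if h["disclosed"]],
                    "undisclosed": [h for h in token.hits if not h["disclosed"]],
                }
        return out


def run_demo() -> Dict[str, dict]:
    registry = HoneytokenRegistry("canary.example", b"constructed-secret")
    quiz = registry.mint("quizapp.example", {"quizapp.example", "newsletter-partner.example"})
    horo = registry.mint("horoscope.example", {"horoscope.example"})
    # Constructed inbox contents: one disclosed partner, one unknown bulk sender,
    # and one message to an address that was never minted.
    inbox = [
        f"From: Offers <offers@newsletter-partner.example>\nTo: <{quiz.address}>\n"
        "Subject: Weekly deals\n\nHello",
        f"From: Support <x@bulk-sender.example>\nTo: <{horo.address}>\n"
        "Subject: Your account\n\nHello",
        "From: noreply@somewhere.example\nTo: nobody@canary.example\nSubject: Hi\n\nHello",
    ]
    for raw in inbox:
        registry.attribute(raw)
    return registry.report()


if __name__ == "__main__":
    for app, finding in run_demo().items():
        print(app, "undisclosed senders:", [h["from"] for h in finding["undisclosed"]])
```

The classification mirrors the paper's split between apps that disclosed a relationship with the sender and apps that did not; in practice the "disclosed" set would be filled from each app's privacy policy, and the headers checked should include whatever envelope-recipient header the receiving mail server writes.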

Figure: CanaryTrap overview (canarytrap.png). Image: Farooqi et al.

The academic team said they tested 1,024 Facebook applications using their CanaryTrap technique and identified 16 applications that shared email addresses with third parties, with the result that users received emails from unknown senders.

Of the 16, only nine apps disclosed that they had a relationship with the sender of the email. This relationship was generally with an unrelated affiliate website or business partner, and even when apps disclosed their data-sharing agreements, the inboxes generally received emails unrelated to the app.

The other seven apps, however, did not disclose that they shared user data with outside parties. For these seven, the research team said it was unable to determine whether the app developers shared user data with a third party deliberately and without user authorization, or whether the user data was leaked online as part of a security incident, such as an exposed server or an intrusion.

Whatever the cause, the result was harmful email traffic, the researchers said: in the case of honeytokens shared by three apps, the inboxes received sextortion threats, spam, and other email scams.

The researchers said they found only 16 apps engaged in this behavior (listed below), but attributed that to the small sample of 1,024 apps they tested. Were more applications tested, the researchers expect to find more apps that share user data with third parties.

Figure: the 16 apps identified (canarytrap-apps.png). Image: Farooqi et al.

The academics published the CanaryTrap research and associated tools on GitHub. They said they shared CanaryTrap “to help independent watchdogs detect misuse of data shared with third-party apps without the cooperation of online social networks.”

The research team also carried out further analysis of the 1,024 applications, with the following findings:

A Facebook spokesperson acknowledged our request for comment, but said the company was still reviewing the CanaryTrap document.

The social network is, however, well aware of its “rogue app developer” problem and, in recent years, has taken steps to remove bad apples from its developer base.

Over the past year, Facebook has sued multiple developers and modified its terms of service and developer policies to give itself more power to enforce strict user data controls.

The latest step in Facebook’s fight against abuse by app developers came on Wednesday, when Facebook announced its newest set of updates to its Platform Terms and Developer Policies, which take effect on August 31, 2020.

The company said the new terms limit the information that developers can share with third parties without the explicit consent of users, and also make clear to developers that they are responsible for protecting user data if they take advantage of the platform and the Facebook user base to build their own businesses. In theory, these changes address the gaps reported by the CanaryTrap team.