Analyzing Remote Server Locations for Personal Data Transfers in Mobile Apps

Open access


The prevalence of mobile devices and their capability to access high-speed internet has transformed them into a portable pocket cloud interface. Being home to a wide range of users’ personal data, mobile devices often use cloud servers for storage and processing. The sensitivity of a user’s personal data demands an adequate level of protection at the back-end servers. In this regard, the European Union Data Protection regulations (e.g., Article 25.1) impose restrictions on the locations to which European users’ personal data may be transferred. The matter of concern, however, is the enforcement of such regulations. The first step in this regard is to analyze mobile apps and identify the location of the servers to which personal data is transferred. To this end, we design and implement an app analysis tool, PDTLoc (Personal Data Transfer Location Analyzer), to detect violations of the mentioned regulations. We analyze the 1,498 most popular apps in the EEA using PDTLoc to investigate the locations of the data recipient servers. We found that 16.5% (242) of these apps transfer users’ personal data to servers located outside Europe without being under the control of a data protection framework. Moreover, we inspect the privacy policies of the apps, revealing that 51% of these apps do not provide any privacy policy while almost all of them contact servers hosted outside Europe.


