Sixteen Facebook apps caught secretly sharing data with third-parties

Academic study used unique "honeytoken" emails to install Facebook apps and see which inboxes received emails from unrecognized senders.
Written by Catalin Cimpanu, Contributor
Image: Joshua Hoehne

A team of academics has described this week a method that can help identify when Facebook app developers surreptitiously share user data with third-parties.

Named CanaryTrap, the technique was detailed by academics from the University of Iowa in a whitepaper published on Monday, titled "CanaryTrap: Detecting Data Misuse by Third-Party Apps on Online Social Networks."

At its heart, CanaryTrap revolves around the concept of a honeytoken.

In the broad sense of the term, honeytokens represent fake data, tokens, or files that IT experts plant across their network. When the data is accessed or used, administrators can detect malicious activity.

In the context of the CanaryTrap whitepaper, honeytokens were unique email addresses that academics used to register Facebook accounts.

For the CanaryTrap research, after registering an account, researchers installed a Facebook app, used it for 15 minutes, and then uninstalled the app from the account.

Image: Farooqi et al.

Researchers then monitored the honeytoken email inbox for new traffic. If the inbox received new emails, then it was clear that the app shared the user's data with a third-party.

Furthermore, the research team also said it used Facebook's ad transparency tool 'Why Am I Seeing This?' to monitor if an advertiser used any honeytoken email to target users with Facebook ads.

Image: Farooqi et al.

The academic team said they tested 1,024 Facebook apps using their CanaryToken technique and identified 16 apps that shared email addresses with third-parties and resulted in users receiving emails from unknown senders.

Of the 16, only nine apps disclosed that they had a relationship with the email sender. This relationship was usually with an unrelated affiliate website or business partner, but even if the apps revealed data sharing agreements, the inboxes usually received emails not relevant to the app.

Nonetheless, seven apps did not disclose that they shared user data with outsiders. Of these seven, the research team said they were unable to determine if the app developers shared user data with a third-party on purpose and without the user's authorization, or if the user data leaked online as part of a security incident, such as an exposed server or a hacker intrusion.

Nonetheless, some bad email traffic happened as a result, researchers said, revealing that in the case of honeytokens shared by three apps, the email inboxes received emails with sextortion threats, spam, and other email scams.

Researchers said they only found 16 apps engaging in this behavior (listed below), but this was because they only used a small sample of 1,024 apps. If more apps are to be tested, researchers expect to find more apps sharing user data with third-parties.

Image: Farooqi et al.

Academics open-sourced the CanaryTrap research and associated tools on GitHub. They said they shared CanaryTrap "to help independent watchdogs detect misuse of data shared with third-party apps without needing cooperation from online social networks."

In addition, the research team also carried out additional research against the 1,024 apps, with the following findings:

A Facebook spokesperson acknowledged our request for comment but said the company was still analyzing the CanaryTrap paper.

However, the social network is well aware of its "rogue app developer" problem and, in recent years, has taken steps to cull bad apples from its developer base.

For the past year, Facebook has sued several developers and has modified its terms of service and developer policies to grant itself more power in enforcing strict user data controls.

The latest change in Facebook's fight against abuses by app developers took place on Wednesday when Facebook announced its most recent suite of updates to its Platform Terms and Developer Policies, set to enter into effect on August 31, 2020.

The company said the new terms limit the information developers can share with third parties without receiving explicit consent from users, and also ensure developers clearly understand that they have a responsibility to safeguard user data if they tap into Facebook's platform and userbase to build their own business. Theoretically, these new changes address the loopholes reported by the CanaryTrap team.

The research team will be presenting their paper later this year at annual Privacy Enhancing Technologies Symposium (PETS) conference.

Facebook's worst privacy scandals and data disasters

Editorial standards