Authors: Scott Harper, Maryam Mehrnezhad, and Ehsan Toreini
You may be one of many who use a smart security camera in or around your home. Our study investigates how these systems respect the user’s privacy, focusing on interactions with their companion apps on the Android and iOS platforms. We find clear differences between the two platforms, with iOS contacting far more domains, including additional third-party domains, whilst Android requests a lot more permissions, including dangerous permissions.
Smart Cameras are being introduced into people’s homes to provide a sense of security and protection, however, given the data they collected they may introduce a variety of privacy risks to those that use them. From excessive permission requests to communicating user data with third parties it may be unclear how these systems violate the user’s privacy. This study looks at the Nest Cam (Google) and Ring Camera (Amazon) smart security cameras, as well as the Nest Hub Max (Google) and Amazon Echo (Amazon), performing a range of privacy analyses on these systems.
Due to their increased security protections, security and privacy research is much more difficult on the iOS platform. We gained access to an Apple Security Research Device, which has these protections reduced, allowing for the installation of analysis tools such as Frida.
We use the above analysis methods to determine:
- The number of permissions requested – and whether they are dangerous
- Any possible tracking services
- The domains they are contacting – and whether they are a third party
- How they notify and gain consent regarding the privacy policy
- How easily users can change their privacy settings
Android vs iOS Permissions
We compile and compare lists of general and dangerous permissions. Our findings show that Android has far more dangerous permission requests, except for the Google Home app, which is the same across platforms. Android also sees a higher number of general permission requests, highlighting a possible issue of Android apps requesting more permissions than necessary.
Android vs iOS Domains
From analysing the network communications of the devices and their companion apps, we identify the domains they are contacting during use. When running on iOS, the apps contacted significantly more domains. Additionally, during the experiments, there were a significant number of attempts to contact a suspected third party – for iOS, whilst Android saw considerably fewer.
Apps and Actions
The Google products performed generally better in terms of privacy, contacting fewer third-party domains during app communications and requesting fewer permissions – both general and dangerous.
We additionally tested a range of actions with each app/device, reflecting the privacy practices present during everyday use. Changing aspects of the account or device settings resulted in contact with the most third parties. Interestingly, out of the app interactions, the call or camera-view features had the least contact with third parties. This is promising as users typically show increased (and understandable) concerns around camera/video data.
Conclusion
Given the observed differences in privacy practices across the platforms, as well as the apps/devices themselves, we call for more consistent regulations around the privacy of these systems. More consistent privacy practices would enable user to maintain a greater understanding of how their data and privacy are handled. We believe these consistencies are needed to grant users greater control and agency of their privacy.