Federated Single Sign-On (SSO) is a widely used authentication method that delegates user login to Identity Providers (IdPs) such as Google and Facebook.
While convenient, SSO raises privacy and security concerns, particularly when the permissions requested for the same service differ across platforms (web vs. mobile, or even across versions of the same app), as we observed.
This study examines such discrepancies at scale, alongside an analysis of dangerous permissions specifically requested on websites and Android apps.
Our findings indicate that Android apps generally request more intrusive permissions, with a 12.58% discrepancy in Facebook SSO permissions and a 3.48% discrepancy in Google SSO permissions between the web and Android platforms.
These results underscore the need for incremental authorization practices to minimize unnecessary data access.
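The two practices the abstract points at, measuring the scope discrepancy between a relying party's web and mobile login requests and asking for scopes incrementally rather than up front, can both be shown on OAuth 2.0 authorization URLs. The following is an added example and not code from the study: the two authorization URLs, the relying-party names and the set of scopes treated as sensitive are constructed for illustration (the scope strings themselves are real Google OAuth scopes, and `include_granted_scopes=true` is Google's documented incremental-authorization parameter).

```python
"""Scope-discrepancy check and incremental-authorization request builder.

Added example, not from the study above. The sample requests, client ids
and the SENSITIVE_SCOPES classification are assumptions made for
illustration; the scope URIs and the include_granted_scopes parameter
are real Google OAuth 2.0 values.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed sample requests: one relying party logging users in via
# Google SSO on its website and in its Android build.
WEB_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-web"
    "&redirect_uri=https%3A%2F%2Fexample.test%2Fcb&response_type=code"
    "&scope=openid+email+profile"
)
ANDROID_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth?client_id=example-android"
    "&redirect_uri=com.example.app%3A%2Foauth2redirect&response_type=code"
    "&scope=openid+email+profile"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts.readonly"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.readonly"
)

# Assumption: the scopes a reviewer treats as sensitive. Google classifies
# contacts and Drive scopes as sensitive or restricted; this set is ours.
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
}


def scopes_from_auth_url(url: str) -> set[str]:
    """Return the set of OAuth scopes requested in an authorization URL.

    parse_qs decodes '+' and %XX escapes, so the space-delimited scope
    parameter comes back as one string that we split on whitespace.
    """
    query = parse_qs(urlsplit(url).query)
    return set(query.get("scope", [""])[0].split())


def scope_discrepancy(web_url: str, mobile_url: str) -> dict[str, set[str]]:
    """Compare the scopes one relying party requests on two platforms.

    'mobile_only_sensitive' is the part a privacy reviewer cares about:
    data the mobile build can reach that the web login never asked for.
    """
    web = scopes_from_auth_url(web_url)
    mobile = scopes_from_auth_url(mobile_url)
    return {
        "shared": web & mobile,
        "web_only": web - mobile,
        "mobile_only": mobile - web,
        "mobile_only_sensitive": (mobile - web) & SENSITIVE_SCOPES,
    }


def incremental_auth_url(client_id: str, redirect_uri: str,
                         needed_now: set[str],
                         previously_granted: set[str] = frozenset()) -> str:
    """Build an authorization URL that requests only scopes not yet granted.

    include_granted_scopes=true tells Google to fold scopes the user already
    consented to into the new token, so each feature can ask for its own
    scope at the moment it is needed instead of at first login.
    """
    to_request = sorted(needed_now - set(previously_granted))
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(to_request),
        "include_granted_scopes": "true",
    }
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


if __name__ == "__main__":
    report = scope_discrepancy(WEB_AUTH_URL, ANDROID_AUTH_URL)
    for key, scopes in report.items():
        print(f"{key}: {sorted(scopes)}")
    # A Drive-export feature asking for its scope only when first used.
    print(incremental_auth_url(
        "example-web", "https://example.test/cb",
        {"openid", "email", "https://www.googleapis.com/auth/drive.readonly"},
        {"openid", "email"},
    ))
```

The discrepancy function is deliberately per-relying-party: run it over the web and mobile authorization requests captured for each service, and the share of services with a non-empty `mobile_only` set is the kind of cross-platform figure the abstract reports. The incremental builder shows the other half of the recommendation: the first login requests `openid email` only, and a later feature requests its one extra scope against the scopes already granted.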
RESULTS OVERVIEW
RECOMMENDATIONS
VR/AR apps have the capability to capture a wide range of data beyond what is typically collected by standard applications. This includes not only traditional user data such as location and browsing history but also biometric information, spatial mapping data, and interactions within virtual environments. As such, shoppers, merchants using shopping AR/VR technology, and privacy regulators must be mindful of the unique privacy implications associated with these technologies and take proactive steps to protect users' personal information. We therefore provide the following recommendations.