Komsic, M. (2025). Investigating Data Privacy and Network Communication in IoT Devices and Their Apps: A Cross-Platform Analysis of Android and iOS [Diploma Thesis, Technische Universität Wien]. reposiTUm. https://doi.org/10.34726/hss.2025.124857
Consumer Internet of Things (IoT) devices offer unprecedented convenience by automating and improving everyday tasks, from managing home security systems to optimizing energy usage, making them essential to modern households. Despite these devices’ convenience, they collect and transmit significant amounts of personal data, often without user awareness. We provide the first extensive cross-platform analysis of IoT devices and their companion mobile apps on Android and iOS across different network settings, focusing on the privacy implications for users. We design and implement CapIoT, a semi-automated framework that enables systematic capture and replay of interactions between IoT devices and their companion apps. Using CapIoT, we test ten IoT devices, collecting and analyzing traffic at both the device and app level. Using the collected traffic, we aim to understand how devices and apps communicate in different network scenarios across mobile platforms, what kinds of data are shared, and with whom. Specifically, our analysis covers device and app traffic, endpoint diversity, protocol adoption, reliance on cloud providers, and handling personally identifiable information (PII). We also want to understand the extent of data sharing with third-party trackers and analytics services. Our findings reveal that while none of the devices directly contact these services, most companion apps do, highlighting their significant role in privacy risks. We also examine how network settings and mobile platforms impact communication patterns, noting substantial differences. We underscore the need for greater transparency, robust data protection measures, and strict regulatory enforcement in the IoT ecosystem.
Additional information:
Thesis not yet received by the library - data not verified. Variant title according to the author's translation.