COPPTCHA: COPPA Tracking by Checking Hardware-level Activity

User privacy is an extremely important concern for mobile applications. Recently, the Federal Trade Commission (FTC) has penalized multiple mobile application developers, such as TikTok and BabyBus for violating privacy regulations. Privacy concerns are more critical for children, who do not comprehend the risks associated with transmitting private information like geospatial location. The Children’s Online Privacy Protection Act (COPPA) is an online privacy regulation platform to monitor data usage by mobile applications designed for children. Existing research on detecting whether an application complies with certain privacy regulations is performed either by analyzing the application binary or by dynamic monitoring of network at runtime. However, as explained in related work, both methods have their respective demerits. We propose COPPTCHA, a Hardware performance counter (HPC)-based technique to detect whether a children’s app abides by the COPPA regulations. HPCs are special purpose registers found in all processors that measure system level events. Since the proposed method is hardware-based, it is difficult to undermine it compared to software-based COPPA compliance detection. COPPTCHA has no hardware overhead, since HPC data collection is integral to all industry standard processors. The HPC readings of applications running on a smartphone are classified using machine learning based classifiers to detect COPPA compliance. Our experiments employing a Moto-G4 smartphone shows that COPPTCHA can detect COPPA-violating apps with ≥ 99% accuracy.