Privacy Model: Detect Privacy Leakage for Chinese Browser Extensions

The wide use of browser extensions brings the privacy leakage problem. The previous works detected private data transmission to find privacy leakage in Chrome or Firefox, but the real challenge is to determine whether the transmission is reasonable because the privacy data that existed in transmission does not absolutely mean leaking. To this end, we establish a privacy model for each extension, which contains the sensitive information permitted to be used and servers authorized to communicate with. In order to evaluate the effectiveness of the proposed method, we develop a dynamic browser extension privacy detection framework. It first builds privacy models for extensions and records all network traffic when accessing test pages. Then, the leakage results are presented according to the strict privacy leakage judgment rules. In this paper, the experiments are conducted in a real environment, and our work is verified by 34,095 extensions which are collected from 3 mainstream browsers in China from November 2019 to August 2020. There is a total of 2,983 extensions that exist privacy leakage. We further conduct a comprehensive analysis of the results including calculating the precision, recall, accuracy, and F1 score for each type of leakage, and show the information leaked by different extension categories and the malicious domain name that collecting the users' privacy, as well as the results changing of detection over time.