The TV is Smart and Full of Trackers

In this section, we first present an overview of the Roku platform. Next, we present our app selection method. We then proceed to describe Rokustic—the software tool we wrote for automatically exercising Roku apps. The data resulting from exercising 1044 Roku apps provides insight into what ATS are most prevalent on the Roku platform.

To display ads, apps typically rely on the Roku Advertising Framework which is integrated into the Roku SDK [38]. The framework allows developers to use ad servers of their preference and updates automatically without requiring the developer to rebuild the app. Even though such a framework eliminates the need for third party ATS libraries, the development and usage of such libraries is still possible. For example, the Ooyala IQ SDK [39] provides various analytics services that can be integrated into a Roku app. Thus, although the Roku sandboxes apps, such libraries can help ATS servers learn the viewing habits of users by collecting data from multiple apps. In terms of permissions, Roku only protects microphone access with a permission and does not require any permission to access the advertising ID. Users can choose to reset this ID and opt-out of targeted advertising at any time [38]. However, apps and libraries can easily create other IDs or use fingerprinting techniques to continue tracking users even after opt-out.

To ensure that we test the most relevant apps, we selected the top 50 apps in 30 out of the total 32 categories. We excluded “Themes” and “Screensavers” since these apps do not show up among the regular apps on the Roku device and therefore cannot be operated using our automation software described below. Since statistics for the number of downloads or installs are not provided by Roku, we based our selection on the “star rating count”—which we interpret as the review count—present in the metadata extracted from the RCS. Note that Roku apps can be labeled with multiple categories, meaning some apps contribute to the top 50 of multiple categories. Furthermore, some categories contain fewer than 50 apps, a handful of apps could not be installed due to incompatibility with the Roku Express (Roku offers a range of more capable devices), and about a dozen of apps had to be discarded due to failure during automation. This places the final count of apps in our dataset at 1044.

Setup and Network Traffic capture. We run Rokustic on a Raspberry Pi 3 Model B+ set up to host a standalone network as per the instructions given in [41]. The Pi’s wlan0 interface is configured as a wireless access point with DHCP server and NAT, and the Roku Express is connected to this local wireless network. The Pi’s eth0 interface connects the Pi and the Roku Express to the WAN. This setup enables us to collect all traffic going in and out of the Roku Express by running tcpdump on the Raspberry Pi’s wlan0 interface.

App Exploration. From manual inspection of a few apps (e.g. YouTube and Pluto TV), we found that playable content is often presented in a grid, where each cell is a different video or live TV channel. Generally, the user interface defaults to highlighting one of these cells (e.g., the first recommended video). Pressing “SELECT” on the Roku remote immediately after the app has launched will therefore result in playback of some content. From this insight, we devised a simple algorithm that attempts to cause playback of three different videos for each installed Roku app. Due to lack of space, we only provide an overview below, but we plan to make the tool publicly available. The algorithm utilizes the Roku External Control Protocol (ECP) API [42] to mimic a user’s interaction with each Roku app. The ECP turns the Roku into an HTTP-server with a REST-like API. The API includes an endpoint for each key on the physical Roku remote. This allows us to send virtual key presses to the Roku. We combine this with the ECP endpoint that allows for querying the Roku device for its set of installed apps, as well as the endpoint that launches a specific app, to cycle through and exercise all installed apps.

Putting it all together. For each Roku app, the algorithm first starts a packet capture so as to produce a .pcap file for each Roku app, thereby essentially labeling traffic with the app that caused it. Since Roku does not allow apps to execute in the background (see “Roku Platform” earlier in this section), all traffic captured during execution of a single app will belong to that app and the Roku system. The target app is then launched, and the algorithm pauses, waiting for the app to load. A virtual “SELECT” key press is then sent to start video playback, and the algorithm subsequently pauses for five minutes to let the content play. The app is then relaunched by returning to the Roku’s home screen and then launching the app again. A different video/live TV channel is then selected by sending a sequence of navigational key presses followed by a “SELECT” key press, and the algorithm waits another five minutes for the content to play. We perform two such relaunches, making the total interaction time with each app approximately 16 minutes (due to sleep timers).

In this section, we first briefly describe the Fire TV platform. We then describe Firetastic—our automated methodology for systematically testing and collecting traffic from 1010 Fire TV apps. The dataset reveals properties of ATS for Fire TV devices and its analysis is deferred to Sections 4.3 and 4.4.

On-Device Network Traffic Collection. Since Fire TV is based on Android, we can use existing Android tools to capture network traffic. Although there are various methods for capturing traffic on Android on the smartTV device itself (e.g. androidtcpdump [46]), most of them require a rooted device. While it is possible to root a Fire TV, it may make applications behave differently if they detect root. Thus, to collect measurements that are representative of an average user, we use a VPN-based traffic interception method that does not require rooting the device. Specifically, we used an open-source VPN-based library [43, 44] to intercept all incoming and outgoing network traffic (including decrypting TLS connections) from the Fire TV while labeling each packet with the package name of the application that generated it. In addition, we monitor network traffic from system applications to learn how the device behaves with each different application.

App Exploration. To automatically explore each Fire TV application, we utilize [45], a Python application that sends commands to an Android device via the Android Debug Bridge (ADB) to simulate inputs such as pressing buttons, input text in a search box, or selecting a video to play. It does not require rooting the device and is easily customizable. This tool is ideal for testing Fire TV applications because it treats each application as a tree of possible paths to explore instead of randomly generating events. We configured it to utilize its breadth first search algorithm to explore each application, and ensure various videos and ads would be played. Furthermore, we deduce that developers would minimize the necessary clicks in order to reach the core sections of their applications, especially for playing video content. With some trial and error, we selected the input command interval as three seconds which leaves enough time for applications to handle the command and load the next view during app exploration.

Putting it all together. In summary, Firetastic does the following for each app: (1) it starts the local VPN, (2) explores the app for 15 minutes, (3) stops the local VPN, and (4) extracts the .pcapng files that were generated during testing. We use Firetastic to do testing in parallel with six Fire TV devices. Our test setup is resource-efficient and scalable: we use only one computer to send commands to multiple (6 in our experiments) Fire TV devices, and we are able to collect network traffic data for 1010 apps within a one week period.

1. 1.

   We first tokenize app identifiers and eSLDs. For Fire TV, we tokenize the package names while relying on app and developer names for Roku since its apps do not have package names.

2. 2.

   We then match the app’s tokenized identifier against the tokenized eSLD. In doing so, we ignore common tokens or platform-specific strings like “com”, “firetv”, “roku” “free”, “paid” etc. If the tokens match, we label the eSLD as first party. If the tokens do not match, and if the eSLD is contacted by at least two different apps (from different developers), we label it as third party.

3. 3.

   Finally, we label an eSLD as platform-specific party if it originated from platform activity rather than app activity. For Fire TV, the VPN Tool [43] labels connections with the responsible process. For Roku, we simply check if the eSLD contains the string “roku.”

Roku vs. Android. The key third party ATS players in Roku (Fig. 3(c)) differ substantially from the Android platform: the only overlapping FQDNs are Alphabet’s endpoints such as tpc.googlesyndication.com and subdomains of doubleclick.net. While Alphabet has a strong foothold in both Roku and Android ATS ecosystems, it is less significant for Roku (9 out 20 of the top Roku third party ATS FQDNs are Alphabet-owned, vs. 16 out of 20 for Android). Furthermore, Facebook is a key player in the Android ATS ecosystem (graph.facebook.com is the second most popular ATS domain), but has close to zero ATS presence on the Roku platform; while SpotX (*.spotxchange.com) has a strong presence on Roku but is not among the key players for Android. Similarly, comScore’s tracking service *.scorecardresearch.com is a key player for Roku, but is absent for Android. In contrast to the top ATS for Android, the set of top third party ATS in Roku is more diverse and includes smaller organizations such as Pixalate (adrta.com), Telaria (*.tremorhub.com), Barons Media (ctv.monarchards.com), and The Trade Desk (insight.adsrvr.org).

Fire TV vs. Android. In contrast to Roku, Fire TV is much more similar to Android: we see an overlap of 9 FQDNs, 7 of which are owned by Alphabet. This is to be expected, given that Fire TV is based off of Android, and thus natively supports the ATS services of Android. For example, the Alphabet-owned analytics service Crashlytics, which is supported on Android, iOS and Unity, is widely in use on both Fire TV and Android, but is completely absent on Roku. In contrast to Roku, Facebook (graph.facebook.com) and Verizon (data.flurry.com) both have a strong presence on both Fire TV and Android. Some of the third party ATS observed for Fire TV, which were not present for Android, include comScore (*.scorecardresearch.com), Adobe (dpm.demdex.net), and Amazon (applab-sdk.amazon.com).

Next, we compare the ATS ecosystems of Roku and Fire TV at the app-level by analyzing the traffic generated by the set of apps that appear on both platforms, referred to as common apps. Recall from Table 2 that the datasets collected using Rokustic and Firetastic contain a total of 128 common apps. We identified common apps by fuzzy matching app names since they sometimes vary slightly for each platform (e.g., “TechSmart.tv” on Roku vs. “TechSmart” on Fire TV). We further cross-referenced with the developer’s name to validate that the apps were indeed the same (e.g., both TechSmart apps are created by “Future Today”).

We examine the overlapping and non-overlapping sets of endpoints contacted by the common apps. The 128 common apps contact a total of 1248 different FQDNs. Out of these, 597 FQDNs are exclusively contacted by Roku apps, 496 are exclusively contacted by Fire TV apps, and only 155 FQDNs are contacted by both Roku and Fire TV apps. These numbers already suggest that the two ecosystems differ substantially even for the common apps.

Figure 6 reports overlapping and non-overlapping FQDN for the top-60 common apps (in terms of the number of distinct FQDNs that each app contacts). In general, the set of FQDNs contacted by both the Roku and the Fire TV versions of the same app is much smaller than the set of platform-specific FQDNs. From inspecting the common FQDNs for the apps in Fig. 6, we find that these generally include endpoints that serve content. For example, for Mediterranean Food, the only two common hostnames are subdomains of ifood.tv, which belong to the parent organization behind the app. This makes intuitive sense as the same app presumably offers the same content on both platforms and must therefore access the same servers to download said content. On the other hand, the platform-specific hostnames contain obvious ATS endpoints such as ads.yahoo.com and ads.stickyadstv.com for the Roku version of the app, and aax-us-east.amazon-adsystem.com and mobileanalytics.us-east-1.amazonaws.com for the Fire TV version of the app. In conclusion, our analysis of common apps that are present on both platforms reveals (to our surprise) little overlap in the ATS endpoints they access, which further highlights the distinct nature of the ATS ecosystems of the two platforms.

Note that unlike on-device blocking solutions that are readily available for the desktop and mobile ecosystems [56], it is generally not feasible to install ad/tracker blocking solutions directly on smart TVs. DNS-based blocking solutions such as Pi-hole [8] are typically used to block advertising and tracking traffic from non-traditional devices in a smart home, including smart TVs [57]. To block advertising and tracking traffic, they essentially “blackhole” DNS requests to known advertising and tracking domains. Specifically, they match the domain name in a DNS request against a set of blocklists that are essentially curated hosts files that contain rules for well-known advertising and tracking services. We note that the well-known EasyList [58] contains regular expressions that do fine-grained matching against URLs in HTTP requests. In contrast, the hosts files are limited to coarse-grained matching against domain names in DNS requests. If the domain name is found in one of the blocklists, it is typically mapped to 0.0.0.0 or 127.0.0.1 to prevent outbound traffic to that domain [59].

We applied the aforementioned blocklists to both our in-the-wild and testbed datasets, discussed in the previous sections, and we report the results next.

We first systematically quantify visually observable false positives and false negatives of blocklists by interacting with a sample of apps from our testbed datasets and manually coding for presence of ads and app breakage. We sample 10 Roku apps and 10 Fire TV apps, including the top-4 free apps, three apps that are present on both platforms, and an additional three randomly selected apps. We test each app five times: one time without any blocklist and four times where we individually deploy each of the aforementioned blocklists. During each experiment, we attempt to trigger ads by playing multiple videos and/or live TV channels and fast-forwarding through video content, and we take note of any visually observable functionality breakage (due to false positives) and missed ATS (due to false negatives). We differentiate between minor and major functionality breakage as follows: minor breakage when the app’s main content remains available but the application suffers from minor user interface glitches or occasional freezes; and major breakage when the app’s content becomes completely unavailable or the app fails to launch.

For Roku, PD and TF perform similarly. While TF is the only list that blocks ads in Sony Crackle, both lists miss ads in YouTube and Pluto TV. TF majorly breaks three apps while PD only majorly breaks one app. MoaAB is unable to block ads in four apps and majorly breaks only one app. SATV does not cause any breakage but is unable to block ads in six apps.

For Fire TV, PD again seems to be the most effective at blocking ads while avoiding breakage, but is still unable to block ads in one app (Pluto TV) and majorly breaks two apps. TF is also unable to block ads in Pluto TV, but majorly breaks four apps. MoaAB is unable to block ads in three apps and majorly breaks three apps (one minor). SATV is unable to block ads in four apps and majorly breaks one app (two minor).

In this section, we look at ATS characteristics beyond just the destination domains. In particular, we observe that the more apps that contact a single destination, the more likely it is for that destination to be an ATS. This is intuitive and consistent with a similar observation previously made in the mobile ecosystem [7]. This observation may also aid blocklist curators in identifying candidate block rules.

We first use simple keywords such as “ad”, “ads” and “tracking” to shortlist obvious ATS domains in our datasets. While keyword search is not perfect, this simple approach identified several obvious false negatives, a few of which are shown in Table 5. For example, p.ads.roku.com and adtag.primetime.adobe.com are advertising/tracking related domains which are not blocked by any of the lists. A few domains such as ads.samba.tv are only blocked by the TF block list. Finally, data.ad-score.com is blocked by PD and TF, but not MoaAB and SATV.

We observe that many of these false negatives (i.e., missed ATS domains) are contacted by multiple apps in our testbed datasets. For example, p.ads.roku.com is accessed by more than 100 apps in our Roku testbed dataset. To gain further insight into potential false negatives, we study whether the likelihood of being blocked is impacted by the number of apps that access a particular domain. Figure 7 plots the block rates for the union of the four blocklists as a function of FQDNs’ occurrences across apps in our testbed datasets. We note that the block rate of a domain substantially increases as it starts to appear across multiple apps. For example, a domain’s block rate almost doubles when it is contacted by multiple apps. Domains that are contacted by multiple different apps are therefore more likely to belong to third party ATS libraries included by smart TV apps.

In this section, we consider exposure of personally identifiable information (PII) and we evaluate the effectiveness of blocklists in preventing that. We define “PII exposure” as the transmission of any PII from the smart TV device to any Internet destination. We identify PIIs (such as advertising ID and serial number) through each platform’s settings menus and packaging. Since trackers are known to encode or hash PIIs [62], we compute the MD5 and SHA1 hashes for each of the PII values. We then search for these PIIs in the HTTP headers and URI.

Some PII exposures may be legitimate, in the sense that the user may have given permission to the app to access the PII and the network; or that the PII sent by the app is needed for the functionality of the app. For example, Roku apps may use PII to enable personalized content in the absence of logins. However, third party (ATS) libraries automatically inherit app permissions and may use PII for tracking unrelated to app functionality. For example, in Fire TV, we observed examples where static PIIs (serial number) are sent alongside dynamic ones (advertising ID), which allows re-linking of users to dynamic PIIs (even after they have been reset).

As a first step for distinguishing between “good” or ”bad” PII transmission (which is a problem on its own and out of scope for this paper), we adopt a simple approach similar to [56] that treats data exfiltration to third parties as a higher threat to privacy. We further distinguish between PII sent to first party, third party, and platform services, as defined in Sec. 4.3. PII sent to first parties are generally warranted as they have functional purposes such as personalization of content (e.g., keep track of where the user paused a video or serve content specific to the user’s region). On the other hand, PII sent to third parties do not typically have a functional purpose. This extends to cases where the app retrieves its content through a third party CDN as the personalization could be achieved by first sending the PII to the first party server which could then respond to the app with the CDN URL for the content to be retrieved.

Table 6 reports the number of PII exposures found in our Roku and Fire TV testbed datasets. Recall from Section 4 that we can analyze HTTP information even for encrypted flows in Fire TV, but can only analyze unencrypted flows in Roku. Thus, we are able to observe more PII exposures for Fire TV than Roku, which results in higher numbers on the right than on the left side of Table 6.

For Roku, we observe that the device’s serial number is often exposed to first and third parties. When sent to first parties, this identifier can enable personalization as many Roku apps do not require login. The blocklists seem to capture this functional purpose well: the block rates for serial number are very low (8%), when it is sent to first parties, and much higher (73%) when it is sent to third parties. There are very few exposures of serial number to the platform, none of which is captured by the blocklists. Upon closer inspection, we found that these platform exposures originate from the flickr app (developed by Roku) and go to rokucom-link.appspot.com. They seem to link the Roku device with the flickr service for analytics purposes as the URI path “/getRegResult?…” encodes the PII alongside Roku as a partner and flickr as the service.

In contrast, for Fire TV, blocklists are unable to block third party exposures of more prevalent PIIs such as serial number (only 2.6% blocked) and device ID (35%) while performing well for advertising ID (81%). While exposure of serial number or device ID may be utilized for software updates, we discover that they are multipurpose, as the vast majority of these exposures to Amazon-owned endpoints go to aviary.amazon.com with a URI path of “/GetAds”. Furthermore, these two hardwired identifiers are often sent alongside the advertising ID, which allows third parties to associate an old advertising ID (users can reset their advertising ID) to the new value by joining on serial number and device ID.

Leveraging Missed PII Exposures to Improve Blocklists. The unblocked PII exposures indicate another direction for improving blocklist curation for smart TVs. By deploying tools such as Rokustic and Firetastic and searching the network traces for PIIs, blocklist curators can generate candidate rules that can then be examined manually. Using this approach, we identified 38 domains in the Roku dataset and 30 in the Fire TV dataset that receive PII, but were not blocked by any list. These numbers are conservative as we exclude location and account name that are likely to be used for legitimate purposes, such as logging in or serving location-based content. These domains include obvious ATS such as ads.aimitv.com and ads.ewscloud.com. Another noteworthy mention is hotlist.samba.tv: Samba TV uses Automatic Content Recognition to provide content suggestions on smart TVs, but this comes at the cost of targeted advertising that even propagates onto other devices in the home network [63].