Analyzing Mobile App Privacy Using Computation and Crowdsourcing

Amini, Shahriyar

01 May 2014

Mobile apps can make use of the rich data and sensors available on smartphones to offer compelling services. However, the use of sensitive resources by apps is not always justified, which has led to new kinds of privacy risks and challenges. While it is possible for app market owners and third-parties to analyze the privacy-related behaviors of apps, present approaches are difficult and tedious. I present two iterations of the design, implementation, and evaluation of a system, Gort, which enables more efficient app analysis, by reducing the burden of instrumenting apps, making it easier to find potential privacy problems, and presenting sensitive behavior in context. Gort interacts with apps while instrumenting them to detect sensitive information transmissions. It then presents this information along with the associated app context to a crowd of users to obtain their expectations and comfort regarding the privacy implications of using the app. Gort also runs a set of heuristics on the app to flag potential privacy problems. Finally, Gort synthesizes the information obtained through its analysis and presents it in an interactive GUI, built specifically for privacy analysts. This work offers three distinct new advances over the state of the art. First, Gort uses a set of heuristics, elicited through interviews with 12 experts, to identify potential app privacy problems. Gort heuristics present high-level privacy problems instead of the overwhelming amount of information offered through existing tools. Second, Gort automatically interacts with apps by discovering and interacting with UI elements while instrumenting app behavior. This eliminates the need for analysts to manually interact with apps or to script interactions. Third, Gort uses crowdsourcing in a novel way to determine whether app privacy leaks are legitimate and desirable and raises red flags about potentially suspicious app behavior. While existing tools can detect privacy leaks, they cannot determine whether the privacy leaks are beneficial or desirable to the user. Gort was evaluated through two separate user studies. The experiences from building Gort and the insights from the user studies guide the creation of future systems, especially systems intended for the inspection and analysis of software.

mobile privacy

mobile security

app privacy

privacy analysis

crowdsourcing

Android

Efficient techniques for secure multiparty computation on mobile devices

Carter, Henry Lee

07 January 2016

Smartphones are rapidly becoming a widespread computation platform, with many users relying on their mobile devices as their primary computing device. This popularity has brought about a plethora of mobile applications and services which are designed to efficiently make these limited devices a viable source of entertainment and productivity. This is commonly accomplished by moving the critical application computation to a Cloud or application server managed by the application developer. Unfortunately, the significant number of breaches experienced by mobile application infrastructure and the accompanying loss of private user data indicates the need for stronger security and privacy guarantees before this model of computation can become ubiquitous. The cryptographic community has developed the field of secure multiparty computation (SMC) to allow applications to perform computation over encrypted data. Such a protocol would allow mobile users to keep their private information encrypted while still enjoying the convenience of their Cloud based applications. However, while SMC protocols have seen significant advances in efficiency on desktop and server class machines, they currently require more computation power and memory than is available on commodity smartphones. Furthermore, even as smartphone computational power increases, the mobile-specific limitations of network bandwidth and power usage will always stand as barriers to efficiently executing SMC protocols. This dissertation develops techniques for outsourcing the costly operations in garbled circuit SMC protocols to an untrusted Cloud to allow resource-constrained devices to use this cryptographic primitive. By providing the mobile device with a third party Cloud provider, we show that it is possible for a mobile device to execute a garbled circuit with an application server at approximately the same efficiency as the same computation run between two server class machines. We first show two protocols for outsourcing the garbled circuit evaluation and generation. We develop a novel outsourced oblivious transfer (OOT) protocol to make this type of outsourcing possible. Second, we develop a black box technique for outsourcing any two-party SMC protocol, and show that the overhead incurred by outsourcing is minimal. Finally, we develop a protocol for outsourcing SMC that pro- vides both input privacy and circuit privacy, preventing the assisting Cloud from learning anything about the computation besides the fact that it took place. Through the protocols and the empirical evaluations in this dissertation, we show that executing SMC protocols on mobile devices can be done with comparable efficiency to the desktop platform, and provide techniques to allow for such computation using the latest developments in secure computation.

Server-assisted cryptography

Garbled circuits

Cloud computing

Secure multiparty computation

Mobile privacy

Multi-dimensional-personalization in mobile contexts

Schilke, Steffen Walter

January 2013

During the dot com era the word 'personalisation' was a hot buzzword. With the fall of the dot com companies the topic has lost momentum. As the killer application for UMTS or the mobile internet has yet to be identified, the concept of Multi-Dimensional-Personalisation (MDP) could be a candidate. Using this approach, a recommendation of mobile advertisement or marketing (i.e., recommendations or notifications), online content, as well as offline events, can be offered to the user based on their known interests and current location. Instead of having to request or pull this information, the new service concept would proactively provide the information and services – with the consequence that the right information or service could therefore be offered at the right place, at the right time. The growing availability of "Location-based Services“ for mobile phones is a new target for the use of personalisation. "Location-based Services“ are information, for example, about restaurants, hotels or shopping malls with offers which are in close range/short distance to the user. The lack of acceptance for such services in the past is based on the fact that early implementations required the user to pull the information from the service provider. A more promising approach is to actively push information to the user. This information must be from interest to the user and has to reach the user at the right time and at the right place. This raises new requirements on personalisation which will go far beyond present requirements. It will reach out from personalisation based only on the interest of the user. Besides the interest, the enhanced personalisation has to cover the location and movement patterns, the usage and the past, present and future schedule of the user. This new personalisation paradigm has to protect the user's privacy so that an approach supporting anonymous recommendations through an extended 'Chinese Wall' will be described.

004.67

Mobile privacy and apps: investigating behavior and attitude

Havelka, Stefanie

31 August 2020

Diese Dissertation untersucht das Nutzerverhalten und die Einstellungen von Smartphone- und App-BenutzerInnen und welche Rolle die Kultur in Bezug auf mobile Privatsphäre spielt. Die zentrale Forschungsfrage lautet: Gibt es Unterschiede im Verhalten und in der Einstellung von amerikanischen und deutschen Studenten der Bibliotheks- und Informationswissenschaften in Bezug auf die mobile Privatsphäre? Im Mittelpunkt dieser Dissertation steht die ethnographische Forschung in einem interkulturellen Umfeld. Das Forschungsdesign besteht aus halb-strukturierten Interviews, gekoppelt mit Experimenten und Beobachtungen der Teilnehmer über die Nutzung mobiler Technologien. Die Feldforschung 1 wurde (in persona) an zwei verschiedenen Orten durchgeführt: an der Humboldt-Universität zu Berlin, Deutschland, und an der Rutgers State University of New Jersey, USA. Die Feldforschung 2 wurde (digital) über eine Online-Videokonferenzplattform durchgeführt. Im Gegensatz dazu, was die Autorin dieser vorliegenden Studie prognostizierte, kommt es zu folgenden Ergebnissen in dieser Studie: Bei den Probanden können fast keine kulturellen Unterschiede im Verhalten und in der Einstellung zur mobilen Privatsphäre festgestellt werden. Stattdessen werden in Bezug auf die mobile Privatsphäre ähnliche Einstellungen unter den Studienteilnehmenden festgestellt. Zum einen die Selbstzufriedenheit, zum anderen das Gefühl der Hilfslosigkeit und schließlich Pragmatismus scheinen, deutsche und amerikanische Studierende gleichermaßen zu beeinflussen. Das Ergebnis wurde aber ursprünglich nicht so erwartet, da eigentlich zu Beginn der Studie davon ausgegangen wurde, dass der unterschiedliche Kenntnis- und Bewusstseinsstand zur mobilen Privatsphäre in beiden Kulturen zu unterschiedlichen Reaktionen führen würde. Dennoch bieten die Ergebnisse dieser Studie sicher nachfolgenden WissenschaftlerInnen interessante Impulse und eine gute Ausgangsbasis für weitere Studien. / This dissertation examines the role of culture, mobile privacy, apps, and user behavior and attitude. The core research question is: Are there differences in the mobile privacy behaviors and attitudes of American and German library and information science students? This dissertation uses ethnography as its research methodology since culture is at the heart of ethnography. Furthermore, ethnographers try to make sense of behavior, customs, and attitudes of the culture they observe and research. This ethnographer aims to portray a thick narrative and transforms participants' mobile privacy attitude and behavior into a rich account. The research design is comprised of semi-structured interviews, coupled with experiments and participant observations about mobile technology use. Fieldwork 1 was conducted in two different sites: Humboldt-Universität zu Berlin, Germany, and Rutgers, the State University of New Jersey, USA. Fieldwork 2 was conducted via an online video conferencing platform. Contrary to what this researcher predicted, the findings have revealed that there are nearly no cultural differences in mobile privacy behavior and attitude. Similar attitudes, such as mobile privacy complacency, mobile privacy learned-helplessness, and mobile privacy pragmatism, seem to impact German and American students equally. The findings provide support for further research recommendations, and in conclusion, this researcher highlights three contributions this study makes to the scholarly literature.

Verhalten

Mobile Privatsphäre

Einstellung

Apps

Bibliothekswissenschaft

Informationswissenschaft

angelernte Hilflosigkeit

Selbstzufriedenheit

Pragmatismus

mobile privacy

behavior

attitude

apps

library science

information science

mobile privacy learned helplessness

mobile privacy complacency

mobile privacy pragmatism

AN 77500

ddc:020

ddc:028

ddc:000