ABSTRACT
In this paper we present the design and implementation of ProtectMyPrivacy (PMP), a system for iOS devices to detect access to private data and protect users by substituting anonymized data in its place if users decide. We developed a novel crowdsourced recommendation engine driven by users who contribute their protection decisions, which provides app specific privacy recommendations. PMP has been in use for over nine months by 90,621 real users, and we present a detailed evaluation based on the data we collected for 225,685 unique apps. We show that access to the device identifer (48.4% of apps), location (13.2% of apps), address book (6.2% of apps) and music library (1.6% of apps) is indeed widespread in iOS. We show that based on the protection decisions contributed by our users we can recommend protection settings for over 97.1% of the 10,000 most popular apps. We show the effectiveness of our recommendation engine with users accepting 67.1% of all recommendations provide to them, thereby helping them make informed privacy choices. Finally, we show that as few as 1% of our users, classified as experts, make enough decisions to drive our crowdsourced privacy recommendation engine.
- D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. A Methodology for Empirical Analysis of Permission-based Security Models and its Application to Android. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), pages 73--84. ACM, 2010. Google ScholarDigital Library
- M. Bellare, T. Ristenpart, P. Rogaway, and T. Stegers. Format-preserving Encryption. In Selected Areas in Cryptography, pages 295--312. Springer, 2009. Google ScholarDigital Library
- A.R. Beresford, A. Rice, N. Skehin, and R.Sohan. MockDroid: Trading Privacy for Application Functionality on Smartphones. In Proceedings of the 12th Workshop on Mobile Computing Systems and Applications (HotMobile), 2011. Google ScholarDigital Library
- M. Bohmer, B. Hecht, J. Schoning, A. Kruger, and G. Gernot Bauer. Falling Asleep with Angry Birds, Facebook and Kindle: A Large Scale Study on Mobile Application Usage. In Proceedings of the International Conference on Human Computer Interaction with Mobile Devices and Services (MobileHCI), 2011. Google ScholarDigital Library
- A. Chaudhuri. Language-based Security on Android. In Proceedings of the ACM SIGPLAN fourth workshop on Programming Languages and Analysis for Security (PLAS), pages 1--7. ACM, 2009. Google ScholarDigital Library
- M. Egele, C. Kruegely, E. Kirdaz, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Proceedings of the Network and Distributed System Security Symposium(NDSS), 2011.Google Scholar
- W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, McDaniel, and A. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX conference on Operating Systems Design and Implementation (OSDI), 2010. Google ScholarDigital Library
- W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, 2011. Google ScholarDigital Library
- W. Enck, M. Ongtang, and P. McDaniel. On Lightweight Mobile Phone Application Certification. In Proceedings of the 16th ACM conference on Computer and Communications Security (CCS), 2009. Google ScholarDigital Library
- A. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627--638. ACM, 2011. Google ScholarDigital Library
- A. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension, and Behavior. Technical report, University of California, Berkeley, 2012.Google Scholar
- J. Freeman. Mobile Substrate. http://iphonedevwiki.net/index.php/MobileSubstrate.Google Scholar
- A. P. Fuchs, A. Chaudhuri, and J. S. Foster. SCanDroid: Automated security certification of Android applications. Manuscript, Univ. of Maryland, http://www.cs.umd.edu/~avik/projects/scandroidascaa, 2009.Google Scholar
- P. Hornyack, S. Han, J. Jung,S . Schechter, and D. Wetherall. These Aren't the Droids you're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the 18th ACM conference on Computer and Communications Security (CCS), pages 639--652. ACM, 2011. Google ScholarDigital Library
- Ian Shapira, The Washington Post. Once the Hobby of Tech Geeks, iPhone Jailbreaking now a Lucrative Industry, 2011.Google Scholar
- J. Jeon, K. Micinski, J. Vaughan, N. Reddy, Y. Zhu, J. Foster, and T. Millstein. Dr. Android and Mr. Hide: Fine-grained Security Policies on Unmodified Android. Technical report, University of Maryland, 2011.Google Scholar
- J. Lin, S. Amini, J. Hong, N. Sadeh, J. Lindqvist, and J. Zhang. Expectation and Purpose: Understanding Users Mental Models of Mobile App Privacy Through Crowdsourcing. In Proceedings of the 14th ACM International Conference on Ubiquitous Computing (Ubicomp), 2012. Google ScholarDigital Library
- W. Mackay. Patterns of Sharing Customizable Software. In Proceedings of the 1990 ACM conference on Computer-supported cooperative work, pages 209--221. ACM, 1990. Google ScholarDigital Library
- MobiStealth. http://www.mobistealth.com/.Google Scholar
- M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (CCS), pages 328--332. ACM, 2010. Google ScholarDigital Library
- Protect My Privacy (PmP). iOS Privacy App. http://www.protectmyprivacy.org.Google Scholar
- N. Seriot. iPhone Privacy. In Black Hat DC, 2010.Google Scholar
- E. Smith. iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs). Technical report, Technical Report, 2010.Google Scholar
- The Next Web. Popular Jailbreak Software Cydia hits 14m Monthly Users on iOS 6, 23m on All Devices, March 2013.Google Scholar
- S. Thurm and Y. Kane. The Journal's Cellphone Testing Methodology. The Wall Street Journal, 2010.Google Scholar
- S. Thurm and Y. Kane. Your Apps Are Watching You. The Wall Street Journal, 2010.Google Scholar
- N. Y. Times. Mobile Apps Take Data Without Permission. http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/.Google Scholar
- M. T. Vennon. Android Malware: Spyware in the Android Market. Technical report, SMobile Systems, 2010.Google Scholar
- T. Vennon. Android Malware. A Study of Known and Potential Malware Threats. Technical report, SMobile Global Threat Center, 2010.Google Scholar
- XEUDOXUS. Privacy Blocker and Inspector. http://privacytools.xeudoxus.com/.Google Scholar
- Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming Information-Stealing Smartphone Applications (on Android). Trust and Trustworthy Computing (TRUST), pages 93--107, 2011. Google ScholarDigital Library
Index Terms
- ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing
Recommendations
Privacy Capsules: Preventing Information Leaks by Mobile Apps
MobiSys '16: Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and ServicesPreventing the leakage of user information via untrusted third-party apps is a key challenge in mobile privacy. We propose and evaluate privacy capsules (PCs), a platform execution model for mobile apps that prevents the flow of private information to ...
An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide WebWith the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
App store mining is not enough for app improvement
The rise in popularity of mobile devices has led to a parallel growth in the size of the app store market, intriguing several research studies and commercial platforms on mining app stores. App store reviews are used to analyze different aspects of app ...
Comments