research-article

ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing

Authors:
Yuvraj Agarwal

UC San Diego, La Jolla, CA, USA

UC San Diego, La Jolla, CA, USA
View Profile

,
Malcolm Hall

UC San Diego, La Jolla, CA, USA

UC San Diego, La Jolla, CA, USA
View Profile

MobiSys '13: Proceeding of the 11th annual international conference on Mobile systems, applications, and servicesJune 2013Pages 97–110https://doi.org/10.1145/2462456.2464460

Published:25 June 2013Publication History

MobiSys '13: Proceeding of the 11th annual international conference on Mobile systems, applications, and services

Pages 97–110

ABSTRACT

In this paper we present the design and implementation of ProtectMyPrivacy (PMP), a system for iOS devices to detect access to private data and protect users by substituting anonymized data in its place if users decide. We developed a novel crowdsourced recommendation engine driven by users who contribute their protection decisions, which provides app specific privacy recommendations. PMP has been in use for over nine months by 90,621 real users, and we present a detailed evaluation based on the data we collected for 225,685 unique apps. We show that access to the device identifer (48.4% of apps), location (13.2% of apps), address book (6.2% of apps) and music library (1.6% of apps) is indeed widespread in iOS. We show that based on the protection decisions contributed by our users we can recommend protection settings for over 97.1% of the 10,000 most popular apps. We show the effectiveness of our recommendation engine with users accepting 67.1% of all recommendations provide to them, thereby helping them make informed privacy choices. Finally, we show that as few as 1% of our users, classified as experts, make enough decisions to drive our crowdsourced privacy recommendation engine.

References

D. Barrera, H. Kayacik, P. van Oorschot, and A. Somayaji. A Methodology for Empirical Analysis of Permission-based Security Models and its Application to Android. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS), pages 73--84. ACM, 2010. Google ScholarDigital Library
M. Bellare, T. Ristenpart, P. Rogaway, and T. Stegers. Format-preserving Encryption. In Selected Areas in Cryptography, pages 295--312. Springer, 2009. Google ScholarDigital Library
A.R. Beresford, A. Rice, N. Skehin, and R.Sohan. MockDroid: Trading Privacy for Application Functionality on Smartphones. In Proceedings of the 12th Workshop on Mobile Computing Systems and Applications (HotMobile), 2011. Google ScholarDigital Library
M. Bohmer, B. Hecht, J. Schoning, A. Kruger, and G. Gernot Bauer. Falling Asleep with Angry Birds, Facebook and Kindle: A Large Scale Study on Mobile Application Usage. In Proceedings of the International Conference on Human Computer Interaction with Mobile Devices and Services (MobileHCI), 2011. Google ScholarDigital Library
A. Chaudhuri. Language-based Security on Android. In Proceedings of the ACM SIGPLAN fourth workshop on Programming Languages and Analysis for Security (PLAS), pages 1--7. ACM, 2009. Google ScholarDigital Library
M. Egele, C. Kruegely, E. Kirdaz, and G. Vigna. PiOS: Detecting Privacy Leaks in iOS Applications. In Proceedings of the Network and Distributed System Security Symposium(NDSS), 2011.Google Scholar
W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, McDaniel, and A. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX conference on Operating Systems Design and Implementation (OSDI), 2010. Google ScholarDigital Library
W. Enck, D. Octeau, P. McDaniel, and S. Chaudhuri. A Study of Android Application Security. In Proceedings of the 20th USENIX Security Symposium, 2011. Google ScholarDigital Library
W. Enck, M. Ongtang, and P. McDaniel. On Lightweight Mobile Phone Application Certification. In Proceedings of the 16th ACM conference on Computer and Communications Security (CCS), 2009. Google ScholarDigital Library
A. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Android Permissions Demystified. In Proceedings of the 18th ACM conference on Computer and communications security, pages 627--638. ACM, 2011. Google ScholarDigital Library
A. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Android Permissions: User Attention, Comprehension, and Behavior. Technical report, University of California, Berkeley, 2012.Google Scholar
J. Freeman. Mobile Substrate. http://iphonedevwiki.net/index.php/MobileSubstrate.Google Scholar
A. P. Fuchs, A. Chaudhuri, and J. S. Foster. SCanDroid: Automated security certification of Android applications. Manuscript, Univ. of Maryland, http://www.cs.umd.edu/~avik/projects/scandroidascaa, 2009.Google Scholar
P. Hornyack, S. Han, J. Jung,S . Schechter, and D. Wetherall. These Aren't the Droids you're Looking For: Retrofitting Android to Protect Data from Imperious Applications. In Proceedings of the 18th ACM conference on Computer and Communications Security (CCS), pages 639--652. ACM, 2011. Google ScholarDigital Library
Ian Shapira, The Washington Post. Once the Hobby of Tech Geeks, iPhone Jailbreaking now a Lucrative Industry, 2011.Google Scholar
J. Jeon, K. Micinski, J. Vaughan, N. Reddy, Y. Zhu, J. Foster, and T. Millstein. Dr. Android and Mr. Hide: Fine-grained Security Policies on Unmodified Android. Technical report, University of Maryland, 2011.Google Scholar
J. Lin, S. Amini, J. Hong, N. Sadeh, J. Lindqvist, and J. Zhang. Expectation and Purpose: Understanding Users Mental Models of Mobile App Privacy Through Crowdsourcing. In Proceedings of the 14th ACM International Conference on Ubiquitous Computing (Ubicomp), 2012. Google ScholarDigital Library
W. Mackay. Patterns of Sharing Customizable Software. In Proceedings of the 1990 ACM conference on Computer-supported cooperative work, pages 209--221. ACM, 1990. Google ScholarDigital Library
MobiStealth. http://www.mobistealth.com/.Google Scholar
M. Nauman, S. Khan, and X. Zhang. Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (CCS), pages 328--332. ACM, 2010. Google ScholarDigital Library
Protect My Privacy (PmP). iOS Privacy App. http://www.protectmyprivacy.org.Google Scholar
N. Seriot. iPhone Privacy. In Black Hat DC, 2010.Google Scholar
E. Smith. iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs). Technical report, Technical Report, 2010.Google Scholar
The Next Web. Popular Jailbreak Software Cydia hits 14m Monthly Users on iOS 6, 23m on All Devices, March 2013.Google Scholar
S. Thurm and Y. Kane. The Journal's Cellphone Testing Methodology. The Wall Street Journal, 2010.Google Scholar
S. Thurm and Y. Kane. Your Apps Are Watching You. The Wall Street Journal, 2010.Google Scholar
N. Y. Times. Mobile Apps Take Data Without Permission. http://bits.blogs.nytimes.com/2012/02/15/google-and-mobile-apps-take-data-books-without-permission/.Google Scholar
M. T. Vennon. Android Malware: Spyware in the Android Market. Technical report, SMobile Systems, 2010.Google Scholar
T. Vennon. Android Malware. A Study of Known and Potential Malware Threats. Technical report, SMobile Global Threat Center, 2010.Google Scholar
XEUDOXUS. Privacy Blocker and Inspector. http://privacytools.xeudoxus.com/.Google Scholar
Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taming Information-Stealing Smartphone Applications (on Android). Trust and Trustworthy Computing (TRUST), pages 93--107, 2011. Google ScholarDigital Library

Index Terms

ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing

Recommendations

Privacy Capsules: Preventing Information Leaks by Mobile Apps
MobiSys '16: Proceedings of the 14th Annual International Conference on Mobile Systems, Applications, and Services

Preventing the leakage of user information via untrusted third-party apps is a key challenge in mobile privacy. We propose and evaluate privacy capsules (PCs), a platform execution model for mobile apps that prevents the flow of private information to ...
Read More
An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective
WWW '17: Proceedings of the 26th International Conference on World Wide Web

With the prevalence of smartphones, app markets such as Apple App Store and Google Play has become the center stage in the mobile app ecosystem, with millions of apps developed by tens of thousands of app developers in each major market. This paper ...
Read More
App store mining is not enough for app improvement

The rise in popularity of mobile devices has led to a parallel growth in the size of the app store market, intriguing several research studies and commercial platforms on mining app stores. App store reviews are used to analyze different aspects of app ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
MobiSys '13: Proceeding of the 11th annual international conference on Mobile systems, applications, and services
June 2013
568 pages
ISBN:9781450316729
DOI:10.1145/2462456
General Chairs:
Hao-Hua Chu
National Taiwan University
,
Polly Huang
National Taiwan University
,
Program Chairs:
Romit Roy Choudhury
Duke University
,
Feng Zhao
Microsoft Research
Copyright © 2013 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 25 June 2013
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
Apple iOS
crowdsourcing
mobile apps
privacy
recommendations
Qualifiers
- research-article
Conference

Acceptance Rates
MobiSys '13 Paper Acceptance Rate33of211submissions,16%Overall Acceptance Rate274of1,679submissions,16%
More
Upcoming Conference
MOBISYS '24

Sponsor:

sigmobile

The 22nd Annual International Conference on Mobile Systems, Applications and Services

June 3 - 7, 2024

Minato-ku, Tokyo , Japan
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 132
  Total Citations
  View Citations
- 1,294
  Total Downloads
- Downloads (Last 12 months)61
- Downloads (Last 6 weeks)10
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing

MobiSys '13: Proceeding of the 11th annual international conference on Mobile systems, applications, and services

ABSTRACT

References

Cited By

Index Terms

Recommendations

Privacy Capsules: Preventing Information Leaks by Mobile Apps

An Explorative Study of the Mobile App Ecosystem from App Developers' Perspective

App store mining is not enough for app improvement