Abstract
Mobile application (app) developers are often ill-equipped to understand the privacy implications of their products and services, especially given the common practice of using third-party libraries to provide critical functionality. To add to the complexity, most mobile applications interact with the “cloud”: not only the platform provider’s ecosystem (such as Apple or Google) but also third-party servers (as a consequence of library use). This leaves a hazy view of the privacy impact of a particular app. We therefore take a significant step to address this challenge and propose a testbed with the ability to systematically evaluate and understand the privacy behavior of client-server applications in a network environment across a large number of hosts. We reflect on our experiences of successfully deploying two mass-market applications on the initial versions of our proposed testbed. Standardization across cloud implementations and exposed endpoints of closed-source binaries are key for transparent evaluation of privacy features.
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Gardiner, J., Das Chowdhury, P., Halsey, J., Tahaei, M., Elahi, T., Rashid, A. (2022). Building a Privacy Testbed: Use Cases and Design Considerations. In: Katsikas, S., et al. Computer Security. ESORICS 2021 International Workshops. ESORICS 2021. Lecture Notes in Computer Science(), vol 13106. Springer, Cham. https://doi.org/10.1007/978-3-030-95484-0_12
DOI: https://doi.org/10.1007/978-3-030-95484-0_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-95483-3
Online ISBN: 978-3-030-95484-0
eBook Packages: Computer Science (R0)