A Multilateral Privacy Impact Analysis Method for Android Apps

  • Majid Hatamian
  • Nurul Momen
  • Lothar Fritsch
  • Kai Rannenberg
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11498)

Abstract

Smartphone apps have the power to monitor most of people’s private lives. Apps can permeate private spaces, access and map social relationships, monitor whereabouts and chart people’s activities in the digital and/or real world. We are therefore interested in how much information a particular app can and intends to retrieve from a smartphone. The privacy-friendliness of smartphone apps is typically measured using single-source analyses, which do not provide a comprehensive measurement of the actual privacy risks of apps. This paper presents a multi-source method for privacy analysis and data extraction transparency of Android apps. We describe how we generate several data sets derived from privacy policies, app manifestos, user reviews and actual app profiling at run time. To evaluate our method, we present results from a case study carried out on ten popular fitness and exercise apps. Our results revealed interesting differences concerning the potential privacy impact of apps, with some of the apps in the test set violating critical privacy principles. The result of the case study shows large differences that can help make relevant app choices.

Keywords

Smartphone apps, Case study, Security, Privacy, Android, Privacy policy, Reviews, Privacy impact, Privacy score and ranking, Privacy risk, Transparency

Notes

Acknowledgments

This research is partially supported by the ALerT project, Research Council of Norway, IKTPLUSS 2017–2021 and by the European Union Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 675730 Privacy&Us.

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Majid Hatamian (1)
  • Nurul Momen (2)
  • Lothar Fritsch (2)
  • Kai Rannenberg (1)

  1. Chair of Mobile Business & Multilateral Security, Goethe University Frankfurt, Frankfurt, Germany
  2. Department of Mathematics and Computer Science, Karlstad University, Karlstad, Sweden
