Skip to main content

A Multilateral Privacy Impact Analysis Method for Android Apps

  • Conference paper
  • First Online:
Privacy Technologies and Policy (APF 2019)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 11498))

Included in the following conference series:

Abstract

Smartphone apps have the power to monitor most of people’s private lives. Apps can permeate private spaces, access and map social relationships, monitor whereabouts and chart people’s activities in digital and/or real world. We are therefore interested in how much information a particular app can and intends to retrieve in a smartphone. Privacy-friendliness of smartphone apps is typically measured based on single-source analyses, which in turn, does not provide a comprehensive measurement regarding the actual privacy risks of apps. This paper presents a multi-source method for privacy analysis and data extraction transparency of Android apps. We describe how we generate several data sets derived from privacy policies, app manifestos, user reviews and actual app profiling at run time. To evaluate our method, we present results from a case study carried out on ten popular fitness and exercise apps. Our results revealed interesting differences concerning the potential privacy impact of apps, with some of the apps in the test set violating critical privacy principles. The result of the case study shows large differences that can help make relevant app choices.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    Full discretionary power (Merriam-Webster dictionary), Retrieved on November 22, 2018.

  2. 2.

    https://developer.android.com/guide/topics/permissions/overview; [Accessed: 2018-11-27].

  3. 3.

    https://android.googlesource.com/platform/frameworks/base/+/android-6.0.1_r25/cmds/appops/src/com/android/commands/appops/AppOpsCommand.java; Accessed: 2018-10-23.

References

  1. Google play scraper. https://github.com/facundoolano/google-play-scraper/

  2. Eu general data protection regulation (2016). https://eur-lex.europa.eu/legal-content/en/txt/html/?uri=celex:32016r0679. Accessed 8 Aug 2018

  3. Facebook data privacy scandal: A cheat sheet (2018). https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/. Accessed 11 Jan 2019

  4. Fitness app strava lights up staff at military bases (2018). https://www.bbc.com/news/technology-42853072. Accessed 01 Feb 2019

  5. Almuhimedi, H., et al.: Your location has been shared 5,398 times!: a field study on mobile app privacy nudging. In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 787–796. ACM (2015)

    Google Scholar 

  6. Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: the Proceedings of the the 9th ACM USENIX Conference on Operating Systems Design and Implementation, Vancouver, BC, Canada, pp. 393–407 (2010)

    Google Scholar 

  7. Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: the Proceedings of the the 20th USENIX Conference on Security, San Francisco, CA, USA, p. 21 (2011)

    Google Scholar 

  8. Enck, W., Ongtang, M., Mcdaniel, P.: On lightweight mobile phone application certification. In: the Proceedings of the the 16th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, pp. 235–245 (2009)

    Google Scholar 

  9. EU Regulation: 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off J Eur Union p. L119 (2016)

    Google Scholar 

  10. Felt, A.P., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: A survey of smartphone users’ concerns. In: the Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, New York, NY, USA, pp. 33–44 (2012)

    Google Scholar 

  11. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: the Proceedings of the 8th ACM Symposium on Usable Privacy and Security, SOUPS 2012, New York, NY, USA, pp. 1–3 (2012)

    Google Scholar 

  12. Franzen, D., Aspinall, D.: PhoneWrap-Injecting the “How Often” into Mobile Apps. In: Proceedings of the 1st International Workshop on Innovations in Mobile Privacy and Security co-located with the International Symposium on Engineering Secure Software and Systems (ESSoS 2016), pp. 11–19. CEUR-WS.org (2016)

    Google Scholar 

  13. Fritsch, L., Abie, H., Regnesentral, N.: Towards a research road map for the management of privacy risks in information systems. In: Gesellschaft für Informatik eV (GI) publishes this series in order to make available to a broad public recent findings in informatics (ie computer science and informa-tion systems), to document conferences that are organized in co-operation with GI and to publish the annual GI Award dissertation, p. 1 (2008)

    Google Scholar 

  14. Gleicher, M., Albers, D., Walker, R., Jusufi, I., Hansen, C.D., Roberts, J.C.: Visual comparison for information visualization. Inf. Vis. 10(4), 289–309 (2011)

    Article  Google Scholar 

  15. Habib, S.M., Alexopoulos, N., Islam, M.M., Heider, J., Marsh, S., Müehlhäeuser, M.: Trust4App: automating trustworthiness assessment of mobile applications. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 124–135. IEEE (2018)

    Google Scholar 

  16. Hatamian, M., Serna-Olvera, J.: Beacon alarming: informed decision-making supporter and privacy risk analyser in smartphone applications. In: To be Appeared in the Proceedings of the 35th IEEE International Conference on Consumer Electronics (ICCE), USA (2017)

    Google Scholar 

  17. Hatamian, M., Kitkowska, A., Korunovska, J., Kirrane, S.: “It’s shocking!”: analysing the impact and reactions to the A3: android apps behaviour analyser. In: Kerschbaum, F., Paraboschi, S. (eds.) Data and Applications Security and Privacy XXXII, pp. 198–215. Springer International Publishing, Cham (2018)

    Chapter  Google Scholar 

  18. Hatamian, M., Serna, J., Rannenberg, K.: Revealing the unrevealed: mining smartphone users privacy perception on app markets. Comput. Secur. (2019). https://doi.org/10.1016/j.cose.2019.02.010, http://www.sciencedirect.com/science/article/pii/S0167404818313051

    Article  Google Scholar 

  19. Hatamian, M., Serna, J., Rannenberg, K., Igler, B.: Fair: fuzzy alarming index rule for privacy analysis in smartphone apps. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds.) Trust, Privacy and Security in Digital Business, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-98385-1

    Chapter  Google Scholar 

  20. Hutton, L., et al.: Assessing the privacy of mhealth apps for self-tracking: heuristic evaluation approach. JMIR Mhealth Uhealth 6(10), e185 (2018). https://doi.org/10.2196/mhealth.9217

    Article  Google Scholar 

  21. Kuehnhausen, M., Frost, V.S.: Trusting smartphone apps? to install or not to install, that is the question. In: 2013 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 30–37 (2013). https://doi.org/10.1109/CogSIMA.2013.6523820

  22. Martínez-Pérez, B., De La Torre-Díez, I., López-Coronado, M.: Privacy and security in mobile health apps: a review and recommendations. J. Med. Syst. 39(1), 1–8 (2015)

    Article  Google Scholar 

  23. Momen, N.: Towards Measuring Apps’ Privacy-Friendliness (licentiate thesis). Ph.D. thesis, Karlstads universitet (2018)

    Google Scholar 

  24. Momen, N., Pulls, T., Fritsch, L., Lindskog, S.: How much privilege does an app need? investigating resource usage of android apps. In: 2017 15th Annual Conference on Privacy, Security and Trust (PST), pp. 268–2685. IEEE (2017)

    Google Scholar 

  25. Murmann, P., Fischer-Hübner, S.: Tools for achieving usable ex post transparency: a survey. IEEE Access 5, 22965–22991 (2017). https://doi.org/10.1109/ACCESS.2017.2765539. http://ieeexplore.ieee.org/document/8078167/

    Article  Google Scholar 

  26. Paintsil, E., Fritsch, L.: A Taxonomy of privacy and security risks contributing factors. In: Fischer-Hübner, S., Duquenoy, P., Hansen, M., Leenes, R., Zhang, G. (eds.) Privacy and Identity 2010. IAICT, vol. 352, pp. 52–63. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20769-3_5

    Chapter  Google Scholar 

  27. Paintsil, E., Fritsch, L.: Executable model-based risk analysis method for identity management systems: using hierarchical colored petri nets. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds.) TrustBus 2013. LNCS, vol. 8058, pp. 48–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40343-9_5

    Chapter  Google Scholar 

  28. Papageorgiou, A., Strigkos, M., Politou, E., Alepis, E., Solanas, A., Patsakis, C.: Security and privacy analysis of mobile health applications: the alarming state of practice. IEEE Access 6, 9390–9403 (2018). https://doi.org/10.1109/ACCESS.2018.2799522

    Article  Google Scholar 

  29. Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)

    MathSciNet  MATH  Google Scholar 

  30. Rannenberg, K.: Recent development in information technology security evaluation - the need for evaluation criteria for multilateral security. In: Proceedings of the IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society on Board M/S Illich and Ashore, pp. 113–128. North-Holland Publishing Co., Amsterdam (1994). http://dl.acm.org/citation.cfm?id=647317.723330

  31. Rannenberg, K.: Multilateral security a concept and examples for balanced security. In: Proceedings of the 2000 Workshop on New Security Paradigms. pp. 151–162. NSPW 2000, ACM, New York (2000). https://doi.org/10.1145/366173.366208, http://doi.acm.org/10.1145/366173.366208

  32. Reidenberg, J.R., Breaux, T., Carnor, L.F., French, B.: Disagreeable privacy policies: Mismatches between meaning and users’ understanding. Berkely Technol. Law J. 30(1), 39–68 (2015)

    Google Scholar 

  33. Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975). https://doi.org/10.1109/PROC.1975.9939

    Article  Google Scholar 

  34. Solove, D.J.: Nothing to Hide: The False Tradeoff between Privacy and Security. Yale University Press, New Haven (2011)

    Google Scholar 

  35. Solove, D.J.: A taxonomy of privacy. U. Pa. L. Rev. 154, 477 (2005)

    Article  Google Scholar 

  36. Van Kleek, M., Liccardi, I., Binns, R., Zhao, J., Weitzner, D.J., Shadbolt, N.: Better the devil you know: exposing the data sharing practices of smartphone apps. In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 5208–5220. ACM (2017)

    Google Scholar 

Download references

Acknowledgments

This research is partially supported by the ALerT project, Research Council of Norway, IKTPLUSS 2017–2021 and by the European Union Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 675730 Privacy&Us.

Author information

Authors and Affiliations

Authors

Corresponding author

Correspondence to Majid Hatamian .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Hatamian, M., Momen, N., Fritsch, L., Rannenberg, K. (2019). A Multilateral Privacy Impact Analysis Method for Android Apps. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds) Privacy Technologies and Policy. APF 2019. Lecture Notes in Computer Science(), vol 11498. Springer, Cham. https://doi.org/10.1007/978-3-030-21752-5_7

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-21752-5_7

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-21751-8

  • Online ISBN: 978-3-030-21752-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics