Abstract
It is undeniable that smartphones play a vital role in our lives, as their applications (apps) can be used to access various services anytime and anywhere. Despite the benefits provided by mobile apps, there are risks connected to the release of personal and sensitive data. Understanding the potential privacy risks of installing an app based on its description or privacy policy could be challenging, especially for non-skilled users. In this paper, to assist users in their app selection process, we propose PriApp-Install, a privacy-aware app installation recommendation system. It leverages semi-supervised learning to learn individual privacy preferences w.r.t mobile app installation. Learning is done based on a rich set of features modelling both the app behavior w.r.t. personal data consumption and the benefits a user can get in installing the app. We tested four learning strategies on a real dataset by exploiting three participant groups: security and privacy experts, IT workers, and crowd workers. The obtained results show the effectiveness of our proposal.
Keywords
- Mobile apps
- Privacy preferences and policies
- Static analysis
- Semi-supervised learning
This is a preview of subscription content, access via your institution.
Buying options
Notes
- 1.
- 2.
- 3.
- 4.
Implementation is available at https://github.com/SonHaXuan/PriApp-Install.
- 5.
Android app store: https://play.google.com/store/apps.
- 6.
- 7.
We presented the APIs list and dangerous permissions at https://bit.ly/3qm5VT4.
- 8.
Arrays for the other personal data types can be similarly defined.
- 9.
pp contains \(not\_specified\) if the policy does not specify any purpose.
- 10.
If shared data are not specified in the privacy policy, 3pt is set to \(not\_specified\).
- 11.
\(\theta \) parameters aim at optimizing the label probability.
- 12.
argmax is used for finding the label (i.e., Y, N, MB) with the highest probability.
- 13.
Failure to decompile was primarily due to code obfuscation.
- 14.
On average, in our dataset, an app uses 6 APIs, 48 classes, and 238 functions/constants to collect personal data.
- 15.
References
Alecakir, H., Can, B., Sen, S.: Attention: there is an inconsistency between Android permissions and application metadata! Int. J. Inf. Secur. 20, 797–815 (2021)
Borman, S.: The expectation maximization algorithm-a short tutorial. Submitted for Publication 41 (2004)
Feng, Y., et al.: AC-Net: assessing the consistency of description and permission in Android apps. IEEE Access 7, 57829–57842 (2019)
John, O.P., Srivastava, S., et al.: The Big-Five Trait Taxonomy: History, Measurement, and Theoretical Perspectives, vol. 2. University of California Berkeley (1999)
Jones, K.S., et al.: Readings in Information Retrieval. Morgan Kaufmann (1997)
Lin, J., et al.: Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In: Proceedings of the 2012 ACM Conference on Ubiquitous Computing, pp. 501–510 (2012)
Martin, K., Shilton, K.: Putting mobile application privacy in context: an empirical study of user privacy expectations for mobile devices. Inf. Soc. 32(3), 200–216 (2016)
Nguyen, T.T., et al.: Measuring user perception for detecting unexpected access to sensitive resource in mobile apps. In: Proceedings of the 2021 ACM Asia Conference on Computer and Communications Security, pp. 578–592 (2021)
Nigam, K., Ghani, R.: Analyzing the effectiveness and applicability of co-training. In: Proceedings of the Ninth International Conference on Information and Knowledge Management, pp. 86–93 (2000)
Olukoya, O., et al.: Security-oriented view of app behaviour using textual descriptions and user-granted permission requests. Comput. Secur. 89 (2020)
Polikar, R.: Ensemble based systems in decision making. IEEE Circuits Syst. Mag. 6(3), 21–45 (2006)
Polikar, R.: Ensemble learning. In: Zhang, C., Ma, Y. (eds.) Ensemble Machine Learning, pp. 1–34. Springer, Boston (2012). https://doi.org/10.1007/978-1-4419-9326-7_1
Singh, A.K., et al.: Experimental analysis of Android malware detection based on combinations of permissions and API-calls. J. Comput. Virol. Hacking Tech. 15, 209–218 (2019)
Singh, B.C., Carminati, B., Ferrari, E.: Privacy-aware personal data storage (P-PDS): learning how to protect user privacy from external applications. IEEE Trans. Dependable Secure Comput. 18, 889–903 (2019)
Son, H.X., Carminati, B., Ferrari, E.: A risk assessment mechanism for Android apps. In: 2021 IEEE International Conference on Smart Internet of Things (SmartIoT), pp. 237–244. IEEE (2021)
Son, H.X., Carminati, B., Ferrari, E.: A risk estimation mechanism for Android apps based on hybrid analysis. Data Sci. Eng. 7, 242–252 (2022)
Taylor, V.F., Martinovic, I.: SecuRank: starving permission-hungry apps using contextual permission analysis. In: Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 43–52 (2016)
Taylor, V.F., et al.: There are many apps for that: quantifying the availability of privacy-preserving apps. In: ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 247–252 (2017)
Triguero, I., García, S., Herrera, F.: Self-labeled techniques for semi-supervised learning: taxonomy, software and empirical study. Knowl. Inf. Syst. 42(2), 245–284 (2015)
Van Engelen, J.E., Hoos, H.H.: A survey on semi-supervised learning. Mach. Learn. 109(2), 373–440 (2020)
Van Kleek, M., et al.: Better the devil you know: exposing the data sharing practices of smartphone apps. In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 5208–5220 (2017)
Wilson, S., et al.: The creation and analysis of a website privacy policy corpus. In: Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics, pp. 1330–1340 (2016)
Wu, T., et al.: Catering to your concerns: automatic generation of personalised security-centric descriptions for Android apps. ACM Trans. Cyber-Phys. Syst. 3(4), 1–21 (2019)
Wu, Z., et al.: Enhancing fidelity of description in Android apps with category-based common permissions. IEEE Access 9, 105493–105505 (2021)
Xiao, J., et al.: An Android application risk evaluation framework based on minimum permission set identification. J. Syst. Softw. 163 (2020)
Zhang, L.L., et al.: Characterizing privacy risks of mobile apps with sensitivity analysis. IEEE Trans. Mob. Comput. 17(2), 279–292 (2017)
Acknowledgments
This work has received funding from RAIS (Real-time analytics for the Internet of Sports), Marie Skłodowska-Curie Innovative Training Networks (ITN), under grant agreement No 813162 and from CONCORDIA, (Cybersecurity Competence Network) supported by H2020 Research and Innovation program under grant agreement No 830927. The content of this paper reflects only the authors’ view and the Agency and the Commission are not responsible for any use that may be made of the information it contains.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendix A: Metrics
Appendix A: Metrics
We use conventional measures to measure the effectiveness of the proposed learning approaches. In particular, since we have classes with three labels (Y, N, and M), we exploit a \(3\times 3\) confusion matrix, see Table 5, where columns represent predicted labels, rows possible actual value and cells denote error value (E) or true positive value (TP). From the confusion matrix, we define the evaluation metrics given in Table 6.
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Son, H.X., Carminati, B., Ferrari, E. (2022). PriApp-Install: Learning User Privacy Preferences on Mobile Apps’ Installation. In: Su, C., Gritzalis, D., Piuri, V. (eds) Information Security Practice and Experience. ISPEC 2022. Lecture Notes in Computer Science, vol 13620. Springer, Cham. https://doi.org/10.1007/978-3-031-21280-2_17
Download citation
DOI: https://doi.org/10.1007/978-3-031-21280-2_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-21279-6
Online ISBN: 978-3-031-21280-2
eBook Packages: Computer ScienceComputer Science (R0)