Styx: Design and Evaluation of a New Privacy Risk Communication Method for Smartphones

  • Gökhan Bal
  • Kai Rannenberg
  • Jason Hong
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 428)

Abstract

Modern smartphone platforms are highly privacy-affecting but do not effectively communicate their privacy impacts to their users. In particular, current privacy risk communication approaches do not consider the actual data-access behavior of apps. We argue that factors such as the frequency of access to sensitive information significantly affect the privacy-invasiveness of applications. We introduce Styx, a novel privacy risk communication system that provides the user with more meaningful privacy information based on the actual behavior of apps. In a proof-of-concept study, we evaluate the effectiveness of Styx. Our results show that more meaningful privacy warnings can increase user trust in smartphone platforms and also reduce privacy concerns.



Copyright information

© IFIP International Federation for Information Processing 2014

Authors and Affiliations

  • Gökhan Bal (1)
  • Kai Rannenberg (1)
  • Jason Hong (2)

  1. Goethe University Frankfurt, Germany
  2. Carnegie Mellon University, Pittsburgh, USA
