Abstract
Smartphone apps have the power to monitor most of people’s private lives. Apps can permeate private spaces, access and map social relationships, monitor whereabouts and chart people’s activities in digital and/or real world. We are therefore interested in how much information a particular app can and intends to retrieve in a smartphone. Privacy-friendliness of smartphone apps is typically measured based on single-source analyses, which in turn, does not provide a comprehensive measurement regarding the actual privacy risks of apps. This paper presents a multi-source method for privacy analysis and data extraction transparency of Android apps. We describe how we generate several data sets derived from privacy policies, app manifestos, user reviews and actual app profiling at run time. To evaluate our method, we present results from a case study carried out on ten popular fitness and exercise apps. Our results revealed interesting differences concerning the potential privacy impact of apps, with some of the apps in the test set violating critical privacy principles. The result of the case study shows large differences that can help make relevant app choices.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Full discretionary power (Merriam-Webster dictionary), Retrieved on November 22, 2018.
- 2.
https://developer.android.com/guide/topics/permissions/overview; [Accessed: 2018-11-27].
- 3.
References
Google play scraper. https://github.com/facundoolano/google-play-scraper/
Eu general data protection regulation (2016). https://eur-lex.europa.eu/legal-content/en/txt/html/?uri=celex:32016r0679. Accessed 8 Aug 2018
Facebook data privacy scandal: A cheat sheet (2018). https://www.techrepublic.com/article/facebook-data-privacy-scandal-a-cheat-sheet/. Accessed 11 Jan 2019
Fitness app strava lights up staff at military bases (2018). https://www.bbc.com/news/technology-42853072. Accessed 01 Feb 2019
Almuhimedi, H., et al.: Your location has been shared 5,398 times!: a field study on mobile app privacy nudging. In: Proceedings of the 33rd Annual ACM Conference on Human Factors in Computing Systems, pp. 787–796. ACM (2015)
Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: the Proceedings of the the 9th ACM USENIX Conference on Operating Systems Design and Implementation, Vancouver, BC, Canada, pp. 393–407 (2010)
Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: the Proceedings of the the 20th USENIX Conference on Security, San Francisco, CA, USA, p. 21 (2011)
Enck, W., Ongtang, M., Mcdaniel, P.: On lightweight mobile phone application certification. In: the Proceedings of the the 16th ACM Conference on Computer and Communications Security, Chicago, Illinois, USA, pp. 235–245 (2009)
EU Regulation: 679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). Off J Eur Union p. L119 (2016)
Felt, A.P., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: A survey of smartphone users’ concerns. In: the Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, New York, NY, USA, pp. 33–44 (2012)
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: the Proceedings of the 8th ACM Symposium on Usable Privacy and Security, SOUPS 2012, New York, NY, USA, pp. 1–3 (2012)
Franzen, D., Aspinall, D.: PhoneWrap-Injecting the “How Often” into Mobile Apps. In: Proceedings of the 1st International Workshop on Innovations in Mobile Privacy and Security co-located with the International Symposium on Engineering Secure Software and Systems (ESSoS 2016), pp. 11–19. CEUR-WS.org (2016)
Fritsch, L., Abie, H., Regnesentral, N.: Towards a research road map for the management of privacy risks in information systems. In: Gesellschaft für Informatik eV (GI) publishes this series in order to make available to a broad public recent findings in informatics (ie computer science and informa-tion systems), to document conferences that are organized in co-operation with GI and to publish the annual GI Award dissertation, p. 1 (2008)
Gleicher, M., Albers, D., Walker, R., Jusufi, I., Hansen, C.D., Roberts, J.C.: Visual comparison for information visualization. Inf. Vis. 10(4), 289–309 (2011)
Habib, S.M., Alexopoulos, N., Islam, M.M., Heider, J., Marsh, S., Müehlhäeuser, M.: Trust4App: automating trustworthiness assessment of mobile applications. In: 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pp. 124–135. IEEE (2018)
Hatamian, M., Serna-Olvera, J.: Beacon alarming: informed decision-making supporter and privacy risk analyser in smartphone applications. In: To be Appeared in the Proceedings of the 35th IEEE International Conference on Consumer Electronics (ICCE), USA (2017)
Hatamian, M., Kitkowska, A., Korunovska, J., Kirrane, S.: “It’s shocking!”: analysing the impact and reactions to the A3: android apps behaviour analyser. In: Kerschbaum, F., Paraboschi, S. (eds.) Data and Applications Security and Privacy XXXII, pp. 198–215. Springer International Publishing, Cham (2018)
Hatamian, M., Serna, J., Rannenberg, K.: Revealing the unrevealed: mining smartphone users privacy perception on app markets. Comput. Secur. (2019). https://doi.org/10.1016/j.cose.2019.02.010, http://www.sciencedirect.com/science/article/pii/S0167404818313051
Hatamian, M., Serna, J., Rannenberg, K., Igler, B.: Fair: fuzzy alarming index rule for privacy analysis in smartphone apps. In: Lopez, J., Fischer-Hübner, S., Lambrinoudakis, C. (eds.) Trust, Privacy and Security in Digital Business, pp. 3–18. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-98385-1
Hutton, L., et al.: Assessing the privacy of mhealth apps for self-tracking: heuristic evaluation approach. JMIR Mhealth Uhealth 6(10), e185 (2018). https://doi.org/10.2196/mhealth.9217
Kuehnhausen, M., Frost, V.S.: Trusting smartphone apps? to install or not to install, that is the question. In: 2013 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA), pp. 30–37 (2013). https://doi.org/10.1109/CogSIMA.2013.6523820
Martínez-Pérez, B., De La Torre-Díez, I., López-Coronado, M.: Privacy and security in mobile health apps: a review and recommendations. J. Med. Syst. 39(1), 1–8 (2015)
Momen, N.: Towards Measuring Apps’ Privacy-Friendliness (licentiate thesis). Ph.D. thesis, Karlstads universitet (2018)
Momen, N., Pulls, T., Fritsch, L., Lindskog, S.: How much privilege does an app need? investigating resource usage of android apps. In: 2017 15th Annual Conference on Privacy, Security and Trust (PST), pp. 268–2685. IEEE (2017)
Murmann, P., Fischer-Hübner, S.: Tools for achieving usable ex post transparency: a survey. IEEE Access 5, 22965–22991 (2017). https://doi.org/10.1109/ACCESS.2017.2765539. http://ieeexplore.ieee.org/document/8078167/
Paintsil, E., Fritsch, L.: A Taxonomy of privacy and security risks contributing factors. In: Fischer-Hübner, S., Duquenoy, P., Hansen, M., Leenes, R., Zhang, G. (eds.) Privacy and Identity 2010. IAICT, vol. 352, pp. 52–63. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-20769-3_5
Paintsil, E., Fritsch, L.: Executable model-based risk analysis method for identity management systems: using hierarchical colored petri nets. In: Furnell, S., Lambrinoudakis, C., Lopez, J. (eds.) TrustBus 2013. LNCS, vol. 8058, pp. 48–61. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40343-9_5
Papageorgiou, A., Strigkos, M., Politou, E., Alepis, E., Solanas, A., Patsakis, C.: Security and privacy analysis of mobile health applications: the alarming state of practice. IEEE Access 6, 9390–9403 (2018). https://doi.org/10.1109/ACCESS.2018.2799522
Pedregosa, F., et al.: Scikit-learn: machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Rannenberg, K.: Recent development in information technology security evaluation - the need for evaluation criteria for multilateral security. In: Proceedings of the IFIP TC9/WG9.6 Working Conference on Security and Control of Information Technology in Society on Board M/S Illich and Ashore, pp. 113–128. North-Holland Publishing Co., Amsterdam (1994). http://dl.acm.org/citation.cfm?id=647317.723330
Rannenberg, K.: Multilateral security a concept and examples for balanced security. In: Proceedings of the 2000 Workshop on New Security Paradigms. pp. 151–162. NSPW 2000, ACM, New York (2000). https://doi.org/10.1145/366173.366208, http://doi.acm.org/10.1145/366173.366208
Reidenberg, J.R., Breaux, T., Carnor, L.F., French, B.: Disagreeable privacy policies: Mismatches between meaning and users’ understanding. Berkely Technol. Law J. 30(1), 39–68 (2015)
Saltzer, J.H., Schroeder, M.D.: The protection of information in computer systems. Proc. IEEE 63(9), 1278–1308 (1975). https://doi.org/10.1109/PROC.1975.9939
Solove, D.J.: Nothing to Hide: The False Tradeoff between Privacy and Security. Yale University Press, New Haven (2011)
Solove, D.J.: A taxonomy of privacy. U. Pa. L. Rev. 154, 477 (2005)
Van Kleek, M., Liccardi, I., Binns, R., Zhao, J., Weitzner, D.J., Shadbolt, N.: Better the devil you know: exposing the data sharing practices of smartphone apps. In: Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems, pp. 5208–5220. ACM (2017)
Acknowledgments
This research is partially supported by the ALerT project, Research Council of Norway, IKTPLUSS 2017–2021 and by the European Union Horizon 2020 research and innovation programme under the Marie Skłodowska-Curie grant agreement No 675730 Privacy&Us.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Hatamian, M., Momen, N., Fritsch, L., Rannenberg, K. (2019). A Multilateral Privacy Impact Analysis Method for Android Apps. In: Naldi, M., Italiano, G., Rannenberg, K., Medina, M., Bourka, A. (eds) Privacy Technologies and Policy. APF 2019. Lecture Notes in Computer Science(), vol 11498. Springer, Cham. https://doi.org/10.1007/978-3-030-21752-5_7
Download citation
DOI: https://doi.org/10.1007/978-3-030-21752-5_7
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-21751-8
Online ISBN: 978-3-030-21752-5
eBook Packages: Computer ScienceComputer Science (R0)