By Swarup Kumar Sahoo
This week the 2nd Post-Doc Short Talk took place at HCII of Carnegie Mellon University. The style was the same again as the 1st version had: three 20-minutes short talks by the post-doctoral researchers. Among today’s talks, the one caught my attention most was the one given by Swarup Kumar Sahoo : Managing Privacy of Mobile Applications. Hence, I’m presenting the summary of the talk and my personal concerns about the talk and the study.
Their study has been conducted under Brandeis Mobile Privacy Program of DARPA. The motivation comes from the fact that mobile applications are very invasive and request lots of private and sensitive data. However they do not inform users why they request the sensitive data and resources of the device via permissions. In order to guide users to decide in an informed way, they developed a mobile application, ProtectMyPrivacy (PMP) which is available both on GooglePlay and Apple AppStore. Basically what PMP does is that it intercepts the API calls to the sensitive data and allows/denies/fakes requests for data and libraries. PMP has an interface listing all the applications installed on the users’ smart device and permissions requested by them. One most significant advantage of PMP is being run on real phones, so (as they state) they could collect usage data for data mining purposes. By doing so, the crowd data are feedback for novice users.
Their second study under this project is “Privacy Enhanced Android” (PEA). They modify the Android in a sense to allow user more control on the private data. Hence, their approach is based on making the applications explicitly declare the purpose of why sensitive data being used. For example with a statement similar to “We request access to location information to suggest you nearby restaurants”. In order to do so, they define a set of usage purposes and provide to developers. Those purposes are declared in the manifest files of applications by the developers. Here the overall working mechanism of their system:
- When the application is uploaded to the store by the developer, the static checker component of PEA checks whether the application uses the permissions for intended purposes (by examining the API calls).
- Users also give feedback in order to state whether the app behaves properly.
- Dynamic checker component of the PEA checks the application’s behaviors at run time (like by tracking the stacks).
For now, their ongoing study is about usability of the application such as measuring the time to complete specific tasks.
I appreciate their study much and believe that the security and privacy for mobile devices is a promising domain as a security researcher. The reason is no doubt our mobile devices are full of personal and even corporate sensitive data and security & privacy solutions are not mature enough as in traditional computing devices. However, my concern is about the way they collect usage data from their application, PMP. If they do this seamlessly at the background, this would cause to another privacy breach. Otherwise if the user reports his/her feedback then it is not a concern.