Abstract
Modern smartphone platforms are highly privacy-affecting but not effective in properly communicating their privacy impacts to its users. Particularly, actual data-access behavior of apps is not considered in current privacy risk communication approaches. We argue that factors such as frequency of access to sensitive information is significantly affecting the privacy-invasiveness of applications. We introduce Styx, a novel privacy risk communication system that provides the user with more meaningful privacy information based on the actual behavior of apps. In a proof-of-concept study we evaluate the effectiveness of Styx. Our results show that more meaningful privacy warnings can increase user trust into smartphone platforms and also reduce privacy concerns.
Chapter PDF
Similar content being viewed by others
Keywords
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
References
Bai, G., Gu, L., Feng, T., Guo, Y., Chen, X.: Context-Aware Usage Control for Android. In: Jajodia, S., Zhou, J. (eds.) SecureComm 2010. LNICST, vol. 50, pp. 326–343. Springer, Heidelberg (2010)
Bal, G.: Revealing Privacy-Impacting Behavior Patterns of Smartphone Applications (Short Paper). In: MoST 2012 - Proceedings of the Mobile Security Technologies Workshop 2012, San Francisco, USA (2012), http://mostconf.org/2012/papers/15.pdf
Beresford, A.R., Rice, A., Sohan, N., Skehin, N., Sohan, R.: MockDroid: trading privacy for application functionality on smartphones. In: Proceedings of HotMobile 2011, ACM (2011)
Bravo-Lillo, C., Cranor, L.F., Downs, J., Komanduri, S., Sleeper, M.: Improving Computer Security Dialogs. In: Campos, P., Graham, N., Jorge, J., Nunes, N., Palanque, P., Winckler, M. (eds.) INTERACT 2011, Part IV. LNCS, vol. 6949, pp. 18–35. Springer, Heidelberg (2011), http://www.springerlink.com/content/q551210n08h16970/
Brunk, B.: A User-Centric Privacy Space Framework. In: Cranor, L.F., Garfinkel, S.L. (eds.) Security and Usability - Designing Secure Systems that People Can Use, ch. 21, pp. 401–420. O’Reilly (2005)
Bugiel, S., Davi, L., Dmitrienko, A., Fischer, T., Sadeghi, A.R.S.: XManDroid: A New Android Evolution to Mitigate Privilege Escalation Attacks. Tech. rep. (2011)
Chia, P.H., Yamamoto, Y., Asokan, N.: Is this App Safe? A Large Scale Study on Application Permissions and Risk Signals. In: Proceedings of WWW 2012 (November 2012)
Chittaranjan, G., Blom, J., Gatica-Perez, D.: Mining large-scale smartphone data for personality studies. Personal and Ubiquitous Computing (December 2011), http://www.springerlink.com/index/10.1007/s00779-011-0490-1
Conti, M., Nguyen, V.T.N., Crispo, B.: CRePE: Context-related Policy Enforcement for Android. In: Burmester, M., Tsudik, G., Magliveras, S., Ilić, I. (eds.) ISC 2010. LNCS, vol. 6531, pp. 331–345. Springer, Heidelberg (2011)
Cranor, L.F., Garfinkel, S.L.: Security and Usability - Designing Secure Systems that People Can Use. O’Reilly (2005)
Eagle, N., Pentland, A.S., Lazer, D.: Inferring Social Network Structure using Mobile Phone Data. Tech. Rep. usually 1 (2009)
Egele, M., Kruegel, C., Kirda, E.: PiOS: Detecting Privacy Leaks in iOS Applications. In: NDSS 2011 Network and Distributed System Security Symposium Proceedings (2011)
Egelman, S., Tsai, J., Cranor, L.F., Acquisti, A.: Timing is everything?: the effects of timing and placement of online privacy indicators. In: Proceedings of the 27th International Conference on Human Factors in Computing Systems, CHI 2009, p. 319. ACM Press, New York (2009), http://dl.acm.org/citation.cfm?id=1518701.1518752
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In: Proc. of USENIX Symposium on Operating Systems Design and Implementation, OSDI (2010)
Enck, W., Ongtang, M., McDaniel, P.: On Lightweight Mobile Phone Application Certification. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, CCS 2009, p. 235. ACM Press, New York (2009)
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, p. 627. ACM Press, New York (2011)
Fuchs, A.P., Chaudhuri, A.: SCanDroid: Automated Security Certification of Android Applications. Tech. rep., University of Maryland (2009), http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.148.2511
Gilbert, P., Chun, B.G., Cox, L.P., Jung, J.: Vision: automated security validation of mobile apps at app markets. In: Proceedings of the Second International Workshop on Mobile Cloud Computing and Services, MCS 2011, p. 21. ACM Press, New York (2011)
González, M.C., Hidalgo, C.A., Barabási, A.L.: Understanding individual human mobility patterns. Nature 453(7196), 779–782 (2008), http://www.ncbi.nlm.nih.gov/pubmed/18528393
Hong, J.I.: An Architecture for Privacy-Sensitive Ubiquitous Computing. Ph.D. thesis, UNIVERSITY OF CALIFORNIA (2005)
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications. In: CCS 2011 - Proceedings of the 18th ACM Conference on Computer and Communications Security, p. 639. ACM, New York (2011)
Kelley, P.G., Bresee, J., Cranor, L.F., Reeder, R.W.: A “nutrition label” for privacy. In: Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS 2009, p. 1. ACM Press, New York (2009), http://dl.acm.org/citation.cfm?id=1572532.1572538
Kelley, P.G., Consolvo, S., Cranor, L.F., Jung, J., Sadeh, N., Wetherall, D.: A Conundrum of Permissions: Installing Applications on an Android Smartphone. In: Proceedings of USEC 2012, pp. 1–12 (2012)
Kwapisz, J.R., Weiss, G.M., Moore, S.A.: Cell phone-based biometric identification. In: 2010 Fourth IEEE International Conference on Biometrics: Theory, Applications and Systems (BTAS), pp. 1–7. IEEE (September 2010), http://ieeexplore.ieee.org/articleDetails.jsp?arnumber=5634532
Laugwitz, B., Held, T., Schrepp, M.: Construction and Evaluation of a User Experience Questionnaire. Tech. rep. (2008)
Lederer, S., Dey, A.K., Mankoff, J.: A Conceptual Model and a Metaphor of Everyday Privacy in Ubiquitous Computing Environments. In: Ubiquitous Computing Computer S (2002), http://www.cs.cmu.edu/~io/publications/old-pubs/privacy-techreport02.pdf
Lin, J., Amini, S., Hong, J., Sadeh, N., Lindqvist, J., Zhang, J.: Expectation and Purpose: Understanding Users Mental Models of Mobile App Privacy through Crowdsourcing. In: Proceedings of the 14th ACM International Conference on Ubiquitous Computing - Ubicomp 2012 (2012)
Min, J.K., Wiese, J., Hong, J.I., Zimmerman, J.: Mining Smartphone Data to Classify Life-Facets of Social Relationships. In: Conference on Computer Supported Cooperative Work and Social Computing 2013 (2013)
Nauman, M., Khan, S., Zhang, X.: Apex: Extending Android Permission Model and Enforcement with User-defined Runtime Constraints. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, pp. 328–332. ACM Press (2010)
Phithakkitnukoon, S., Horanont, T., Di Lorenzo, G., Shibasaki, R., Ratti, C.: Activity-Aware Map: Identifying Human Daily Activity Pattern Using Mobile Phone Data. In: Salah, A.A., Gevers, T., Sebe, N., Vinciarelli, A. (eds.) HBU 2010. LNCS, vol. 6219, pp. 14–25. Springer, Heidelberg (2010), http://www.springerlink.com/index/10.1007/978-3-642-14715-9
Thampi, A.: Path uploads your entire iPhone address book to its servers, http://mclov.in/2012/02/08/path-uploads-your-entire-address-book-to-their-servers.html
Thompson, C., Johnson, M., Egelman, S., Wagner, D., King, J.: When it’s better to ask forgiveness than get permission. In: Proceedings of the Ninth Symposium on Usable Privacy and Security, SOUPS 2013, p. 1 (2013), http://dl.acm.org/citation.cfm?doid=2501604.2501605
Weiss, G.M., Lockhart, J.W.: Identifying user traits by mining smart phone accelerometer data. In: Proceedings of the Fifth International Workshop on Knowledge Discovery from Sensor Data - SensorKDD 2011, pp. 61–69. ACM Press, New York (2011), http://portal.acm.org/citation.cfm?doid=2003653.2003660
Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2014 IFIP International Federation for Information Processing
About this paper
Cite this paper
Bal, G., Rannenberg, K., Hong, J. (2014). Styx: Design and Evaluation of a New Privacy Risk Communication Method for Smartphones. In: Cuppens-Boulahia, N., Cuppens, F., Jajodia, S., Abou El Kalam, A., Sans, T. (eds) ICT Systems Security and Privacy Protection. SEC 2014. IFIP Advances in Information and Communication Technology, vol 428. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-55415-5_10
Download citation
DOI: https://doi.org/10.1007/978-3-642-55415-5_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-55414-8
Online ISBN: 978-3-642-55415-5
eBook Packages: Computer ScienceComputer Science (R0)