Advertisement

Decision Support for Mobile App Selection via Automated Privacy Assessment

  • Jens WettlauferEmail author
  • Hervais SimoEmail author
Chapter
  • 44 Downloads
Part of the IFIP Advances in Information and Communication Technology book series (IFIPAICT, volume 576)

Abstract

Mobile apps have entered many areas of our everyday life through smartphones, smart TVs, smart cars, and smart homes. They facilitate daily routines and provide entertainment, while requiring access to sensitive data such as private end user data, e.g., contacts or photo gallery, and various persistent device identifiers, e.g., IMEI. Unfortunately, most mobile users neither pay attention nor fully understand privacy indicating factors that could expose malicious apps. We introduce APPA (Automated aPp Privacy Assessment), a technical tool to assist mobile users making privacy-enhanced app installation decisions. Given a set of empirically validated and publicly available factors which app users typically consider at install-time, APPA creates an output in form of a personalized privacy score. The score indicates the level of privacy safety of the given app integrating three different privacy perspectives. First, an analysis of app permissions determines the degree of privateness preservation after an installation. Second, user reviews are assessed to inform about the privacy-to-functionality trade-off by comparing the sentiment of privacy and functionality related reviews. Third, app privacy policies are analyzed with respect to their legal compliance with the European General Data Protection Regulation (GDPR). While the permissions based score introduces capabilities to filter over-privileged apps, privacy and functionality related reviews are classified with an average accuracy of 79%. As proof of concept, the APPA framework demonstrates the feasibility of user-centric tools to enhance transparency and informed consent as early as during the app selection phase.

Keywords

Privacy assessment Mobile apps Permissions Privacy policy User reviews Privacy perception Decision support 

Notes

Acknowledgment

This work has been supported in part by the German Federal Ministry of Education and Research (BMBF) within the project “Forum Privatheit und selbstbestimmtes Leben in der Digitalen Welt”.

References

  1. 1.
    AppCensus: Appcensus app search (2019). https://search.appcensus.io/. Accessed 20 July 2019
  2. 2.
    Belica, M.: jusText 2.2.0. Python Software Foundation. https://pypi.org/project/jusText/. Accessed 21 Apr 2019
  3. 3.
    Board, T.E.: Opinion: how silicon valley puts the ‘con’ in consent, February 2019. https://www.nytimes.com/2019/02/02/opinion/internet-facebook-google-consent.html. Accessed 20 July 2019
  4. 4.
    Brandtzaeg, P.B., Pultier, A., Moen, G.M.: Losing control to data-hungry apps - a mixed-methods approach to mobile app privacy. Soc. Sci. Comput. Rev. 37, 466–488 (2018)CrossRefGoogle Scholar
  5. 5.
    Chin, E., Felt, A.P., Sekar, V., Wagner, D.: Measuring user confidence in smartphone security and privacy. In: Proceedings of the Eighth Symposium on Usable Privacy and Security (2012)Google Scholar
  6. 6.
    Choe, E.K., Jung, J., Lee, B., Fisher, K.: Nudging people away from privacy-invasive mobile apps through visual framing. In: Kotzé, P., Marsden, G., Lindgaard, G., Wesson, J., Winckler, M. (eds.) INTERACT 2013. LNCS, vol. 8119, pp. 74–91. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-40477-1_5CrossRefGoogle Scholar
  7. 7.
    Chong, I., Ge, H., Li, N., Proctor, R.W.: Influence of privacy priming and security framing on android app selection. In: Proceedings of the Human Factors and Ergonomics Society Annual Meeting (2017)Google Scholar
  8. 8.
    deanmalmgren: textract. GitHub.com (2014). https://textract.readthedocs.io/en/stable/. Accessed 23 Feb 2019
  9. 9.
    Dogruel, L., Joeckel, S., Bowman, N.D.: Choosing the right app: an exploratory perspective on heuristic decision processes for smartphone app selection. Mob. Media Commun. 3, 125–144 (2014)CrossRefGoogle Scholar
  10. 10.
    European Parliament and Council of the European Union: Regulation (EU) 2016/679 (general data protection regulation). Official Journal of the European Union, May 2018. https://eur-lex.europa.eu/eli/reg/2016/679/2016-05-04. Accessed 06 May 2019
  11. 11.
    Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: SOUPS. ACM (2012)Google Scholar
  12. 12.
    Fogg, B.J., Iizawa, D.: Online persuasion in Facebook and Mixi: a cross-cultural comparison. In: Oinas-Kukkonen, H., Hasle, P., Harjumaa, M., Segerståhl, K., Øhrstrøm, P. (eds.) PERSUASIVE 2008. LNCS, vol. 5033, pp. 35–46. Springer, Heidelberg (2008).  https://doi.org/10.1007/978-3-540-68504-3_4CrossRefGoogle Scholar
  13. 13.
    Gorla, A., Tavecchia, I., Gross, F., Zeller, A.: CHABADA: checking app behavior against app descriptions. In: Proceedings of the 36th International Conference on Software Engineering - ICSE 2014. ACM Press (2014)Google Scholar
  14. 14.
    Gu, J., Xu, Y.C., Xu, H., Zhang, C., Ling, H.: Privacy concerns for mobile app download: an elaboration likelihood model perspective. Decis. Support Syst. 94, 19–28 (2017)CrossRefGoogle Scholar
  15. 15.
    Habib, S.M., Alexopoulos, N., Islam, M.M., Heider, J., Marsh, S., Müehlhäeuser, M.: Trust4App: automating trustworthiness assessment of mobile applications. In: 2018 17th IEEE International Conference on Trust, Security and Privacy in Computing and Communications/12th IEEE International Conference on Big Data Science and Engineering (TrustCom/BigDataSE), pp. 124–135, August 2018Google Scholar
  16. 16.
    Hansen, M.: Data protection by design and by default à la European general data protection regulation. In: Lehmann, A., Whitehouse, D., Fischer-Hübner, S., Fritsch, L., Raab, C. (eds.) Privacy and Identity 2016. IAICT, vol. 498, pp. 27–38. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-55783-0_3CrossRefGoogle Scholar
  17. 17.
    Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. CoRR (2018)Google Scholar
  18. 18.
    Harris, M., Brookshire, R., Patten, K., Regan, E.: Mobile application installation influences: have mobile device users become desensitized to excessive permission requests? In: Americas Conference on Information Systems (2015)Google Scholar
  19. 19.
    Harris, M.A., Brookshire, R., Chin, A.G.: Identifying factors influencing consumers’ intent to install mobile applications. Int. J. Inf. Manag. 36, 441–450 (2016)CrossRefGoogle Scholar
  20. 20.
    Hatamian, M., Momen, N., Fritsch, L., Rannenberg, K.: A multilateral privacy impact analysis method for android apps. In: Naldi, M., Italiano, G.F., Rannenberg, K., Medina, M., Bourka, A. (eds.) APF 2019. LNCS, vol. 11498, pp. 87–106. Springer, Cham (2019).  https://doi.org/10.1007/978-3-030-21752-5_7CrossRefGoogle Scholar
  21. 21.
    Hong, J.: Privacygrade: grading the privacy of smartphone apps (2014). http://privacygrade.org/home. Accessed 20 July 2019
  22. 22.
    Kelley, P.G., Cranor, L.F., Sadeh, N.: Privacy as part of the app decision-making process. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (2013)Google Scholar
  23. 23.
    Kesswani, N., Lyu, H., Zhang, Z.: Analyzing android app privacy with GP-PP model. IEEE Access 6, 39541–39546 (2018)CrossRefGoogle Scholar
  24. 24.
    Knijnenburg, B.: A user-tailored approach to privacy decision support. Master’s thesis, University of California, Irvine, July 2015. http://www.ics.uci.edu/~kobsa/phds/knijnenburg.pdf
  25. 25.
    Kulyk, O., Gerber, P., Marky, K., Beckmann, C., Volkamer, M.: Does this app respect my privacy? Design and evaluation of information materials supporting privacy-related decisions of smartphone users. In: NDSS Symposium 2018 (USEC), San Diego, CA, 18–21 February 2019 (2019)Google Scholar
  26. 26.
    Lim, S.L., Bentley, P.J., Kanakam, N., Ishikawa, F., Honiden, S.: Investigating country differences in mobile app user behavior and challenges for software engineering. IEEE Trans. Softw. Eng. 41, 40–64 (2015). http://www0.cs.ucl.ac.uk/staff/S.Lim/app_user_survey/CrossRefGoogle Scholar
  27. 27.
    Liu, B., et al.: Follow my recommendations: a personalized privacy assistant for mobile app permissions. In: 12th Symposium on Usable Privacy and Security 2016. USENIX Association, Denver (2016)Google Scholar
  28. 28.
    Liu, B., Kong, D., Cen, L., Gong, N.Z., Jin, H., Xiong, H.: Personalized mobile app recommendation: reconciling app functionality and user privacy preference. In: Proceedings of the Eighth ACM International Conference on Web Search and Data Mining, WSDM 2015, ACM, New York (2015)Google Scholar
  29. 29.
    Liu, B., Lin, J., Sadeh, N.: Reconciling mobile app privacy and usability on smartphones: could user privacy profiles help? In: Proceedings of the 23rd International Conference on World Wide Web (2014)Google Scholar
  30. 30.
    Meineck, S.: Komplizierter als Kant: Nerd erstellt Ranking der furchtbarsten AGB (2019). https://www.vice.com/de/article/5974vb/datenschutz-ranking-der-schlimmsten-agb-facebook-airbnb-google-dsgvo. Accessed 28 July 2019
  31. 31.
    Mylonas, A., Theoharidou, M., Gritzalis, D.: Assessing privacy risks in android: a user-centric approach. In: Risk Assessment and Risk-Driven Testing (2014)Google Scholar
  32. 32.
    Urcuqui, C., Navarro, A.: Dataset malware/beningn permissions android (2016).  https://doi.org/10.21227/H26P4M
  33. 33.
    Ng, A.: More than 1,000 android apps harvest data even after you deny permissions (2019). https://www.cnet.com/news/more-than-1000-android-apps-harvest-your-data-even-after-you-deny-permissions/. Accessed 20 July 2019
  34. 34.
    Nguyen, D.C., Derr, E., Backes, M., Bugiel, S.: Short text, large effect: measuring the impact of user reviews on android app security & privacy. In: Proceedings of the IEEE Symposium on Security & Privacy. IEEE, May 2019Google Scholar
  35. 35.
    Qu, Z., Rastogi, V., Zhang, X., Chen, Y., Zhu, T., Chen, Z.: AutoCog: measuring the description-to-permission fidelity in android applications. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security - CCS 2014. ACM Press (2014).  https://doi.org/10.1145/2660267.2660287
  36. 36.
    Rajivan, P., Camp, J.: Influence of privacy attitude and privacy cue framing on android app choices. In: 12th Symposium on Usable Privacy and Security (2016)Google Scholar
  37. 37.
    Reardon, J., Feal, Á., Wijesekera, P., On, A.E.B., Vallina-Rodriguez, N., Egelman, S.: 50 ways to leak your data: an exploration of apps’ circumvention of the android permissions system. In: 28th USENIX Security Symposium (2019)Google Scholar
  38. 38.
    Robillard, J.M., et al.: Availability, readability, and content of privacy policies and terms of agreements of mental health apps. Internet Interv. 17, 100243 (2019)CrossRefGoogle Scholar
  39. 39.
    State of California Department of Justice: Privacy laws. State of California Department of Justice (2003). https://oag.ca.gov/privacy/privacy-laws. Accessed 06 May 2019
  40. 40.
    The Realtime Report: how appification is transforming the internet (2017). https://therealtimereport.com/2017/11/01/appification-transforming-internet/. Accessed 26 July 2019
  41. 41.
    Thelwall, M., Buckley, K., Paltoglou, G., Cai, D., Kappas, A.: Sentiment strength detection in short informal text. J. Am. Soc. Inf. Sci. Technol. 61, 2544–2558 (2010)CrossRefGoogle Scholar
  42. 42.
    Wilson, S., et al.: The creation and analysis of a website privacy policy corpus. In: ACL (2016)Google Scholar
  43. 43.
    Wottrich, V.M., van Reijmersdal, E.A., Smit, E.G.: The privacy trade-off for mobile app downloads: the roles of app value, intrusiveness, and privacy concerns. Decis. Support Syst. 106, 44–52 (2017)CrossRefGoogle Scholar
  44. 44.
    Yin, S.: What can a zero-permissions android app do? April 2012. http://securitywatch.pcmag.com/none/296635-what-can-a-zero-permissions-android-app-do. Accessed 16 June 2019
  45. 45.
    Zhang, B., Xu, H.: Privacy nudges for mobile applications: effects on the creepiness emotion and privacy attitudes. In: Proceedings of the 19th ACM Conference on Computer-Supported Cooperative Work & Social Computing - CSCW 2016 (2016)Google Scholar
  46. 46.
    Zimmeck, S., et al.: Automated analysis of privacy requirements for mobile apps. In: The 2016 AAAI Fall Symposium Series: Privacy and Language Technologies (2016)Google Scholar

Copyright information

© IFIP International Federation for Information Processing 2020

Authors and Affiliations

  1. 1.Universität HamburgHamburgGermany
  2. 2.Fraunhofer Institute for Secure Information TechnologyDarmstadtGermany

Personalised recommendations