Abstract
With the rapidly growing popularity of smart mobile devices, the number of mobile applications available has surged in the past few years. Such mobile applications collect a treasure trove of Personally Identifiable Information (PII) attributes (such as age, gender, location, and fingerprints). Mobile applications, however, are many and often not well understood, especially for their privacy-related activities and functions. To fill this critical gap, we recommend providing an automated yet effective assessment of the privacy risk score of each application. The design goal is that the higher the score, the higher the potential privacy risk of this mobile application. Specifically, we consider excessive data access permissions and risky privacy policies. We first calculate the privacy risk of over 600 PII attributes through a longitudinal study of over 20 years of identity theft and fraud news reporting. Then, we map the access rights and privacy policies of each smart application to our dataset of PII to analyze what PII the application collects, and then calculate the privacy risk score of each smart application. Finally, we report our extensive experiments of 100 open source applications collected from Google Play to evaluate our method. The experimental results clearly prove the effectiveness of our method.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Google Play. https://play.google.com/store
Immuniweb® Mobile App Scanner. https://www.htbridge.com
Itap Report 2019. Tech. rep., Center for Identity, University of Texas at Austin (2019)
Agarwal, Y., Hall, M.: ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing, pp. 97–110 (June 2013). https://doi.org/10.1145/2462456.2464460
Au, K., Zhou, Y., Huang, Z., Gill, P., Lie, D.: Short paper: a look at smartphone permission models. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (October 2011). https://doi.org/10.1145/2046614.2046626
Chang, K.C., Zaeem, R.N., Barber, K.S.: Enhancing and evaluating identity privacy and authentication strength by utilizing the identity ecosystem. In: Proceedings of the 2018 Workshop on Privacy in the Electronic Society, pp. 114–120. ACM (2018)
Chang, K.C., Zaeem, R.N., Barber, K.S.: Internet of Things: securing the identity by analyzing ecosystem models of devices and organizations. In: 2018 AAAI Spring Symposium Series (2018)
Chen, C.J., Zaeem, R.N., Barber, K.S.: Statistical analysis of identity risk of exposure and cost using the ecosystem of identity attributes. In: 2019 European Intelligence and Security Informatics Conference (EISIC), pp. 32–39. IEEE (2019)
Dehling, T., Sunyaev, A., Taylor, P.L., Mandl, K.D.: Availability and quality of mobile health app privacy policies. J. Am. Med. Inform. Assoc. 22(e1), e28–e33 (2014). https://doi.org/10.1136/amiajnl-2013-002605
Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5:1–5:29 (2014). https://doi.org/10.1145/2619091
Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638. Association for Computing Machinery, New York (2011). https://doi.org/10.1145/2046707.2046779
Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_17
Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 531–548. USENIX Association, Baltimore (August 2018). https://www.usenix.org/conference/usenixsecurity18/presentation/harkous
Harris, K.D.: Privacy on the go. Tech. rep., California Department of Justice (2013)
Hart, K.: Privacy policies are read by an aging few. Tech. rep. (2019)
Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 639–652. ACM, New York (2011). https://doi.org/10.1145/2046707.2046780
Li, J., Sun, L., Yan, Q., Li, Z., Srisa-an, W., Ye, H.: Significant permission identification for machine-learning-based Android malware detection. IEEE Trans. Ind. Inform. 14(7), 3216–3225 (2018)
Liau, D., Zaeem, R.N., Barber, K.S.: Evaluation framework for future privacy protection systems: a dynamic identity ecosystem approach. In: 2019 17th International Conference on Privacy, Security and Trust (PST), pp. 1–3. IEEE (2019)
Liu, C., Arnett, K.P.: An examination of privacy policies in fortune 500 web sites. Am. J. Bus. 17(1), 13–22 (2002). https://doi.org/10.1108/19355181200200001
Nokhbeh Zaeem, R., Barber, K.S.: A study of web privacy policies across industries. J. Inf. Priv. Secur. 13(4), 169–185 (2017)
Zaeem, R.N., Budalakoti, S., Barber, K.S., Rasheed, M., Bajaj, C.: Predicting and explaining identity risk, exposure and cost using the ecosystem of identity attributes. In: 2016 IEEE International Carnahan Conference on Security Technology (ICCST), pp. 1–8. IEEE (2016)
O’Loughlin, K., Neary, M., Adkins, E.C., Schueller, S.M.: Reviewing the data security and privacy policies of mobile apps for depression. Internet Interv. 15, 110–115 (2019). https://doi.org/10.1016/j.invent.2018.12.001. http://www.sciencedirect.com/science/article/pii/S2214782918300460
Petkos, G., Papadopoulos, S., Kompatsiaris, Y.: PScore: a framework for enhancing privacy awareness in online social networks. In: 2015 10th International Conference on Availability, Reliability and Security, pp. 592–600 (2015)
Rana, R., Zaeem, R.N., Barber, K.S.: Us-centric vs. international personally identifiable information: a comparison using the UT CID identity ecosystem. In: 2018 International Carnahan Conference on Security Technology (ICCST), pp. 1–5. IEEE (2018)
Raoa, A., et al.: Using the middle to meddle with mobile. Tech. rep., Northeastern University (2013)
Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1077–1093 (2017)
Zaeem, R.N., Barber, K.S.: The effect of the GDPR on privacy policies: recent progress and future promise. ACM Trans. Manag. Inf. Syst. (2020). to Appear
Zaeem, R.N., German, R.L., Barber, K.S.: PrivacyCheck: automatic summarization of privacy policies using data mining. ACM Trans. Internet Technol. 18(4), 1–18 (2018). https://doi.org/10.1145/3127519
Zaeem, R.N., Manoharan, M., Barber, K.S.: Risk kit: highlighting vulnerable identity assets for specific age groups. In: 2016 European Intelligence and Security Informatics Conference (EISIC), pp. 32–38. IEEE (2016)
Zaeem, R.N., Manoharan, M., Yang, Y., Barber, K.S.: Modeling and analysis of identity threat behaviors through text mining of identity theft stories. Comput. Secur. 65, 50–63 (2017)
Zaiss, J., Nokhbeh Zaeem, R., Barber, K.S.: Identity threat assessment and prediction. J. Consum. Aff. 53(1), 58–70 (2019). https://doi.org/10.1111/joca.12191
Zhu, H., Xiong, H., Ge, Y., Chen, E.: Mobile app recommendations with security and privacy awareness. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD 2014, pp. 951–960. Association for Computing Machinery, New York (2014). https://doi.org/10.1145/2623330.2623705
Zuo, C., Lin, Z., Zhang, Y.: Why does your data leak? Uncovering the data leakage in cloud from mobile apps. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1296–1310 (2019)
Acknowledgments
This work was in part funded by the Center for Identity’s Strategic Partners. The complete list of Partners can be found at the following URL: https://identity.utexas.edu/strategic-partners.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Chang, K.C., Zaeem, R.N., Barber, K.S. (2020). A Framework for Estimating Privacy Risk Scores of Mobile Apps. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_13
Download citation
DOI: https://doi.org/10.1007/978-3-030-62974-8_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-62973-1
Online ISBN: 978-3-030-62974-8
eBook Packages: Computer ScienceComputer Science (R0)