Skip to main content
SpringerLink
Log in

A Framework for Estimating Privacy Risk Scores of Mobile Apps

  • Conference paper
  • First Online:
Information Security (ISC 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12472))

Included in the following conference series:

Abstract

With the rapidly growing popularity of smart mobile devices, the number of mobile applications available has surged in the past few years. Such mobile applications collect a treasure trove of Personally Identifiable Information (PII) attributes (such as age, gender, location, and fingerprints). Mobile applications, however, are many and often not well understood, especially for their privacy-related activities and functions. To fill this critical gap, we recommend providing an automated yet effective assessment of the privacy risk score of each application. The design goal is that the higher the score, the higher the potential privacy risk of this mobile application. Specifically, we consider excessive data access permissions and risky privacy policies. We first calculate the privacy risk of over 600 PII attributes through a longitudinal study of over 20 years of identity theft and fraud news reporting. Then, we map the access rights and privacy policies of each smart application to our dataset of PII to analyze what PII the application collects, and then calculate the privacy risk score of each smart application. Finally, we report our extensive experiments of 100 open source applications collected from Google Play to evaluate our method. The experimental results clearly prove the effectiveness of our method.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Google Play. https://play.google.com/store

  2. Immuniweb® Mobile App Scanner. https://www.htbridge.com

  3. Itap Report 2019. Tech. rep., Center for Identity, University of Texas at Austin (2019)

    Google Scholar 

  4. Agarwal, Y., Hall, M.: ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing, pp. 97–110 (June 2013). https://doi.org/10.1145/2462456.2464460

  5. Au, K., Zhou, Y., Huang, Z., Gill, P., Lie, D.: Short paper: a look at smartphone permission models. In: Proceedings of the 1st ACM Workshop on Security and Privacy in Smartphones and Mobile Devices (October 2011). https://doi.org/10.1145/2046614.2046626

  6. Chang, K.C., Zaeem, R.N., Barber, K.S.: Enhancing and evaluating identity privacy and authentication strength by utilizing the identity ecosystem. In: Proceedings of the 2018 Workshop on Privacy in the Electronic Society, pp. 114–120. ACM (2018)

    Google Scholar 

  7. Chang, K.C., Zaeem, R.N., Barber, K.S.: Internet of Things: securing the identity by analyzing ecosystem models of devices and organizations. In: 2018 AAAI Spring Symposium Series (2018)

    Google Scholar 

  8. Chen, C.J., Zaeem, R.N., Barber, K.S.: Statistical analysis of identity risk of exposure and cost using the ecosystem of identity attributes. In: 2019 European Intelligence and Security Informatics Conference (EISIC), pp. 32–39. IEEE (2019)

    Google Scholar 

  9. Dehling, T., Sunyaev, A., Taylor, P.L., Mandl, K.D.: Availability and quality of mobile health app privacy policies. J. Am. Med. Inform. Assoc. 22(e1), e28–e33 (2014). https://doi.org/10.1136/amiajnl-2013-002605

    Article  Google Scholar 

  10. Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Trans. Comput. Syst. 32(2), 5:1–5:29 (2014). https://doi.org/10.1145/2619091

    Article  Google Scholar 

  11. Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 627–638. Association for Computing Machinery, New York (2011). https://doi.org/10.1145/2046707.2046779

  12. Gibler, C., Crussell, J., Erickson, J., Chen, H.: AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds.) Trust 2012. LNCS, vol. 7344, pp. 291–307. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-30921-2_17

    Chapter  Google Scholar 

  13. Harkous, H., Fawaz, K., Lebret, R., Schaub, F., Shin, K.G., Aberer, K.: Polisis: automated analysis and presentation of privacy policies using deep learning. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 531–548. USENIX Association, Baltimore (August 2018). https://www.usenix.org/conference/usenixsecurity18/presentation/harkous

  14. Harris, K.D.: Privacy on the go. Tech. rep., California Department of Justice (2013)

    Google Scholar 

  15. Hart, K.: Privacy policies are read by an aging few. Tech. rep. (2019)

    Google Scholar 

  16. Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren’t the droids you’re looking for: retrofitting android to protect data from imperious applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, CCS 2011, pp. 639–652. ACM, New York (2011). https://doi.org/10.1145/2046707.2046780

  17. Li, J., Sun, L., Yan, Q., Li, Z., Srisa-an, W., Ye, H.: Significant permission identification for machine-learning-based Android malware detection. IEEE Trans. Ind. Inform. 14(7), 3216–3225 (2018)

    Article  Google Scholar 

  18. Liau, D., Zaeem, R.N., Barber, K.S.: Evaluation framework for future privacy protection systems: a dynamic identity ecosystem approach. In: 2019 17th International Conference on Privacy, Security and Trust (PST), pp. 1–3. IEEE (2019)

    Google Scholar 

  19. Liu, C., Arnett, K.P.: An examination of privacy policies in fortune 500 web sites. Am. J. Bus. 17(1), 13–22 (2002). https://doi.org/10.1108/19355181200200001

    Article  Google Scholar 

  20. Nokhbeh Zaeem, R., Barber, K.S.: A study of web privacy policies across industries. J. Inf. Priv. Secur. 13(4), 169–185 (2017)

    Google Scholar 

  21. Zaeem, R.N., Budalakoti, S., Barber, K.S., Rasheed, M., Bajaj, C.: Predicting and explaining identity risk, exposure and cost using the ecosystem of identity attributes. In: 2016 IEEE International Carnahan Conference on Security Technology (ICCST), pp. 1–8. IEEE (2016)

    Google Scholar 

  22. O’Loughlin, K., Neary, M., Adkins, E.C., Schueller, S.M.: Reviewing the data security and privacy policies of mobile apps for depression. Internet Interv. 15, 110–115 (2019). https://doi.org/10.1016/j.invent.2018.12.001. http://www.sciencedirect.com/science/article/pii/S2214782918300460

    Article  Google Scholar 

  23. Petkos, G., Papadopoulos, S., Kompatsiaris, Y.: PScore: a framework for enhancing privacy awareness in online social networks. In: 2015 10th International Conference on Availability, Reliability and Security, pp. 592–600 (2015)

    Google Scholar 

  24. Rana, R., Zaeem, R.N., Barber, K.S.: Us-centric vs. international personally identifiable information: a comparison using the UT CID identity ecosystem. In: 2018 International Carnahan Conference on Security Technology (ICCST), pp. 1–5. IEEE (2018)

    Google Scholar 

  25. Raoa, A., et al.: Using the middle to meddle with mobile. Tech. rep., Northeastern University (2013)

    Google Scholar 

  26. Wijesekera, P., et al.: The feasibility of dynamically granted permissions: aligning mobile privacy with user preferences. In: 2017 IEEE Symposium on Security and Privacy (SP), pp. 1077–1093 (2017)

    Google Scholar 

  27. Zaeem, R.N., Barber, K.S.: The effect of the GDPR on privacy policies: recent progress and future promise. ACM Trans. Manag. Inf. Syst. (2020). to Appear

    Google Scholar 

  28. Zaeem, R.N., German, R.L., Barber, K.S.: PrivacyCheck: automatic summarization of privacy policies using data mining. ACM Trans. Internet Technol. 18(4), 1–18 (2018). https://doi.org/10.1145/3127519

    Article  Google Scholar 

  29. Zaeem, R.N., Manoharan, M., Barber, K.S.: Risk kit: highlighting vulnerable identity assets for specific age groups. In: 2016 European Intelligence and Security Informatics Conference (EISIC), pp. 32–38. IEEE (2016)

    Google Scholar 

  30. Zaeem, R.N., Manoharan, M., Yang, Y., Barber, K.S.: Modeling and analysis of identity threat behaviors through text mining of identity theft stories. Comput. Secur. 65, 50–63 (2017)

    Article  Google Scholar 

  31. Zaiss, J., Nokhbeh Zaeem, R., Barber, K.S.: Identity threat assessment and prediction. J. Consum. Aff. 53(1), 58–70 (2019). https://doi.org/10.1111/joca.12191

    Article  Google Scholar 

  32. Zhu, H., Xiong, H., Ge, Y., Chen, E.: Mobile app recommendations with security and privacy awareness. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, KDD 2014, pp. 951–960. Association for Computing Machinery, New York (2014). https://doi.org/10.1145/2623330.2623705

  33. Zuo, C., Lin, Z., Zhang, Y.: Why does your data leak? Uncovering the data leakage in cloud from mobile apps. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 1296–1310 (2019)

    Google Scholar 

Download references

Acknowledgments

This work was in part funded by the Center for Identity’s Strategic Partners. The complete list of Partners can be found at the following URL: https://identity.utexas.edu/strategic-partners.

Author information

Authors and Affiliations

  1. The University of Texas at Austin, Austin, TX, 78712, USA

    Kai Chih Chang, Razieh Nokhbeh Zaeem & K. Suzanne Barber

Authors
  1. Kai Chih Chang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Razieh Nokhbeh Zaeem
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. K. Suzanne Barber
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Kai Chih Chang .

Editor information

Editors and Affiliations

  1. Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia

    Willy Susilo

  2. Singapore Management University, Singapore, Singapore

    Robert H. Deng

  3. Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia

    Fuchun Guo

  4. Institute of Cybersecurity and Cryptology, University of Wollongong, Wollongong, NSW, Australia

    Yannan Li

  5. Informatics, Petra Christian University, Surabaya, Indonesia

    Rolly Intan

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Chang, K.C., Zaeem, R.N., Barber, K.S. (2020). A Framework for Estimating Privacy Risk Scores of Mobile Apps. In: Susilo, W., Deng, R.H., Guo, F., Li, Y., Intan, R. (eds) Information Security. ISC 2020. Lecture Notes in Computer Science(), vol 12472. Springer, Cham. https://doi.org/10.1007/978-3-030-62974-8_13

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-62974-8_13

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-62973-1

  • Online ISBN: 978-3-030-62974-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation