Visual Configuration of Mobile Privacy Policies

  • Abdulbaki Aydin
  • David Piorkowski
  • Omer Tripp
  • Pietro Ferrara
  • Marco Pistoia
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10202)


Mobile applications often require access to private user information, such as the user or device ID, the location or the contact list. Usage of such data varies across different applications. A notable example is advertising. For contextual advertising, some applications release precise data, such as the user’s exact address, while other applications release only the user’s country. Another dimension is the user. Some users are more privacy demanding than others. Existing solutions for privacy enforcement are neither app- nor user-sensitive, instead performing general tracking of private data into release points like the Internet. The main contribution of this paper is in refining privacy enforcement by letting the user configure privacy preferences through a visual interface that captures the application’s screens enriched with privacy-relevant information. We demonstrate the efficacy of our approach w.r.t. advertising and analytics, which are the main (third-party) consumers of private user information. We have implemented our approach for Android as the VisiDroid system. We demonstrate VisiDroid’s efficacy via both quantitative and qualitative experiments involving top-popular Google Play apps. Our experiments include objective metrics, such as the average number of configuration actions per app, as well as a user study to validate the usability of VisiDroid.


Private Information · Offline Analysis · Privacy Enforcement · Privacy Threat · Configuration Task
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© Springer-Verlag GmbH Germany 2017

Authors and Affiliations

  • Abdulbaki Aydin (1)
  • David Piorkowski (2)
  • Omer Tripp (2)
  • Pietro Ferrara (2)
  • Marco Pistoia (2)

  1. University of California, Santa Barbara, USA
  2. IBM T.J. Watson Research Center, Yorktown Heights, USA
