A Multilateral Privacy Impact Analysis Method for Android Applications

Orjiude, Kelly E.; Yinka-Banjo, Chika O.

doi:10.2478/ast-2022-0005

Abstract

Most people’s private lives can be monitored by smartphone applications (apps). Apps have the potential to invade private spaces, access and map social interactions, track users’ whereabouts, and track their online activities. Our interest is in the volume of data that a specific app can and seeks to retrieve on a smartphone. Smartphone app privacy friendliness is normally evaluated based on single-source analyses, which often do not offer a thorough assessment of the app’s actual privacy threats. In order to analyze Android apps’ privacy, this study proposes a multi-source methodology. Our data sets and methodology from app manifestos, privacy policies, vulnerability analysis and user reviews were described. Results from a case study on ten well-known finance applications operating in Nigeria were provided in order to assess our methodology. Our findings showed distinct patterns regarding the possible privacy implications of apps, with some of the apps in the data set infringing fundamental privacy principles. The case study’s findings reveal significant differences that can guide users in making relevant app choices.

References

Achara, J.P., Roca, V., Castelluccia, C., and Francillon, A. (2016). MobileAppScrutinator: A Simple yet Efficient Dynamic Analysis Approach for Detecting Privacy Leaks across Mobile OSs. https://doi.org/10.48550/arXiv.1605.08357
Search in Google Scholar Back to article
Achara, J. P., Acs, G., and Castelluccia, C. (2015). On the Unicity of Smartphone Applications, In Proceedings of the 14th ACM Workshop on Privacy in the Electronic Society (WPES ‘15). Association for Computing Machinery, New York, NY, USA, 27–36. https://doi.org/10.1145/2808138.280814610.1145/2808138.2808146
Search in Google Scholar Back to article
Alepis, E., Patsakis, C. (2019). Unravelling Security Issues of Runtime Permissions in Android, Journal of Hardware and Systems Security (3); 45–63. https://doi.org/10.1007/s41635-018-0053-210.1007/s41635-018-0053-2
Search in Google Scholar Back to article
Arp, D., Quiring, E., Wressneger, C., and Rieck, K. (2017). Privacy Threats through Ultrasonic Side Channels on Mobile Devices, IEEE European Symposium on Security and Privacy (EuroS&P); 35-47. https://doi.org/10.1109/EuroSP.2017.3310.1109/EuroSP.2017.33
Search in Google Scholar Back to article
Chin, E., Felt, A.P., Sekar, V., and Wagner, D.A. (2012). Measuring user confidence in smartphone security and privacy. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ‘12). Association for Computing Machinery, New York, NY, USA (Article 1); 1–16. https://doi.org/10.1145/2335356.233535810.1145/2335356.2335358
Search in Google Scholar Back to article
Benenson, Z., Kroll-Peters, O., and Krupp, M. (2012). Attitudes to IT Security when Using a Smartphone, Federated Conference on Computer Science and Information Systems (FedCSIS); 1179–1183.
Search in Google Scholar Back to article
Blumberg, A.J. and Eckersley, P. (2009). On locational privacy, and how to avoid losing it forever, Electronic Frontier Foundation. [cited 2021 June 22]. Available from: https://www.eff.org/files/eff-locational-privacy.pdf.
Search in Google Scholar Back to article
Book, T., Pridgen, A., and Wallach, D. S. (2013) Longitudinal analysis of Android ad library permissions. In Mobile Security Technologies (MoST), San Francisco, CA. https://doi.org/10.48550/arXiv.1303.0857
Search in Google Scholar Back to article
Cavoukian, A. (2010). Privacy by design: the definitive workshop. A foreword by Ann Cavoukian, Ph.D, vol 3 (2); 247–251. Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ‘12). Association for Computing Machinery, New York, NY, USA (Article 1); 1–16. https://doi.org/10.1007/s12394-010-0062-y10.1007/s12394-010-0062-y
Search in Google Scholar Back to article
Blumberg, A.J. and Eckersley, P. (2009). On locational privacy, and how to avoid losing it forever, Electronic Frontier Foundation. [cited 2021 June 22]. Available from: https://www.eff.org/files/eff-locational-privacy.pdf.
Search in Google Scholar Back to article
Egele, M., Brumley, D., Fratantonio, Y., and Kruegel, C. (2013). An empirical study of cryptographic misuse in android applications. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS ‘13), Association for Computing Machinery, New York, NY, USA; 73–84. https://doi.org/10.1145/2508859.251669310.1145/2508859.2516693
Search in Google Scholar Back to article
Enck, W., Gilbert, P., Chun, B. G., Cox, L. P., Jung, J., McDaniel, P., and Sheth, A. N. (2019). TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones, In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation; 393-407. https://doi.org/10.1145/249452210.1145/2494522
Search in Google Scholar Back to article
Enck, W., Octeau, D., McDaniel, P., and Chaudhuri, S. (2011). A Study of Android Application Security. Proceedings of the 20th USENIX Security Symposium, San Francisco, CA; 10-12.
Search in Google Scholar Back to article
Enck, W., Ongtang, M., Mcdaniel, P. (2009). On lightweight mobile phone application certification, In Proceedings of the 16th ACM conference on Computer and communications security (CCS ‘09), Association for Computing Machinery, New York, NY, USA; 235–245. https://doi.org/10.1145/1653662.165369110.1145/1653662.1653691
Search in Google Scholar Back to article
EU General Data Protection Regulation; 2016 [cited 2021 Aug 8]. Available from: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A02016R0679-20160504.
Search in Google Scholar Back to article
Fahl, S., Harbach, M., Muders, T., Baumgärtner, L., Freisleben, B., and Smith, M. (2012). Why eve and mallory love android: an analysis of android SSL (in)security, In Proceedings of the 2012 ACM conference on Computer and communications security (CCS ‘12), Association for Computing Machinery, New York, NY, USA; 50–61. https://doi.org/10.1145/2382196.238220510.1145/2382196.2382205
Search in Google Scholar Back to article
Felt, A. P., Egelman, S., and Wagner, D. (2012). I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns, In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices (SPSM ‘12), Association for Computing Machinery, New York, NY, USA; 33–44. https://doi.org/10.1145/2381934.238194310.1145/2381934.2381943
Search in Google Scholar Back to article
Felt, A. P., Ha, E., Egelman, S., Haney, A., Chin, E., and Wagner, D. (2012). Android permissions: user attention, comprehension, and behavior. In Proceedings of the Eighth Symposium on Usable Privacy and Security (SOUPS ‘12). Association for Computing Machinery, New York, NY, USA, Article 3;1–14. https://doi.org/10.1145/2335356.233536010.1145/2335356.2335360
Search in Google Scholar Back to article
Fife, E., and Orjuela, J. (2012). The Privacy Calculus: Mobile Apps and User Perceptions of Privacy and Security, International Journal of Engineering Business Management. 5(6); 7. https://doi.org/10.5772%2F51645
Search in Google Scholar Back to article
Fritsch, L. and Momen, N. (2017). Derived Partial Identities Generated from App Permissions, In: Fritsch, L., Roßnagel, H. and Hühnlein, D. (Hrsg.), Open Identity Summit 2017, Gesellschaft für Informatik, Bonn; 117-130.
Search in Google Scholar Back to article
Fritsch, L., and Abie, H. (2008). Towards a Research Road Map for the Management of Privacy Risks in Information Systems, In: Alkassar, A. & Siekmann, J. (Hrsg.), SICHERHEIT 2008 – Sicherheit, Schutz und Zuverlässigkeit. Beiträge der 4. Jahrestagung des Fachbereichs Sicherheit der Gesellschaft für Informatik e.V. (GI). Bonn: Gesellschaft für Informatik e. V; 1-15.
Search in Google Scholar Back to article
Gadaleta, M., and Rossi, M. (2018). IDNet: Smartphone-based Gait Recognition with Convolutional Neural Networks; 25-37. https://doi.org/10.48550/arXiv.1606.0323810.1016/j.patcog.2017.09.005
Search in Google Scholar Back to article
Google Developers (2021). Permissions on Android; [cited 2021 Oct 9]. Available from: https://developer.android.com/guide/topics/permissions/overview/.
Search in Google Scholar Back to article
Google-play-scraper 1.0.2; 2021 [cited 2021 Nov 8]. Available from: https://pypi.org/project/google-play-scraper/
Search in Google Scholar Back to article
Habib, S.M., Alexopoulos, N., Islam, M.M., Heider, J., Marsh, S., and Mühlhäuser, M. (2018). Trust4App: Automating Trustworthiness Assessment of Mobile Applications, 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE); 124-135. https://doi.org/10.1109/TrustCom%2FBigDataSE.2018.0002910.1109/TrustCom/BigDataSE.2018.00029
Search in Google Scholar Back to article
Hatamian, M. (2020). Engineering Privacy in Smartphone Apps: A Technical Guideline Catalog for App Developers, in IEEE Access, vol. 8; 35429-35445. https://doi.org/10.1109/ACCESS.2020.297491110.1109/ACCESS.2020.2974911
Search in Google Scholar Back to article
Hatamian, M., Serna, J., Rannenberg, K., and Igler, B. (2017). FAIR: Fuzzy Alarming Index Rule for Privacy Analysis in Smartphone Apps, In J. Lopez, S. Fischer-Hübner, & C. Lambrinoudakis (Eds.), Trust, Privacy and Security in Digital Business: 14th International Conference, TrustBus 2017, Lyon, France, Vol. 10442; pp. 3-18. https://doi.org/10.1007/978-3-319-64483-7_110.1007/978-3-319-64483-7_1
Search in Google Scholar Back to article
Ibrar F., Saleem H., Castle S., Malik M. Z. (2017). A Study of Static Analysis Tools to Detect Vulnerabilities of Branchless Banking Applications in Developing Countries, In Proceedings of the Ninth International Conference on Information and Communication Technologies and Development (ICTD ‘17), Association for Computing Machinery, New York, NY, USA, Article 30; 1–5.10.1145/3136560.3136595
Search in Google Scholar Back to article
Isaak, J. and Hanna, M. J. (2018). User Data Privacy: Facebook, Cambridge Analytica, and Privacy Protection, in Computer, vol. 51 (8); 56-59. https://doi.org/10.1109/MC.2018.319126810.1109/MC.2018.3191268
Search in Google Scholar Back to article
Jain, A.K. and Shanbhag, D. (2012). Addressing Security and Privacy Risks in Mobile Applications. IT Professional, 14; 28-33. https://doi.org/10.1109/MITP.2012.7210.1109/MITP.2012.72
Search in Google Scholar Back to article
Knorr K., Aspinall D., and Wolters M. (2015). On the privacy, security and safety of blood pressure and diabetes apps. In: IFIP International Information Security and Privacy Conference. Springer; 571–584. https://doi.org/10.1007/978-3-319-18467-8_3810.1007/978-3-319-18467-8_38
Search in Google Scholar Back to article
Kuehnhausen, M., and Frost, V.S. (2013). Trusting smartphone Apps? To install or not to install, that is the question. 2013 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support (CogSIMA); 30-37. https://doi.org/10.1109/CogSIMA.2013.652382010.1109/CogSIMA.2013.6523820
Search in Google Scholar Back to article
Kurtz, A., Gascon, H., Becker, T., Rieck, K. and Freiling, F. (2015). Fingerprinting Mobile Devices Using Personalized Configurations, Proceedings on Privacy Enhancing Technologies, Vol.2016 (Issue 1); 4-19. http://dx.doi.org/10.1515/popets-2015-002710.1515/popets-2015-0027
Search in Google Scholar Back to article
Leibenger, D., Möllers, F., Petrlic, A., Petrlic, R. and Sorge, C. (2016). Privacy Challenges in the Quantified Self Movement – An EU Perspective, Proceedings on Privacy Enhancing Technologies, Vol.2016 (Issue 4); 315-334. http://dx.doi.org/10.1515/popets-2016-004210.1515/popets-2016-0042
Search in Google Scholar Back to article
Leontiadis, I., Efstratiou, C., Picone, M., and Mascolo, C. (2012). Don’t kill my ads! balancing privacy in an ad-supported mobile application market, In Proceedings of the Twelfth Workshop on Mobile Computing Systems & Applications (HotMobile ‘12), Association for Computing Machinery, New York, NY, USA, Article 2; 1–6. http://dx.doi.org/10.1145/2162081.216208410.1145/2162081.2162084
Search in Google Scholar Back to article
Lin, J., Amini, S., Hong, J. I., Sadeh, N., Lindqvist, J., and Zhang, J. (2012). Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In Proceedings of the 2012 ACM Conference on Ubiquitous Computing (UbiComp ‘12), Association for Computing Machinery, New York, NY, USA; 501–510. http://dx.doi.org/10.1145/2370216.237029010.1145/2370216.2370290
Search in Google Scholar Back to article
Lin, J. (2013). Understanding and capturing people’s mobile app privacy preferences, Ph.D. Dissertation, Carnegie Mellon University, PA, USA; No. CMU-CS-13-127.
Search in Google Scholar Back to article
McDonald, A. M., and Cranor, L. F. (2008). The Cost of Reading Privacy Policies, I/S: A Journal of Law and Policy for the Information Society, 4(3); 540–565.
Search in Google Scholar Back to article
Melicher, W., Kurilova, D., Segreti, S. M., Kalvani, P., Shay, R., Ur, B., Bauer, L., Christin, N., Cranor, L. F., and Mazurek, M. L. (2016). Usability and Security of Text Passwords on Mobile Devices, In Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems (CHI ‘16), Association for Computing Machinery, New York, NY, USA; 527–539. https://doi.org/10.1145/2858036.285838410.1145/2858036.2858384
Search in Google Scholar Back to article
Mell, P., Scarfone, K., and Romanosky, S. (2007). A Complete Guide to the Common Vulnerability Scoring System Version 2.0. FIRST-Forum of Incident Response and Security Teams; 1-23.
Search in Google Scholar Back to article
Mobile Security Framework; 2020 [cited 2021 Oct 17]. Available from: https://github.com/MobSF/Mobile-Security-Framework-MobSF.
Search in Google Scholar Back to article
Momen, N. and Fritsch, L. (2020). App-generated digital identities extracted through Android permission-based data access - a survey of app privacy, In: Reinhardt, D., Langweg, H., Witt, B. C. and Fischer, M. (Hrsg.), SICHERHEIT 2020. Bonn: Gesellschaft für Informatik e.V; 15-28. https://doi.org/10.18420/sicherheit2020_01
Search in Google Scholar Back to article
Mylonas, A., Kastania, A., Gritzalis, D. (2012). Delegate the smartphone user? Security awareness in smartphone platforms. Comput. Secur. 34; 47–66. https://doi.org/10.1016/j.cose.2012.11.00410.1016/j.cose.2012.11.004
Search in Google Scholar Back to article
Nigeria Data Protection Regulation; 2019 [cited 2021 Aug 8]. Available from: https://ndpr.nitda.gov.ng/Content/Doc/NigeriaDataProtectionRegulation.pdf.
Search in Google Scholar Back to article
Olejnik, L., Acar, G., Castelluccia, C., and Díaz, C. (2015). The Leaking Battery: A Privacy Analysis of the HTML5 Battery Status API, Lecture Notes in Computer Science, vol. 9481; 254–263. https://doi.org/10.1007/978-3-319-29883-2_1810.1007/978-3-319-29883-2_18
Search in Google Scholar Back to article
Paintsil, E., and Fritsch, L. (2011). A Taxonomy of Privacy and Security Risks Contributing Factors. 6th International Summer School Conference on Privacy and Identity Management for Life, Aug 2010, Helsingborg, Sweden; 52-63. http://dx.doi.org/10.1007/978-3-642-20769-3_510.1007/978-3-642-20769-3_5
Search in Google Scholar Back to article
Paintsil, E., and Fritsch, L. (2013). Executable Model-Based Risk Analysis Method for Identity Management Systems : Using Hierarchical Colored Petri Nets Executable Model-Based Risk Assessment Method for Identity Management Systems, Trust, Privacy, and Security in Digital Business : 10th International Conference, TrustBus 2013, Prague, Czech Republic; 48–61. https://doi.org/10.1007/978-3-642-40343-9_510.1007/978-3-642-40343-9_5
Search in Google Scholar Back to article
Papageorgiou, A., Strigkos, M., Politou, E.A., Alepis, E., Solanas, A., and Patsakis, C. (2018). Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice, vol. 6; 9390-9403. https://doi.org/10.1109/access.2018.279952210.1109/ACCESS.2018.2799522
Search in Google Scholar Back to article
Qian, K., Parizi, R.M., and Lo, D.C. (2018). OWASP Risk Analysis Driven Security Requirements Specification for Secure Android Mobile Software Development, In 2018 IEEE Conference on Dependable and Secure Computing (DSC); 1-2. https://doi.org/10.1109/DESEC.2018.862511410.1109/DESEC.2018.8625114
Search in Google Scholar Back to article
Reidenberg, J.R., Breaux, T., Carnor, L.F. and French, B. (2015). Disagreeable privacy policies: Mismatches between meaning and users’ understanding. Berkeley Technology Law Journal 30(1); 39–68.
Search in Google Scholar Back to article
Ryan, F., Fritz, A., Impiombato, D., and Australian Strategic Policy Institute, International Cyber Policy Centre, issuing body. (2020). TikTok & Wechat : curating and controlling global information flows Australian Strategic Policy Institute, Barton, Australian Capital Territory [cited 2021 Jun 17]. Available from: http://www.jstor.org/stable/resrep26120.7.
Search in Google Scholar Back to article
Seneviratne, S., Seneviratne, A., Mohapatra, P., and Mahanti, A. (2014). Predicting user traits from a snapshot of apps installed on a smartphone. SIGMOBILE Mob. Comput. Commun. Rev. 18 (2); 1–8. http://dx.doi.org/10.1145/2636242.263624410.1145/2636242.2636244
Search in Google Scholar Back to article
Solove, D.J. (2011). Nothing to Hide: The False Tradeoff between Privacy and Security. Yale University Press.
Search in Google Scholar Back to article
Statista (2021). Number of apps available in leading app stores as of 1st quarter 2021; [cited 2021 Jun 17]. Available from: https://www.statista.com/statistics/276623/number-ofapps-available-in-leading-app-stores.
Search in Google Scholar Back to article
Turner, B. (2021). Mobile App Download and Usage Statistics; [cited 2021 Jun 17]. Available from: https://www.bankmycell.com/blog/how-many-phones-are-in-the-world.
Search in Google Scholar Back to article
Vallina-Rodriguez, N., Sundaresan, S., Razaghpanah, A., Nithyanand, R., Allman, M., Kreibich, C., and Gill, P. (2016). Tracking the Trackers: Towards Understanding the Mobile Advertising and Tracking Ecosystem. https://doi.org/10.48550/arXiv.1609.07190
Search in Google Scholar Back to article
Zhang Y., Yang Y., and Wang X. (2018). A Novel Android Malware Detection Approach Based on Convolutional Neural Network, In Proceedings of the 2nd International Conference on Cryptography, Security and Privacy (ICCSP 2018). Association for Computing Machinery, New York, NY, USA; 144–149. https://doi.org/10.1145/3199478.319949210.1145/3199478.3199492
Search in Google Scholar Back to article
Zou, Y., Zhu, J., Wang, X., and Hanzo, L. (2016). A Survey on Wireless Security: Technical Challenges, Recent Advances, and Future Trends, Proceedings of the IEEE, 104; 1727-1765. https://doi.org/10.1109/JPROC.2016.255852110.1109/JPROC.2016.2558521
Search in Google Scholar Back to article

A Multilateral Privacy Impact Analysis Method for Android Applications

Abstract

Paradigm

My account