©2014 Carnegie Mellon University : 1 
How to Analyze the Privacy 
of 1 Million Smartphone Apps 
Oct 30 2014 
Jason Hong 
j...
©2014 Carnegie Mellon University : 2 
In the near future, our 
smartphones will know 
everything about us
©2014 Carnegie Mellon University : 3 
Smartphones are Intimate 
• Mobile phones and 
millennials (Cisco 2012): 
• 75% use ...
©2014 Carnegie Mellon University : 4 
Lots of Data on Smartphones 
Who we know 
(contact list) 
Who we call 
(call log) 
W...
©2014 Carnegie Mellon University : 5 
Lots of Data on Smartphones 
Where we go 
(gps, foursquare) 
Photos 
(some geotagged...
©2014 Carnegie Mellon University : 6 
The Opportunity 
• We are creating 
a worldwide 
sensor network 
with these 
smartph...
©2014 Carnegie Mellon University : 7 
These Capabilities Can Be 
Used for Tremendous Good 
• Ex. detecting onset of depres...
©2014 Carnegie Mellon University : 8 
These Capabilities Can Also 
Be Creepy and Invasive 
Shared your location, 
gender, ...
©2014 Carnegie Mellon University : 9 
Many Smartphone Apps Have 
“Unusual” Permissions 
Location Data 
Unique device ID 
L...
Nissan Maxima Gear Shift 
©2014 Carnegie Mellon University : 10
©2014 Carnegie Mellon University : 11 
Privacy as Expectations 
• Apply this same idea of mental 
models for privacy 
– Co...
©2014 Carnegie Mellon University : 12 
85% users were surprised this app 
sent their phone’s unique ID to 
mobile ads prov...
©2014 Carnegie Mellon University : 13 
Results for Location Data 
(N=20 per app, Expectations Condition) 
App Comfort Leve...
Scaling Up to 1 Million Apps 
©2014 Carnegie Mellon University : 14
©2014 Carnegie Mellon University : 15 
Scaling Up to 1 Million Apps 
• Crawled 1M apps on Google Play 
• Created a model t...
©2014 Carnegie Mellon University : 16
©2014 Carnegie Mellon University : 17 
What 
permissions 
used and why
©2014 Carnegie Mellon University : 18 
Libraries are 
reusable pieces 
of code 
Most sensitive 
data requests 
due to thir...
©2014 Carnegie Mellon University : 19 
Check it out at 
privacygrade.org
©2014 Carnegie Mellon University : 20 
Reflections on Privacy 
• FTC overwhelmed by sheer numbers 
– Too many web sites, h...
©2014 Carnegie Mellon University : 21 
Reflections on Privacy 
• FTC (and third parties) need better tools 
to detect priv...
©2014 Carnegie Mellon University : 22 
Reflections on Privacy 
• Operating Systems / App Markets 
– Nearly every app distr...
©2014 Carnegie Mellon University : 23 
Thanks! 
More info at cmuchimps.org 
or email jasonh@cs.cmu.edu 
• Shah Amini 
• So...
Upcoming SlideShare
Loading in …5
×

How to Analyze the Privacy of 1 Million Smartphone Apps

25,785 views

Published on

These slides are from a briefing to Congressional staffers about privacy, October 30 2014. It talks about our ongoing work with PrivacyGrade.org, which uses crowdsourcing techniques plus static analysis techniques to infer the privacy-related behaviors of apps.

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
25,785
On SlideShare
0
From Embeds
0
Number of Embeds
13,064
Actions
Shares
0
Downloads
6
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Professor in School of Computer Science at Carnegie Mellon University
    Past work
    Anti-phishing research
    Wombat Security
    Location privacy
  • Jason Hong / jasonh@cs.cmu.edu
    I’m a computer scientist, and I’ve been working with sensor-based systems for 15 years
    My claim: in the near future, smartphones will know everything about us
    Our Smartphones will know if we are depressed or not / what our carbon footprint is / what our information needs are before we even know what we need

    Images from
    http://www.androidtapp.com/how-simple-is-your-smartphone-to-use-funny-videos/
    http://www.sfgate.com/crime/article/Absorbed-device-users-oblivious-to-danger-4876709.php#photo-5278749
    http://www.reneweduponadream.com/2012/09/business-without-smartphone-dont-let-it.html
  • Main stats on this page are from:
    http://www.cisco.com/c/en/us/solutions/enterprise/connected-world-technology-report/index.html#~2012

    Additional stats about mobile phones:
    http://www.pewinternet.org/fact-sheets/mobile-technology-fact-sheet/

    -----------------------

    What’s also interesting are trends in how people use these smartphones
    http://blog.sciencecreative.com/2011/03/16/the-authentic-online-marketer/

    http://www.generationalinsights.com/millennials-addicted-to-their-smartphones-some-suffer-nomophobia/
    In fact, Millennials don’t just sleep with their smartphones. 75% use them in bed before going to sleep and 90% check them again first thing in the morning.  Half use them while eating and third use them in the bathroom. A third check them every half hour. Another fifth check them every ten minutes. A quarter of them check them so frequently that they lose count.

    http://www.androidtapp.com/how-simple-is-your-smartphone-to-use-funny-videos/

    Pew Research Center
    Around 83 percent of those 18- to 29-year-olds sleep with their cell phones within reach. 
    http://persquaremile.com/category/suburbia/
  • Pushing further, smartphone data is really intimate
    Location, call logs, SMS, pics, more
  • A grand challenge for computer science
    http://www.flickr.com/photos/robby_van_moor/478725670/
  • On the left is Nissan Maxima gear shift. It turns out my brother was driving in 3rd gear for over a year before I pointed out to him that 3 and D are separate. The older Nissan Maxima gear shift on the right makes it hard to make this mistake.
  • Lin et al, Expectation and Purpose: Understanding User’s Mental Models of Mobile App Privacy thru Crowdsourcing. Ubicomp 2012.
  • In expectations condition, people were told app used a permission but not why.
  • We created a predictive model of people’s concerns using a combination of static analysis and crowdsourcing.
  • DARPA
    Google
    CMU CyLab
  • How to Analyze the Privacy of 1 Million Smartphone Apps

    1. 1. ©2014 Carnegie Mellon University : 1 How to Analyze the Privacy of 1 Million Smartphone Apps Oct 30 2014 Jason Hong jasonh@cs.cmu.edu Computer Human Interaction: Mobility Privacy Security
    2. 2. ©2014 Carnegie Mellon University : 2 In the near future, our smartphones will know everything about us
    3. 3. ©2014 Carnegie Mellon University : 3 Smartphones are Intimate • Mobile phones and millennials (Cisco 2012): • 75% use in bed before sleep • 83% sleep with their phones • 90% check first thing in the morning • A third use in bathroom (!!) • A fifth check every ten minutes
    4. 4. ©2014 Carnegie Mellon University : 4 Lots of Data on Smartphones Who we know (contact list) Who we call (call log) Who we text (sms log)
    5. 5. ©2014 Carnegie Mellon University : 5 Lots of Data on Smartphones Where we go (gps, foursquare) Photos (some geotagged) Sensors (accel, sound, light)
    6. 6. ©2014 Carnegie Mellon University : 6 The Opportunity • We are creating a worldwide sensor network with these smartphones • Can analyze human behavior unprecedented fidelity and scale
    7. 7. ©2014 Carnegie Mellon University : 7 These Capabilities Can Be Used for Tremendous Good • Ex. detecting onset of depression • Ex. understanding cities • Ex. next-gen intelligent agents
    8. 8. ©2014 Carnegie Mellon University : 8 These Capabilities Can Also Be Creepy and Invasive Shared your location, gender, unique phone ID, phone# with advertisers Uploaded your entire contact list to their server (including phone #s)
    9. 9. ©2014 Carnegie Mellon University : 9 Many Smartphone Apps Have “Unusual” Permissions Location Data Unique device ID Location Data Network Access Unique device ID Location Data Unique device ID
    10. 10. Nissan Maxima Gear Shift ©2014 Carnegie Mellon University : 10
    11. 11. ©2014 Carnegie Mellon University : 11 Privacy as Expectations • Apply this same idea of mental models for privacy – Compare what people expect an app to do vs what an app actually does – Emphasize the biggest gaps, misconceptions that many people had App Behavior (What an app actually does) User Expectations (What people think the app does)
    12. 12. ©2014 Carnegie Mellon University : 12 85% users were surprised this app sent their phone’s unique ID to mobile ads providers. 25% users were surprised this app sent their approximate location to dictionary.com for searching nearby words. 10% users were surprised this app wrote contents to their SD card. 0% users were surprised this app could control their audio settings. See all 95% users were surprised this app sent their approximate location to mobile ads providers. 95% users were surprised this app sent their phone’s unique ID to mobile ads providers. 90% users were surprised this app sent their precise location to mobile ads providers. 0% users were surprised this app can control camera flashlight.
    13. 13. ©2014 Carnegie Mellon University : 13 Results for Location Data (N=20 per app, Expectations Condition) App Comfort Level (-2 – 2) Maps 1.52 GasBuddy 1.47 Weather Channel 1.45 • People more Foursquare 0.95 TuneIn Radio 0.60 Evernote 0.15 Angry Birds -0.70 Brightest Flashlight Free -1.15 Toss It -1.2 comfortable when told why app used data (even ads) • Our work helped influence FTC in fining Brightest Flashlight in Dec 2013
    14. 14. Scaling Up to 1 Million Apps ©2014 Carnegie Mellon University : 14
    15. 15. ©2014 Carnegie Mellon University : 15 Scaling Up to 1 Million Apps • Crawled 1M apps on Google Play • Created a model to predict concerns – Ex. Contact list for social network mild – Ex. Contact list for ads very bad • Analyzed 1M apps for behaviors – Advertising, analytics, social net, other • Assigned grades based on model
    16. 16. ©2014 Carnegie Mellon University : 16
    17. 17. ©2014 Carnegie Mellon University : 17 What permissions used and why
    18. 18. ©2014 Carnegie Mellon University : 18 Libraries are reusable pieces of code Most sensitive data requests due to third-party libraries
    19. 19. ©2014 Carnegie Mellon University : 19 Check it out at privacygrade.org
    20. 20. ©2014 Carnegie Mellon University : 20 Reflections on Privacy • FTC overwhelmed by sheer numbers – Too many web sites, hardware, apps • Developers don’t know what to do – State of developer tools also poor • NSF funding flat, unpredictable • Business models predicated on leveraging lots of user data • Too much burden on end-users
    21. 21. ©2014 Carnegie Mellon University : 21 Reflections on Privacy • FTC (and third parties) need better tools to detect privacy problems – Scale up what FTC lawyers manually do today – Consider FTC fund 6.1, 6.2, 6.3 research • Expand NSF funding – Both education and research (centers) • Developers – Consider NIST holding developer conferences to work out best practices for privacy – Longer term: fund scholarships for privacy
    22. 22. ©2014 Carnegie Mellon University : 22 Reflections on Privacy • Operating Systems / App Markets – Nearly every app distributed via markets – Ex. Make devs more aware of 3rd party issues – Ex. Better tools to help average developer – Not clear if much government can do here other than embarrassing Google, Apple • Businesses – Slap wrist of most egregious to set tone – Need to be careful not to squelch innovation • Ex. Facebook Newsfeed initially unpopular – Clearer rules for advertisers
    23. 23. ©2014 Carnegie Mellon University : 23 Thanks! More info at cmuchimps.org or email jasonh@cs.cmu.edu • Shah Amini • Song Luan • Yuvraj Agarwal Special thanks to: • Army Research Office • NSF • Google • CMU Cylab • Jialiu Lin • Norman Sadeh

    ×