4. App stores sell apps
• How we distribute software on mobile devices
• Lots of choice of apps
• Partially curated by store owners
• Mainly for malware and quality control
• …but some still slips through
• …especially in the third-party stores
5. Apps access data
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
6. …but it’s mostly legitimate
• Location and movements: Google Maps
• Who you speak to and what you text: Facebook Messenger
• What you install: Amazon’s app store
• What you look at on the internet: anything web based (everything)
• Your camera and microphone: Instagram
7. …but it’s maybe legitimate?
• Location and movements: local advertising
• Who you speak to and what you text: marketing
• What you install: analytics
• What you look at on the internet: targeted advertising
• Your camera and microphone: …spying?
10. Privacy preferences
• Fantastic paper from SOUPS 2014
• Modeling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, Jialiu Lin, Bin Liu, Norman Sadeh and Jason I. Hong
• Worked out why particular apps request particular permissions (the purpose behind each request)
• Asked users whether they were comfortable with each of those purposes
11. Four kinds of users
• From the users’ answers they discovered four different
clusters of users
• Conservatives (12%)
• Advanced (18%)
• Fencesitters (48%)
• Unconcerned (22%)
12.
• Unconcerned users didn’t care
  • Happy to disclose data to third parties
  • A little uncomfortable granting account info to social networks
• Fencesitters seemed ambivalent
  • Didn’t actively like or dislike anything
  • User fatigue?
• Conservatives really care
  • Don’t want anyone to have anything for any reason
• Advanced users are concerned but pragmatic
  • Okay giving social networks info
  • Okay giving coarse information
13. Users have privacy preferences
• Do they make app choices on the basis of them?
• Can we help them make that decision?
• Can we warn them when they’re making a bad decision?
16. AppPAL
• Based on SecPAL, an authorisation language used for access control in distributed systems
• Written in Java, runs on Android
• Lets principals (users) make judgements about apps
19. alice says App isRunnable
    if App meets(conservativePolicy).
20. The same rule, annotated:
• variable: App (stands for any app the rule is queried about)
• conditional: if … (the assertion holds only when the body is satisfied)
• constants: alice (the principal making the assertion) and conservativePolicy
21. alice says App isRunnable
    if App meets(workPolicy)
    where currentLocation(work) = true,
          hasPermission(App, location) = true.
22. The same rule, annotated:
• currentLocation(work) = true: a constraint checked at query time, against the device’s state when the query is made
• hasPermission(App, location) = true: a constraint implicit in the app, a property of the app itself rather than of the current environment
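A toy evaluator for the two rules above, added here as an example; it is a small Python model written for this page, not the Java AppPAL implementation. It assumes a policy is approximated by the set of permissions it bans, that currentLocation is answered from an environment dictionary the caller supplies at query time, and that hasPermission is answered from the app’s manifest permissions. The package names, permission subsets and the contents of the two policies are constructed for the example.

```python
"""Toy model of the AppPAL rules on slides 19-22 (constructed Python example, not the Java AppPAL)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List

# Android permission strings as they appear in a manifest (constructed subset).
LOCATION = "android.permission.ACCESS_FINE_LOCATION"
CONTACTS = "android.permission.READ_CONTACTS"
CAMERA = "android.permission.CAMERA"


@dataclass(frozen=True)
class App:
    package: str
    permissions: FrozenSet[str]  # what the manifest requests


# Assumption: a policy is approximated by the set of permissions it bans.
POLICIES: Dict[str, FrozenSet[str]] = {
    "conservativePolicy": frozenset({LOCATION, CONTACTS, CAMERA}),
    "workPolicy": frozenset({CONTACTS, CAMERA}),  # assumption: at work, location is tolerated
}

Env = Dict[str, str]  # device state at query time, e.g. {"currentLocation": "work"}
Constraint = Callable[[App, Env], bool]


def meets(app: App, policy: str) -> bool:
    """App meets(policy): the manifest requests none of the banned permissions."""
    return not (app.permissions & POLICIES[policy])


def has_permission(app: App, perm: str) -> bool:
    """hasPermission(App, perm): implicit in the app, answered from its manifest."""
    return perm in app.permissions


def current_location(env: Env, place: str) -> bool:
    """currentLocation(place): checked at query time against the device's state."""
    return env.get("currentLocation") == place


@dataclass
class Rule:
    """alice says App isRunnable if App meets(policy) where <constraints>."""
    policy: str
    constraints: List[Constraint] = field(default_factory=list)


ALICE_SAYS_RUNNABLE: List[Rule] = [
    # alice says App isRunnable if App meets(conservativePolicy).
    Rule("conservativePolicy"),
    # alice says App isRunnable if App meets(workPolicy)
    #   where currentLocation(work) = true, hasPermission(App, location) = true.
    Rule("workPolicy", [
        lambda app, env: current_location(env, "work"),   # checked at query time
        lambda app, env: has_permission(app, LOCATION),  # implicit in the app
    ]),
]


def is_runnable(app: App, env: Env, rules: List[Rule] = ALICE_SAYS_RUNNABLE) -> bool:
    """Query 'alice says <app> isRunnable': true if any rule's body and constraints all hold."""
    return any(
        meets(app, rule.policy) and all(c(app, env) for c in rule.constraints)
        for rule in rules
    )


# Constructed apps.
NOTES = App("com.example.notes", frozenset())
MAPS = App("com.example.maps", frozenset({LOCATION}))
CHAT = App("com.example.chat", frozenset({CONTACTS, CAMERA}))

if __name__ == "__main__":
    for app in (NOTES, MAPS, CHAT):
        for place in ("home", "work"):
            print(app.package, place, is_runnable(app, {"currentLocation": place}))
```

The two annotations on the slide map onto the two constraint functions: current_location consults env, which the caller supplies when the query is made, while has_permission reads only the app. The same app therefore gets different answers as env changes between queries, which is the case a one-off install-time permission screen cannot express.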
31. Plan of attack
• Get data about which users installed which apps (this data is hard to get)
• Express Lin et al.’s privacy policies in AppPAL
• Check what percentage of a user’s apps meet the policy
• If a user is following a policy we’d expect them to mostly install apps which satisfy it
33. Carat
• Project from UC Berkeley and University of Helsinki
• Measures power usage of the apps on your phone
• Also collects anonymised app installation
data for researchers
• Users replaced with an incrementing number
• Apps replaced with hash of package name
34. Carat
• We identified 4,300 apps out of ~90,000 (matched the hash back to a package name we could fetch and inspect)
• Selected 44,000 users for whom we knew at least 20 app installations (after discounting system apps and common apps like Facebook and Twitter)
35. Privacy policies in AppPAL
• Approximated the Lin et al. policies as sets of permissions
• If a group of users felt uncomfortable about a permission for any reason we banned it
• Not as subtle as we’d like but a reasonable approximation
Banned permissions per cluster (C = Conservatives, A = Advanced, F = Fencesitters, U = Unconcerned; ✘ = banned for that group; rows with fewer than four marks are shown as extracted, their column alignment was not preserved):
Permission              C A F U
GET_ACCOUNTS            ✘ ✘ ✘ ✘
ACCESS_FINE_LOCATION    ✘ ✘ ✘
READ_CONTACTS           ✘ ✘ ✘
READ_PHONE_STATE        ✘ ✘
SEND_SMS                ✘ ✘
ACCESS_COARSE_LOCATION  ✘
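The measurement from the plan of attack (slides 31 to 35) carried through on constructed data, added here as an example; it is written for this page and is not the authors’ code, and nothing in it is real Carat data. It assumes Carat’s anonymisation is an incrementing user number and a hash of the package name (SHA-256 is assumed, the slides do not say which hash), that the 4,300 identified apps are a lookup from hash to manifest permissions, and that policies are the banned-permission sets of the table. GET_ACCOUNTS banned for everyone and ACCESS_COARSE_LOCATION banned only for Conservatives follow the table; which of the Advanced and Fencesitter columns the remaining rows belong to is an assumption made for the example.

```python
"""Fraction of each user's identified apps that meets each approximated policy.
Constructed Python example in the shape of the Carat-style data described on the slides;
not the authors' code and not real Carat data."""
import hashlib
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

P = "android.permission."
GROUPS = ("C", "A", "F", "U")  # Conservatives, Advanced, Fencesitters, Unconcerned

# Banned-permission sets approximating the Lin et al. clusters. GET_ACCOUNTS banned for everyone
# and ACCESS_COARSE_LOCATION banned only for C follow the slide; the split of the remaining rows
# between A and F is an assumption made for this example.
BANNED: Dict[str, FrozenSet[str]] = {
    "C": frozenset({P + "GET_ACCOUNTS", P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS",
                    P + "READ_PHONE_STATE", P + "SEND_SMS", P + "ACCESS_COARSE_LOCATION"}),
    "A": frozenset({P + "GET_ACCOUNTS", P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS",
                    P + "READ_PHONE_STATE", P + "SEND_SMS"}),
    "F": frozenset({P + "GET_ACCOUNTS", P + "ACCESS_FINE_LOCATION", P + "READ_CONTACTS"}),
    "U": frozenset({P + "GET_ACCOUNTS"}),
}


def app_id(package: str) -> str:
    """Carat replaces package names with a hash; the function is unstated, SHA-256 is assumed."""
    return hashlib.sha256(package.encode()).hexdigest()


# Constructed stand-in for the identified apps: hash -> permissions taken from the manifest.
KNOWN: Dict[str, FrozenSet[str]] = {
    app_id("com.example.notes"): frozenset(),
    app_id("com.example.torch"): frozenset({P + "CAMERA"}),
    app_id("com.example.maps"): frozenset({P + "ACCESS_FINE_LOCATION", P + "ACCESS_COARSE_LOCATION"}),
    app_id("com.example.chat"): frozenset({P + "READ_CONTACTS", P + "GET_ACCOUNTS"}),
    app_id("com.example.weather"): frozenset({P + "ACCESS_COARSE_LOCATION"}),
}

# Constructed install records (user number, app hash). User 3 has one app we never identified.
INSTALLS: List[Tuple[int, str]] = [
    (1, app_id("com.example.notes")), (1, app_id("com.example.torch")),
    (2, app_id("com.example.maps")), (2, app_id("com.example.chat")), (2, app_id("com.example.notes")),
    (3, app_id("com.example.weather")), (3, app_id("com.example.notes")), (3, app_id("com.example.unknown")),
]


def meets(permissions: FrozenSet[str], group: str) -> bool:
    """An app meets a group's policy if it requests none of the permissions that group bans."""
    return not (permissions & BANNED[group])


def compliance(installs: List[Tuple[int, str]], known: Dict[str, FrozenSet[str]],
               min_apps: int = 2) -> Dict[int, Dict[str, float]]:
    """Per user, the fraction of their identified apps meeting each group's policy.

    Unidentified hashes are skipped (we cannot check what we cannot decode) and users with fewer
    than min_apps identified apps are dropped, as the talk did with a threshold of 20.
    """
    per_user: Dict[int, List[FrozenSet[str]]] = defaultdict(list)
    for user, h in installs:
        if h in known:
            per_user[user].append(known[h])
    return {
        user: {g: sum(meets(p, g) for p in perm_sets) / len(perm_sets) for g in GROUPS}
        for user, perm_sets in per_user.items()
        if len(perm_sets) >= min_apps
    }


def always_compliant(result: Dict[int, Dict[str, float]], group: str) -> List[int]:
    """Users all of whose sampled apps meet the policy: the 1.0 bin of the histogram."""
    return sorted(u for u, fracs in result.items() if fracs[group] == 1.0)


if __name__ == "__main__":
    res = compliance(INSTALLS, KNOWN)
    for user, fracs in sorted(res.items()):
        print(user, {g: round(f, 2) for g, f in fracs.items()})
    for g in GROUPS:
        print(g, "always:", always_compliant(res, g))
```

Two of the limitations the talk lists show up directly in the code: an install whose hash is not in the lookup contributes nothing, so the fraction is over a sample of the user’s apps, and the permissions come from whichever version of the app was decoded, which need not be the version the user installed.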
36. Limitations
• We’re using an approximation of the policies
• We have only a partial purchase history
• …so we can only test if a sample of a user’s apps meet the
policies
• We might not have the same version as the user
• Permissions can increase or decrease; apps change
• …but typically only increase
39. [Figure: histogram of user count (0 to 30,000) against the fraction of each user’s apps meeting a policy (0.00 to 1.00), one series per policy: C, A, F, U.]
• Almost no one follows a policy all the time
50.
• What people say and what people do are two different things
• Being picky seems to stop you installing rubbish
• AppPAL works great for exploring properties of apps
52.
• On-device policy checking
  • check your installed apps against a policy
• Building stores with policies
  • searching and building stores with policies
• What is causing this disconnect?
  • fatigue? lack of awareness? lack of choice?