Are people picky about what Android apps they'll install? No. Does anyone care? Yes.

1. Using Authorization Logic to
Capture User Policies in
Mobile Ecosystems
Joseph Hallett
J.Hallett@sms.ed.ac.uk

2. Are people picky about
what they’ll install?

3. no!
(mostly)

4. App stores sell apps
• How we distribute software on mobile devices
• Lots of choice of apps
• Partially curated by store owners
• Mainly for malware and quality control
• …but some still slips through
• …especially in the third-party stores

5. Apps access data
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone

6. …but it’s mostly legitimate
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
google maps
facebook messager
amazon’s app store
anything web based
(everything)
instagram

7. …but it’s maybe legitimate?
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
local advertising
marketing
analytics
targeted advertising
…spying?

8. Does anyone care?

9. yes!

10. Privacy preferences
• Fantastic paper from SOUPS 2014
• Modelling Users’ Mobile App Privacy Preferences:
Restoring Usability in a Sea of Permission Settings
Jialiu Lin, Bin Liu, Norman Sadeh, Jason I. Hong
• Figured out why some apps need certain permissions
• Asked users if they were okay with that

11. Four kinds of users
• From the users’ answers they discovered four different
clusters of users
• Conservatives (12%)
• Advanced (18%)
• Fencesitters (48%)
• Unconcerned (22%)

12. • Unconcerned users didn’t care
• Happy to disclose data to third
parties
• Little bit uncomfortable granting
account info to social networks
• Fencesitters seemed ambivalent
• Didn’t actively like or dislike
anything
• User fatigue?
• Conservatives really care
• Don’t want anyone to have
anything for any reason
• Advanced users are concerned
but pragmatic
• Okay giving social networks info
• Okay giving coarse information

13. Users have privacy preferences
• Do they make app choices on the basis of them?
• Can we help them make that decision?
• Can we warn them when they’re making a bad decision?

14. AppPAL

15. an authorization logic
for picking apps

16. AppPAL
• Based on SecPAL
• Used for access control in distributed systems
• Written in Java, runs on Android
• Lets principals (users) make judgements about apps

17. alice says
apk://com.rovio.angrybirds
isRunnable.

18. alice says
apk://com.rovio.angrybirds
isRunnable.
speaker
subject
predicate

19. alice says App isRunnable
if App meets(conservativePolicy).

20. alice says App isRunnable
if App meets(conservativePolicy).
variables
conditionals
constant

21. alice says App isRunnable
if App meets(workPolicy)
where currentLocation(work) = true,
hasPermission(App, location) = true.

22. constraint
checked at
query time
implicit in
the app
alice says App isRunnable
if App meets(workPolicy)
where currentLocation(work) = true,
hasPermission(App, location) = true.

23. alice says itdepartment can-say
App meets(workPolicy).

24. alice says itdepartment can-say
App meets(workPolicy).
delegationdelegatee

25. alice says itdepartment can-say inf
App meets(workPolicy).
strictly speaking
either delegation where
further delegation is
allowed or…

26. alice says itdepartment can-say 0
App meets(workPolicy).
…where it is not

27. alice says
ian can-act-as itdepartment.

28. alice says
ian can-act-as itdepartment.
role
assignment

29. alice says
apk://com.rovio.angrybirds.space
can-act-as
apk://com.rovio.angrybirds
role
assignment
not limited to
speakers

30. So do users follow
privacy policies?

31. Plan of attack
• Get data about which users installed which apps
• Express Lin et al.’s privacy policies in AppPAL
• Check what percentage of a user’s apps met the policy
• If a user is following a policy we’ll expect them to mostly
install apps which satisfy the policy

32. Plan of attack
• Get data about which users installed which apps
• Express Lin et al.’s privacy policies in AppPAL
• Check what percentage of a user’s apps met the policy
• If a user is following a policy we’ll expect them to mostly
install apps which satisfy the policy
this data is
hard to get

33. Carat
• Project from UC Berkeley and University of Helsinki
• Measures power usage of the apps on your phone
• Also collects anonymised app installation
data for researchers
• Users replaced with an incrementing number
• Apps replaced with hash of package name

34. Carat
• We identified 4,300 apps out of ~90,000
• Selected 44,000 users for whom we knew
at least 20 app installations
• (after taking into account system and
common apps like Facebook and Twitter)

35. Privacy policies in AppPAL
• Approximated the Lin et al.
policies as sets of permissions
• If a group of users felt
uncomfortable about a
permission for any reason we
banned it.
• Not as subtle as we’d like but a
reasonable approximation.
C A F U
GET_ACCOUNTS ✘ ✘ ✘ ✘
ACCESS_FINE_LOCATION ✘ ✘ ✘
READ_CONTACT ✘ ✘ ✘
READ_PHONE_STATE ✘ ✘
SEND_SMS ✘ ✘
ACCESS_COARSE_LOCATION ✘

36. Limitations
• We’re using an approximation of the policies
• We have only a partial purchase history
• …so we can only test if a sample of a user’s apps meet the
policies
• We might not have the same version as the user
• Permissions can increase or decrease; apps change
• …but typically only increase

37. Results

38. 0
10000
20000
30000
0.00 0.25 0.50 0.75 1.00
%age of user’s apps meeting policy
Usercount
variable
C
A
F
U

39. 0
10000
20000
30000
0.00 0.25 0.50 0.75 1.00
%age of user’s apps meeting policy
Usercount
variable
C
A
F
UAlmost
no one follows
a policy all the
time

40. 0
10000
20000
30000
0.00 0.25 0.50 0.75 1.00
%age of user’s apps meeting policy
Usercount
variable
C
A
F
U
…or even
some of the
time

41. C A F U
≥ 50%
179
(0.41%)
206
(0.47%)
696
(1.58%)
2390
(5.43%)
≥ 60%
45
(0.10%)
49
(0.11%)
209
(0.48%)
867
(2.0%)
≥ 70%
18
(0.04%)
19
(0.04%)
79
(0.18%)
331
(0.75%)
≥ 80%
15
(0.03%)
16
(0.04%)
49
(0.11%)
151
(0.34%)
≥ 90%
13
(0.03%)
14
(0.03%)
37
(0.08%)
69
(0.16%)
= 100%
13
(0.03%)
14
(0.03%)
37
(0.08%)
67
(0.15%)

42. C A F U
≥ 50%
179
(0.41%)
206
(0.47%)
696
(1.58%)
2390
(5.43%)
≥ 60%
45
(0.10%)
49
(0.11%)
209
(0.48%)
867
(2.0%)
≥ 70%
18
(0.04%)
19
(0.04%)
79
(0.18%)
331
(0.75%)
≥ 80%
15
(0.03%)
16
(0.04%)
49
(0.11%)
151
(0.34%)
≥ 90%
13
(0.03%)
14
(0.03%)
37
(0.08%)
69
(0.16%)
= 100%
13
(0.03%)
14
(0.03%)
37
(0.08%)
67
(0.15%)
but it
isn’t zero

43. What about malware?

44. 0
50
100
150
0.7 0.8 0.9 1.0
%age of user’s apps meeting policy
Usercount
variable
not PUP
not Malware

45. 0
50
100
150
0.7 0.8 0.9 1.0
%age of user’s apps meeting policy
Usercount
variable
not PUP
not Malware
Almost
no malware
installed

46. Do users who follow a policy
install less malware?

47. 0.80
0.85
0.90
0.95
1.00
0.00 0.25 0.50 0.75 1.00
%age of apps meeting ‘Advanced’ policy
%ageofappsmeeting‘Not−PUP’policy

48. yes!
0.80
0.85
0.90
0.95
1.00
0.00 0.25 0.50 0.75 1.00
%age of apps meeting ‘Advanced’ policy
%ageofappsmeeting‘Not−PUP’policy

49. So what did we learn?

50. • What people say and what people do are
two different things
• Being picky seems to stop you installing rubbish
• AppPAL works great for exploring properties of apps

51. What is next?

52. • On device policy checking
• check your installed apps against a policy
• Building stores with policies
• searching and building stores with policies
• What is causing this disconnect?
• fatigue? lack of awareness? lack of choice?

53. thanks!
J.Hallett@sms.ed.ac.uk