Application Transiency: Towards a Fair Trade of Personal Information for Application Services

Smartphone users are offered a plethora of applications providing services, such as games and entertainment. In 2018, 94% of applications on Google Play were advertised as “free”. However, many of these applications obtain undefined amounts of personal information from unaware users. In this paper, we introduce transiency: a privacy-enhancing feature that prevents applications from running unless explicitly opened by the user. Transient applications can only collect sensitive user information while they are being used, and remain disabled otherwise. We show that a transient app would not be able to detect a sensitive user activity, such as a daily commute to work, unless it was used during the activity. We define characteristics of transient applications and find that, of the top 100 free apps on Google Play, 88 could be made transient. By allowing the user to decide when to allow an app to collect their data, we move towards a fair trade of personal information for application services.
