Is Your Phone You? How Privacy Policies of Mobile Apps Allow the Use of Your Personally Identifiable Information

People continue to store their sensitive information in their smart-phone applications. Users seldom read an app’s privacy policy to see how their information is being collected, used, and shared. In this paper, using a reference list of over 600 Personally Identifiable Information (PII) attributes, we investigate the privacy policies of 100 popular health and fitness mobile applications in both Android and iOS app markets to find the set of personal information these apps collect, use and share. The reference list of PII was independently built from a longitudinal study at The University of Texas investigating thousands of identity theft and fraud cases where PII attributes and associated value and risks were empirically quantified. This research leverages the reference PII list to identify and analyze the value of personal information collected by the mobile apps and the risk of disclosing this information. We found that the set of PII collected by these mobile apps covers 35% of the entire reference set of PII and, due to dependencies between PII attributes, these mobile apps have a likelihood of indirectly impacting 70% of the reference PII if breached. For a specific app, we discovered the monetary loss could reach $1M if the set of sensitive data it collects is breached. We finally utilize Bayesian inference to measure risks of a set of PII gathered by apps: the probability that fraudsters can discover, impersonate and cause harm to the user by misusing only the PII the mobile apps collected.

[1]  Malcolm Hall,et al.  ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing , 2013, MobiSys '13.

[2]  K. Suzanne Barber,et al.  Enhancing and Evaluating Identity Privacy and Authentication Strength by Utilizing the Identity Ecosystem , 2018, WPES@CCS.

[3]  Agusti Solanas,et al.  Security and Privacy Analysis of Mobile Health Applications: The Alarming State of Practice , 2018, IEEE Access.

[4]  Shuang Zhao,et al.  I Know Where You All Are! Exploiting Mobile Social Apps for Large-Scale Location Privacy Probing , 2016, ACISP.

[5]  Hao Chen,et al.  AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[6]  John Conyers,et al.  U.S. Citizenship and Immigration Services , 2020, Federal Regulatory Guide.

[7]  Kim-Kwang Raymond Choo,et al.  A Generic Process to Identify Vulnerabilities and Design Weaknesses in iOS Healthcare Apps , 2015, 2015 48th Hawaii International Conference on System Sciences.

[8]  Chandrajit L. Bajaj,et al.  Predicting and explaining identity risk, exposure and cost using the ecosystem of identity attributes , 2016, 2016 IEEE International Carnahan Conference on Security Technology (ICCST).

[9]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[10]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[11]  Ali Sunyaev,et al.  Availability and quality of mobile health app privacy policies , 2015, J. Am. Medical Informatics Assoc..

[12]  Mark Rowan,et al.  A Privacy Policy Comparison of Health and Fitness Related Mobile Applications , 2014, EUSPN/ICTH.

[13]  Lorrie Faith Cranor,et al.  "Little brothers watching you": raising awareness of data leaks on smartphones , 2013, SOUPS.

[14]  Arnaud Legout,et al.  Using the Middle to Meddle with Mobile , 2013 .

[15]  D. Wetherall,et al.  A Study of Third-Party Tracking by Mobile Apps in the Wild , 2012 .

[16]  Razieh Nokhbeh Zaeem,et al.  Identity Threat Assessment and Prediction , 2019 .

[17]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[18]  Eric Smith iPhone Applications & Privacy Issues: An Analysis of Application Transmission of iPhone Unique Device Identifiers (UDIDs) , 2010 .

[19]  Chang Liu,et al.  An Examination of Privacy Policies in Fortune 500 Web Sites , 2002 .

[20]  George Theodorakopoulos,et al.  Sensitive Data in Smartphone Applications: Where Does It Go? Can It Be Intercepted? , 2017, ATCS/SePrIoT@SecureComm.