Contextualizing Privacy Decisions for Better Prediction (and Protection)

Modern mobile operating systems implement an ask-on-first-use policy to regulate applications' access to private user data: the user is prompted to allow or deny access to a sensitive resource the first time an app attempts to use it. Prior research shows that this model may not adequately capture user privacy preferences because subsequent requests may occur under varying contexts. To address this shortcoming, we implemented a novel privacy management system in Android, in which we use contextual signals to build a classifier that predicts user privacy preferences under various scenarios. We performed a 37-person field study to evaluate this new permission model under normal device usage. From our exit interviews and collection of over 5 million data points from participants, we show that this new permission model reduces the error rate by 75% (i.e., fewer privacy violations), while preserving usability. We offer guidelines for how platforms can better support user privacy decision making.
