Styx: Design and Evaluation of a New Privacy Risk Communication Method for Smartphones

Modern smartphone platforms are highly privacy-affecting but do not effectively communicate their privacy impacts to their users. In particular, current privacy risk communication approaches do not consider the actual data-access behavior of apps. We argue that factors such as the frequency of access to sensitive information significantly affect the privacy-invasiveness of applications. We introduce Styx, a novel privacy risk communication system that provides the user with more meaningful privacy information based on the actual behavior of apps. In a proof-of-concept study, we evaluate the effectiveness of Styx. Our results show that more meaningful privacy warnings can increase user trust in smartphone platforms and also reduce privacy concerns.
