论文信息 - Bind your phone number with caution: automated user profiling through address book matching on smartphone

Bind your phone number with caution: automated user profiling through address book matching on smartphone

Due to the cost-efficient communicating manner and attractive user experience, messenger applications have dominated every smartphone in recent years. Nowadays, Address Book Matching, a new feature that helps people keep in touch with real world contacts, has been loaded in many popular messenger applications, which unfortunately as well brings severe privacy issues to users. In this paper, we propose a novel method to abuse such feature to automatically collect user profiles. This method can be applied to any application equipped with Address Book Matching independent of mobile platforms. We also build a prototype on Android to verify the effectiveness of our method. Moreover, we integrate profiles gathered from different messenger applications and provide insights by performing a consistency and authenticity analysis on user profile fields. As our experiments show, the abuse of Address Book Matching can cause severe user privacy leakage. Finally, we provide some countermeasures for developers to avoid this issue when designing messenger applications.

[1] Christopher Krügel,et al. PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[2] Markus Jakobsson,et al. Why and How to Perform Fraud Experiments , 2008, IEEE Security & Privacy.

[3] Alastair R. Beresford,et al. MockDroid: trading privacy for application functionality on smartphones , 2011, HotMobile '11.

[4] Christopher Krügel,et al. Abusing Social Networks for Automated User Profiling , 2010, RAID.

[5] Jessica Staddon,et al. Indirect content privacy surveys: measuring privacy without asking about it , 2011, SOUPS.

[6] Leyla Bilge,et al. All your contacts are belong to us: automated identity theft attacks on social networks , 2009, WWW '09.

[7] Edgar R. Weippl,et al. Guess Who's Texting You? Evaluating the Security of Smartphone Messaging Applications , 2012, NDSS.

[8] Byung-Gon Chun,et al. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[9] Yajin Zhou,et al. Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.