Category: Publications

Evaluating and Redefining Smartphone Permissions with Contextualized Justifications for Mobile Augmented Reality Apps (SOUPS ’21)

Abstract: Augmented reality (AR), and specifically mobile augmented reality (MAR), gained much public attention after the success of Pokémon Go in 2016, and since then has found application in online games, social media, entertainment, real estate, interior design, and other services. MAR apps are highly dependent on real time context-specific information provided by the different sensors […]

Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck (USENIX Sec ’20)

Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with POLICHECK. In Proceedings of the 29th USENIX Security Symposium. USENIX Assoc., Berkeley, CA, USA. 2020.

Empirical Measurement of Systemic 2FA Usability (USENIX Sec ’20)

Abstract: Two-Factor Authentication (2FA) hardens an organization against user account compromise, but adds an extra step to organizations’ mission-critical tasks. We investigate to what extent quantitative analysis of operational logs of 2FA systems both supports and challenges recent results from user studies and surveys identifying usability challenges in 2FA systems. Using tens of millions of logs […]

“You’ve Got Your Nice List of Bugs, Now What?” Vulnerability Discovery and Management Processes in the Wild (SOUPS ’20)

Abstract: Organizational security teams have begun to specialize, and as a result, the existence of red, blue, and purple teams have been used as signals for an organization’s security maturity. There is also now a rise in the use of third-party contractors who offer services such as incident response or penetration testing. Additionally, bug bounty programs […]

Disaster Privacy/Privacy Disaster (JASIST ’20)

Abstract: Privacy expectations during disasters differ significantly from nonemergency situations. This paper explores the actual privacy practices of popular disaster apps, highlighting location information flows. Our empirical study compares content analysis of privacy policies and government agency policies, structured by the contextual integrity framework, with static and dynamic app analysis documenting the personal data sent by […]

Privacy Controls for Always-Listening Devices (NSPW ’19)

Abstract: Intelligent voice assistants (IVAs) and other voice-enabled devices already form an integral component of the Internet of Things and will continue to grow in popularity. As their capabilities evolve, they will move beyond relying on the wake-words today’s IVAs use, engaging instead in continuous listening. Though potentially useful, the continuous recording and analysis of speech […]

Nudge Me Right: Personalizing Online Security Nudges to People’s Decision-Making Styles (CHB ’20)

Abstract: Nudges are simple and effective interventions that alter the architecture in which people make choices in order to help them make decisions that could benefit themselves or society. For many years, researchers and practitioners have used online nudges to encourage users to choose stronger and safer passwords. However, the effects of such nudges have been […]

Conducting Privacy-Sensitive Surveys: A Case Study of Civil Society Organizations (CHI Workshops ’20)

Abstract: Compared to other organizations, civil society organizations (CSOs) often operate in elevated-risk contexts, and attacks against them carry much greater ramifications, including threats to freedom of expression, liberty, and life. We aim to capture the factors that affect the attitudes and intentions of CSO employees to engage in security and privacy behaviors by using a […]

The Price is (Not) Right: Comparing Privacy in Free and Paid Apps (PETS ’20)

Abstract: It is commonly assumed that “free” mobile apps come at the cost of consumer privacy and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by comparing the privacy practices of free apps and their paid premium versions, while also gauging […]

Investigating Users’ Preferences and Expectations for Always-Listening Voice Assistants (IMWUT ’19)

Abstract: Many consumers now rely on different forms of voice assistants, both stand-alone devices and those built into smartphones. Currently, these systems react to specific wake-words, such as “Alexa,” “Siri,” or “Ok Google.” However, with advancements in natural language processing, the next generation of voice assistants could instead always listen to the acoustic environment and proactively […]