Abstract Like most modern software, secure messaging apps rely on third-party components to implement important app functionality. Although this practice reduces engineering costs, it also introduces the risk of inadvertent privacy breaches due to misconfiguration errors or incomplete documentation. Our research investigated secure messaging apps’ usage of Google’s Firebase Cloud Messaging (FCM) service to send push […]
Tag: mobile
Log: It’s Big, It’s Heavy, It’s Filled with Personal Data! Measuring the Logging of Sensitive Information in the Android Ecosystem (USENIX Sec ’23)
Abstract Android offers a shared system that multiplexes all logged data from all system components, including both the operating system and the console output of apps that run on it. A security mechanism ensures that user-space apps can only read the log entries that they create, though many “privileged” apps are exempt from this restriction. This […]
Lessons in VCR Repair: Compliance of Android App Developers with the California Consumer Privacy Act (CCPA) (PETS ’23)
Abstract The California Consumer Privacy Act (CCPA) provides California residents with a range of enhanced privacy protections and rights. Our research investigated the extent to which Android app developers comply with the provisions of the CCPA that require them to provide consumers with accurate privacy notices and respond to “verifiable consumer requests” (VCRs) by disclosing personal […]
Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps (PETS ’22)
Abstract We investigate the privacy compliance processes followed by developers of child-directed mobile apps. While children’s online privacy laws have existed for decades in the US, prior research found relatively low rates of compliance. Yet, little is known about how compliance issues come to exist and how compliance processes can be improved to address them. […]
Users’ Expectations About and Use of Smartphone Privacy and Security Settings (CHI ’22)
Abstract With the growing smartphone penetration rate, smartphone settings remain one of the main models for information privacy and security controls. Yet, their usability is largely understudied, especially with respect to the usability impact on underrepresented socio-economic and low-tech groups. In an online survey with 178 users, we find that many people are not aware of […]
Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with PoliCheck (USENIX Sec ’20)
Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. Actions Speak Louder than Words: Entity-Sensitive Privacy Policy and Data Flow Analysis with POLICHECK. In Proceedings of the 29th USENIX Security Symposium. USENIX Assoc., Berkeley, CA, USA. 2020.
Disaster Privacy/Privacy Disaster (JASIST ’20)
Abstract Privacy expectations during disasters differ significantly from nonemergency situations. This paper explores the actual privacy practices of popular disaster apps, highlighting location information flows. Our empirical study compares content analysis of privacy policies and government agency policies, structured by the contextual integrity framework, with static and dynamic app analysis documenting the personal data sent by […]
The Price is (Not) Right: Comparing Privacy in Free and Paid Apps (PETS ’20)
Abstract It is commonly assumed that “free” mobile apps come at the cost of consumer privacy and that paying for apps could offer consumers protection from behavioral advertising and long-term tracking. This work empirically evaluates the validity of this assumption by comparing the privacy practices of free apps and their paid premium versions, while also gauging […]
50 Ways to Leak Your Data: An Exploration of Apps’ Circumvention of the Android Permissions System (USENIX Sec ’19)
Abstract Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels. Side channels present in the implementation of the permission system allow apps to access the data […]
On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies (ConPro ’19)
Abstract The dominant privacy framework of the information age relies on notions of “notice and consent.” That is, service providers will disclose, often through privacy policies, their data collection practices, and users can then consent to their terms. However, it is unlikely that most users comprehend these disclosures, which is due in no small part to […]