After Over-Privileged Permissions: Using Technology and Design to Create Legal Compliance
Consumers in the mobile ecosystem can putatively protect their privacy with the use of application permissions. However, this requires the mobile device owners to understand permissions and their privacy implications. Yet, few consumers appreciate the nature of permissions within the mobile ecosystem, often failing to appreciate the privacy permissions that are altered when updating an app. Even more concerning is the lack of understanding of the wide use of third-party libraries, most of which are installed with automatic permissions, that is, permissions that must be granted to allow the application to function appropriately. Unsurprisingly, many of these third-party permissions violate consumers’ privacy expectations and thereby, become “over-privileged” to the user. Consequently, an obscurity of privacy expectations between what is practiced by the private sector and what is deemed appropriate by the public sector is exhibited. Despite the growing attention given to privacy in the mobile ecosystem, legal literature has largely ignored the implications of mobile permissions. This article seeks to address this omission by analyzing the impacts of mobile permissions and the privacy harms experienced by consumers of mobile applications. The authors call for the review of industry self-regulation and the overreliance upon simple notice and consent. Instead, the authors set out a plan for greater attention to be paid to socio-technical solutions, focusing on better privacy protections and technology embedded within the automatic permission-based application ecosystem.
Comprehension of Ads-supported and Paid Android Applications: Are They Different?
The Android market is a place where developers offer paid and/or free apps to
users. Free apps are interesting to users because they can try them immediately
without incurring a monetary cost. However, free apps often have limited
features and/or contain ads when compared to their paid counterparts. Thus,
users may eventually need to pay to get additional features and/or remove ads.
While paid apps have clear market values, their ads-supported versions are not
entirely free because ads have an impact on performance.
In this paper, first, we perform an exploratory study about ads-supported and
paid apps to understand their differences in terms of implementation and
development process. We analyze 40 Android apps and we observe that (i)
ads-supported apps are preferred by users although paid apps have a better
rating, (ii) developers do not usually offer a paid app without a corresponding
free version, (iii) ads-supported apps usually have more releases and are
released more often than their corresponding paid versions, (iv) there is no
clear strategy about the way developers set prices of paid apps, (v) paid apps
do not usually include more functionalities than their corresponding
ads-supported versions, (vi) developers do not always remove ad networks in
paid versions of their ads-supported apps, and (vii) paid apps require fewer
permissions than ads-supported apps. Second, we carry out an experimental study
to compare the performance of ads-supported and paid apps and we propose four
equations to estimate the cost of ads-supported apps. We obtain that (i)
ads-supported apps use more resources than their corresponding paid versions
with statistically significant differences and (ii) paid apps could be
considered a most cost-effective choice for users because their cost can be
amortized in a short period of time, depending on their usage.
Comment: Accepted for publication in the proceedings of the IEEE International
Conference on Program Comprehension 201
Encouraging Privacy-Aware Smartphone App Installation: Finding out what the Technically-Adept Do
Smartphone apps can harvest very personal details
from the phone with ease. This is a particular privacy concern.
Unthinking installation of untrustworthy apps constitutes risky
behaviour. This could be due to poor awareness or a lack of knowhow:
knowledge of how to go about protecting privacy. It seems
that Smartphone owners proceed with installation, ignoring any
misgivings they might have, and thereby irretrievably sacrifice
their privacy
Using Hover to Compromise the Confidentiality of User Input on Android
We show that the new hover (floating touch) technology, available in a number
of today's smartphone models, can be abused by any Android application running
with a common SYSTEM_ALERT_WINDOW permission to record all touchscreen input
into other applications. Leveraging this attack, a malicious application
running on the system is therefore able to profile user's behavior, capture
sensitive input such as passwords and PINs as well as record all user's social
interactions. To evaluate our attack we implemented Hoover, a proof-of-concept
malicious application that runs in the system background and records all input
to foreground applications. We evaluated Hoover with 40 users, across two
different Android devices and two input methods, stylus and finger. In the case
of touchscreen input by finger, Hoover estimated the positions of users' clicks
within an error of 100 pixels and keyboard input with an accuracy of 79%.
Hoover captured users' input by stylus even more accurately, estimating users'
clicks within 2 pixels and keyboard input with an accuracy of 98%. We discuss
ways of mitigating this attack and show that this cannot be done by simply
restricting access to permissions or imposing additional cognitive load on the
users since this would significantly constrain the intended use of the hover
technology.
Comment: 11 page
PlaceRaider: Virtual Theft in Physical Spaces with Smartphones
As smartphones become more pervasive, they are increasingly targeted by
malware. At the same time, each new generation of smartphone features
increasingly powerful onboard sensor suites. A new strain of sensor malware has
been developing that leverages these sensors to steal information from the
physical environment (e.g., researchers have recently demonstrated how malware
can listen for spoken credit card numbers through the microphone, or feel
keystroke vibrations using the accelerometer). Yet the possibilities of what
malware can see through a camera have been understudied. This paper introduces
a novel visual malware called PlaceRaider, which allows remote attackers to
engage in remote reconnaissance and what we call virtual theft. Through
completely opportunistic use of the camera on the phone and other sensors,
PlaceRaider constructs rich, three dimensional models of indoor environments.
Remote burglars can thus download the physical space, study the environment
carefully, and steal virtual objects from the environment (such as financial
documents, information on computer monitors, and personally identifiable
information). Through two human subject studies we demonstrate the
effectiveness of using mobile devices as powerful surveillance and virtual
theft platforms, and we suggest several possible defenses against visual
malware