    Expecting the Unexpected in Security Violations in Mobile Apps

    personal data. This increased access and control may raise users’ perception of heightened privacy leakage and security issues. This is especially the case if users’ awareness and expectations of this external access and control are not accurately reflected in proper security declarations. This proposal thus puts forward an investigation of the effect of mobile users’ privacy expectation disconfirmation on their continued usage intention for mobile apps sourced from app distribution stores. Drawing upon the APCO framework, the security awareness literature and the expectation-disconfirmation perspective, two key types of security awareness information are identified, namely access annotation and modification annotation. It is noted that these types of information can be emphasized in app distribution stores to reduce subsequent privacy expectation disconfirmation. Hence, this study plans to examine the downstream effect of privacy expectation disconfirmation on users’ continued usage intention. To operationalize this research, a laboratory experiment will be conducted.

    Understanding and measuring privacy violations in Android apps

    Increasing data collection and tracking of consumers by today’s online services is becoming a major problem for individuals’ rights. It raises a serious question about whether such data collection can be legally justified under legislation around the globe. Unfortunately, the community lacks insight into such violations in the mobile ecosystem. In this dissertation, we approach these problems by presenting a line of work that provides a comprehensive understanding of privacy violations in Android apps in the wild and automatically measures such violations at scale. First, we build an automated tool that detects unexpected data access based on user perception when interacting with the apps’ user interface. Subsequently, we perform a large-scale study on Android apps to understand how prevalent violations of GDPR’s explicit consent requirement are in the wild. Finally, until now, no study has systematically analyzed the currently implemented consent notices and whether they conform to GDPR in mobile apps. Therefore, we propose a mostly automated and scalable approach to identify the current practices of implemented consent notices. We then develop an automatic tool that detects data sent out to the Internet under different consent conditions. Our results show the urgent need for more transparent user interface designs to better inform users of data access, and call for new tools to support app developers in this endeavor.

    Android Permissions Remystified: A Field Study on Contextual Integrity

    Due to the amount of data that smartphone applications can potentially access, platforms enforce permission systems that allow users to regulate how applications access protected resources. If users are asked to make security decisions too frequently and in benign situations, they may become habituated and approve all future requests without regard for the consequences. If they are asked to make too few security decisions, they may become concerned that the platform is revealing too much sensitive information. To explore this tradeoff, we instrumented the Android platform to collect data regarding how often and under what circumstances smartphone applications access protected resources regulated by permissions. We performed a 36-person field study to explore the notion of "contextual integrity," that is, how often are applications accessing protected resources when users are not expecting it? Based on our collection of 27 million data points and exit interviews with participants, we examine the situations in which users would like the ability to deny applications access to protected resources. We found that at least 80% of our participants would have preferred to prevent at least one permission request, and overall, they thought that over a third of requests were invasive and desired a mechanism to block them.

    Tethering Applications and Open Internet Rules for the Mobile Broadband: Lessons from the FCC-Verizon Settlement

    This note investigates the regulation of mobile broadband using tethering applications as an example of how to apply net neutrality rules. Part II looks at the recent history of the FCC Open Internet regulations and the rapid advances in the speed, capabilities, and prevalence of mobile broadband as a primary means of Internet access. Part III discusses the 2012 settlement reached between Verizon and the FCC over Verizon's request that Google remove tethering apps from the Android Store. Following that, Part IV assesses the merits of the FCC's current approach to enforcing net neutrality policy via contractual provisions attached to the sale of blocks of the wireless spectrum at auction. Using the contrasting examples of iTether and the FCC-Verizon settlement, this note will argue that the current regulatory regime is ineffective because: (a) the FCC can only control blocking of mobile tethering apps through providers subject to wireless spectrum licensing terms (which state that licensees may not block apps); (b) in most cases, platform designers (e.g. Apple and Google), not providers, do the actual blocking by pulling tethering apps from their stores; and (c) therefore, the FCC cannot control the blocking of tethering apps in most cases.

    Uncertain Terms

    Health apps collect massive amounts of sensitive consumer data, including information about users’ reproductive lives, mental health, and genetics. As a result, consumers in this industry may shop for privacy terms when they select a product. Yet our research reveals that many digital health tech companies reserve the right to unilaterally amend their terms of service and their privacy policies. This ability to make one-sided changes undermines the market for privacy, leaving users vulnerable. Unfortunately, the current law generally tolerates unilateral amendments, despite fairness and efficiency concerns. We therefore propose legislative, regulatory, and judicial solutions to better protect consumers of digital health tech and beyond.

    Classification Models for Preventing Juvenile Crimes Committed with Malware Apps

    Spectacular developments recorded in the field of software engineering in recent years have flooded the software industry with series of computer apps such as dating apps, games apps, entertainment apps, banking apps, Photoshop apps, and meeting and virtual conferencing apps. Studies have shown that most computer apps are widely accessible to adults and juveniles to download and effortlessly navigate. However, researchers have now revealed the existence of malware apps as a new group of computer apps that strongly compete with legitimate computer apps, and the rates at which some juveniles adopt them to commit crimes. These discoveries have raised serious doubts about the elements of the crimes, the circumstances that lead vulnerable children to commit them, and how rarely these dilemmas have been buttressed by pragmatic studies over the years. This chapter adopts mixed methods to critically explore the above issues. Qualitative interviews of 60 teenagers (between the ages of 10 and 17) and 20 young adults (between the ages of 18 and 22), together with 5 professionals, were carried out. The analysis extended the generic elements of juvenile crime and raised new legal dilemmas regarding the concepts of transfer of criminal liability, compelled (or obligated) liability, the ‘act’ that constitutes juvenile crimes, and the restricted applicability of criminal consent to extremely young children who are still under the tutelage and guidance of their parents.

    Usability and Security in Medication Administration Applications

    The traditional process of filling the medicine trays and dispensing the medicines to the patients in hospitals is done manually by reading the printed paper medicine chart. This process can be very strenuous and error-prone, given the number of sub-tasks involved in the entire workflow and the dynamic nature of the work environment. Therefore, efforts are being made to digitalise the medication dispensation process by introducing a mobile application called the Smart Dosing application. The introduction of the Smart Dosing application into the hospital workflow raises security concerns and calls for security requirement analysis. This thesis is written as a part of the smart medication management project at the Embedded Systems Laboratory, Åbo Akademi University. The project aims at digitising the medicine dispensation process by integrating information from various health systems and making it available through the Smart Dosing application. This application is intended to be used on a tablet computer which will be incorporated into the medicine tray. The smart medication management system includes the medicine tray, the tablet device, and the medicine cups with the cup holders. Introducing the Smart Dosing application should not interfere with the existing process carried out by the nurses, and it should result in minimum modifications to the tray design and the workflow. The re-design of the tray would include integrating the device running the application into the tray in a manner that the users find convenient and that leads them to make fewer errors while using it. The main objective of this thesis is to enhance the security of the hospital medicine dispensation process by ensuring the security of the Smart Dosing application at various levels.
    The method used for writing this thesis was to analyse how the tray design and the application user interface design can help prevent errors, and what secure technology choices have to be made before starting the development of the next prototype of the Smart Dosing application. The thesis first establishes the context of use of the application, the end-users and their needs, and the errors made in the everyday medication dispensation workflow, through continuous discussions with the nursing researchers. The thesis then gains insight into the vulnerabilities, threats and risks of using a mobile application in the hospital medication dispensation process. The resulting list of security requirements was produced by analysing the previously built prototype of the Smart Dosing application, continuous interactive discussions with the nursing researchers, and an exhaustive state-of-the-art study on the security risks of using mobile applications in a hospital context. The thesis also uses the OCTAVE Allegro method to help readers understand the likelihood and impact of threats, and what steps should be taken to prevent or fix them. The security requirements obtained as a result are a starting point for the developers of the next iteration of the Smart Dosing application prototype.

    Client-Clinician Texting: An Expansion of the Clinical Holding Environment

    While there has been a surge in the texting literature related to the innovative uses of mobile technology in clinical social work practice, there is a dearth of knowledge related to the use of texting between clients and clinicians. Regardless of a clinician’s individual preference for using texting, cultural paradigm shifts in communication and interpersonal expectations will require incorporation of texting technology to meet client demands. This two-part dissertation provides a critical review of the literature that chronicles the rapid diffusion of texting into American culture and identifies its current use in psychotherapy. It demonstrates a significant gap related to its impact on the therapeutic relationship, as well as the absence of theoretical evolution to guide practice. An accompanying article expands relational theory as a way to conceptualize texting and texting behaviors in order to make responsible and purposeful decisions when integrating this technology. Composite case vignettes will demonstrate how “theoretical knowing” can be translated into “clinical doing” to address this current gap between theory and practice.