InShopnito: an advanced yet privacy-friendly mobile shopping application

Mobile Shopping Applications (MSAs) are rapidly gaining popularity. They enhance the shopping experience, by offering customized recommendations or incorporating customer loyalty programs. Although MSAs are quite effective at attracting new customers and binding existing ones to a retailer's services, existing MSAs have several shortcomings. The data collection practices involved in MSAs and the lack of transparency thereof are important concerns for many customers. This paper presents inShopnito, a privacy-preserving mobile shopping application. All transactions made in inShopnito are unlinkable and anonymous. However, the system still offers the expected features from a modern MSA. Customers can take part in loyalty programs and earn or spend loyalty points and electronic vouchers. Furthermore, the MSA can suggest personalized recommendations even though the retailer cannot construct rich customer profiles. These profiles are managed on the smartphone and can be partially disclosed in order to get better, customized recommendations. Finally, we present an implementation called inShopnito, of which the security and performance is analyzed. In doing so, we show that it is possible to have a privacy-preserving MSA without having to sacrifice practicality

Efficient Oblivious Computation Techniques for Privacy-Preserving Mobile Applications

Research area: Information Security and Cryptography, Networking and CommunicationsResearch topic: Privacy-Preserving Computation, Mobile Application SecurityThe growth of smartphone capability has led to an explosion of new applications. Many of the most useful apps use context-sensitive data, such as GPS location or social network information. In these cases, users may not be willing to release personal information to untrusted parties. Currently, the solutions to performing computation on encrypted inputs use garbled circuits combined with a variety of optimizations. However, the capability of resource-constrained smartphones for evaluating garbled circuits in any variation is uncertain in practice. In [1], it is shown that certain garbled circuit evaluations can be optimized by using homomorphic encryption. In this paper, we take this concept to its logical extreme with Efficient Mobile Oblivious Computation (EMOC), a technique that completely replaces garbled circuits with homomorphic operations on ciphertexts. We develop applications to securely solve the millionaire’s problem, send tweets based on location, and compute common friends in a social network, then prove equivalent privacy guarantees to analogous constructions using garbled circuits. We then demonstrate up to 68% runtime reduction from the most efficient garbled circuit implementation. In so doing, we demonstrate a practical technique for developing privacy-preserving applications on the mobile platform

HideMyApp: Hiding the Presence of Sensitive Apps on Android

Millions of users rely on mobile health (mHealth) apps to manage their wellness and medical conditions. Although the popularity of such apps continues to grow, several privacy and security challenges can hinder their potential. In particular, the simple fact that an mHealth app is installed on a user’s phone can reveal sensitive information about the user’s health. Due to Android’s open design, any app, even without permissions, can easily check for the presence of a specific app or collect the entire list of installed apps on the phone. Our analysis shows that Android apps expose a significant amount of metadata, which facilitates fingerprinting them. Many third parties are interested in such information: Our survey of 2917 popular apps in the Google Play Store shows that around 57% of these apps explicitly query for the list of installed apps. Therefore, we designed and implemented HideMyApp (HMA), an effective and practical solution for hiding the presence of sensitive apps from other apps. HMA does not require any changes to the Android operating system or to apps yet still supports their key functionalities. By using a diverse dataset of both free and paid mHealth apps, our experimental evaluation shows that HMA supports the main functionalities in most apps and introduces acceptable overheads at runtime (i.e., several milliseconds); these findings were validated by our user-study (N=30). In short, we show that the practice of collecting information about installed apps is widespread and that our solution, HMA, provides a robust protection against such a threat

HideMyApp : Hiding the Presence of Sensitive Apps on Android

Millions of users rely on mobile health (mHealth) apps to manage their wellness and medical conditions. Although the popularity of such apps continues to grow, several privacy and security challenges can hinder their potential. In particular, the simple fact that an mHealth app is installed on a user’s phone can reveal sensitive information about the user’s health. Due to Android’s open design, any app, even without per- missions, can easily check for the presence of a specific app or collect the entire list of installed apps on the phone. Our analysis shows that Android apps expose a significant amount of metadata, which facilitates fingerprinting them. Many third parties are interested in such information: Our survey of 2917 popular apps in the Google Play Store shows that around 57% of these apps explicitly query for the list of installed apps. Therefore, we designed and implemented HideMyApp (HMA), an effective and practical solution for hiding the presence of sensitive apps from other apps. HMA does not require any changes to the Android operating system or to apps yet still supports their key functionalities. By using a diverse dataset of both free and paid mHealth apps, our experimental eval- uation shows that HMA supports the main functionalities in most apps and introduces acceptable overheads at runtime (i.e., several milliseconds); these findings were validated by our user-study (N = 30). In short, we show that the practice of collecting information about installed apps is widespread and that our solution, HMA, provides a robust protection against such a threat

SmarPer: Context-Aware and Automatic Runtime-Permissions for Mobile Devices

Permission systems are the main defense that mobile platforms, such as Android and iOS, offer to users to protect their private data from prying apps. However, due to the tension between usability and control, such systems have several limitations that often force users to overshare sensitive data. We address some of these limitations with SmarPer, an advanced permission mechanism for Android. To address the rigidity of current permission systems and their poor matching of users’ privacy preferences, SmarPer relies on contextual information and machine learning methods to predict permission decisions at runtime. Note that the goal of SmarPer is to mimic the users’ decisions, not to make privacy-preserving decisions per se. Using our SmarPer implementation, we collected 8,521 runtime permission decisions from 41 participants in real conditions. With this unique data set, we show that using an efficient Bayesian linear regression model results in a mean correct classification rate of 80% (±3%). This represents a mean relative reduction of approximately 50% in the number of incorrect decisions when compared with a user-defined static permission policy, i.e., the model used in current permission systems. SmarPer also focuses on the suboptimal trade-off between privacy and utility; instead of only “allow” or “deny” type of decisions, SmarPer also offers an “obfuscate” option where users can still obtain utility by revealing partial information to apps. We implemented obfuscation techniques in SmarPer for different data types and evaluated them during our data collection campaign. Our results show that 73% of the participants found obfuscation useful and it accounted for almost a third of the total number of decisions. In short, we are the first to show, using a large dataset of real in situ permission decisions, that it is possible to learn users’ unique decision patterns at runtime using contextual information while supporting data obfuscation; this is an important step towards automating the management of permissions in smartphones

ORide: A Privacy-Preserving yet Accountable Ride-Hailing Service

In recent years, ride-hailing services (RHSs) have become increasingly popular, serving millions of users per day. Such systems, however, raise significant privacy concerns, because service providers are able to track the precise mobility patterns of all riders and drivers. In this paper, we propose ORide (Oblivious Ride), a privacy-preserving RHS based on somewhat-homomorphic encryption with optimizations such as ciphertext packing and transformed processing. With ORide, a service provider can support the matching of riders and drivers without learning their identities or location infor- mation. ORide offers riders with fairly large anonymity sets (e.g., several thousands), even in sparsely-populated areas. In addition, ORide supports key RHSs features such as easy payment, reputation scores, accountability, and retrieval of lost items. Using real data-sets consisting of millions of rides, we show that the computational and network overhead introduced by ORide is acceptable. For example, ORide only adds several milliseconds to ride-hailing operations and the extra driving distance for a driver is less than 0.5 km in more than 75% of the cases evaluated. In short, we show that a RHS can offer strong privacy guarantees to both riders and drivers while maintaining the convenience of its services

PrivateRide: A Privacy-Enhanced Ride-Hailing Service

In the past few years, we have witnessed a rise in the popularity of ride-hailing services (RHSs), an online marketplace that enables accredited drivers to use their own cars to drive ride-hailing users. Unlike other transportation services, RHSs raise significant privacy concerns, as providers are able to track the precise mobility patterns of millions of riders worldwide. We present the first survey and analysis of the privacy threats in RHSs. Our analysis exposes high-risk privacy threats that do not occur in conventional taxi services. Therefore, we propose PrivateRide, a privacy-enhancing and practical solution that offers anonymity and location privacy for riders, and protects drivers’ information from harvesting attacks. PrivateRide lowers the high-risk privacy threats in RHSs to a level that is at least as low as that of many taxi services. Using real data-sets from Uber and taxi rides, we show that PrivateRide significantly enhances riders’ privacy, while preserving tangible accuracy in ride matching and fare calculation, with only negligible effects on convenience. Moreover, by using our Android implementation for experimental evaluations, we show that PrivateRide’s overhead during ride setup is negligible. In short, we enable privacy-conscious riders to achieve levels of privacy that are not possible in current RHSs and even in some conventional taxi services, thereby offering a potential business differentiator

Practical authentication in large-scale internet applications

Due to their massive user base and request load, large-scale Internet applications have mainly focused on goals such as performance and scalability. As a result, many of these applications rely on weaker but more efficient and simpler authentication mechanisms. However, as recent incidents have demonstrated, powerful adversaries are exploiting the weaknesses in such mechanisms. While more robust authentication mechanisms exist, most of them fail to address the scale and security needs of these large-scale systems. In this dissertation we demonstrate that by taking into account the specific requirements and threat model of large-scale Internet applications, we can design authentication protocols for such applications that are not only more robust but also have low impact on performance, scalability and existing infrastructure. In particular, we show that there is no inherent conflict between stronger authentication and other system goals. For this purpose, we have designed, implemented and experimentally evaluated three robust authentication protocols: Proxychain, for SIP-based VoIP authentication; One-Time Cookies (OTC), for Web session authentication; and Direct Validation of SSL/TLS Certificates (DVCert), for server-side SSL/TLS authentication. These protocols not only offer better security guarantees, but they also have low performance overheads and do not require additional infrastructure. In so doing, we provide robust and practical authentication mechanisms that can improve the overall security of large-scale VoIP and Web applications.PhDCommittee Co-Chair: Ahamad, Mustaque; Committee Co-Chair: Traynor, Patrick; Committee Member: Beyah, Raheem; Committee Member: Boldyreva, Alexandra; Committee Member: Giffin, Jo