Project Seminar: Privacy in smartphone ecosystems
Type of Lecture: Seminar
Content of the Course
Smartphone apps provide utility to their users through personalized and context-sensitive services. To achieve this, smartphone platforms give apps access to a multitude of sensitive resources on the device, e.g., device information, geolocation data, and user behaviour information obtained from sensors. This capability, however, poses significant risks to user privacy, especially since apps rarely provide an appropriate level of transparency about how sensitive information is processed.
The objective of this research project is an extensive analysis of the state of the art, in which different methodologies are compared. Novel approaches will be investigated and evaluated, specifically those that take into account the context of app usage and the purpose and functionality of apps when assessing their privacy properties.
Each project will be carried out by a group of students and will focus on a specific perspective of the problem. Students focusing on the technical aspects are expected to have basic skills in
Topic 1: "Transparency of smartphone apps"
Transparency is an important privacy principle, closely associated with the right of individuals to be informed about how and by whom their personal data are processed, as well as about the logic involved, such as data flows and their consequences. Human-computer interaction (HCI) techniques have the potential to substantially help users understand the privacy implications of the processing of their personal information, especially for smartphone apps, and in a similar way to support them in controlling their data more easily. This project therefore aims at identifying and addressing the challenges of user interfaces that provide transparency in smartphone apps. To this end, the project will investigate the level of granularity at which users should be informed about the processing of their personally identifiable information and sensitive personal data. A literature review of HCI techniques, methods and tools to enhance transparency will be performed. Selected techniques will be analyzed and compared in terms of usability and usefulness, as well as their trade-offs with regard to commercial privacy requirements.
Topic 2: "Assessing privacy of smartphone apps through crowdsourced comments"
Due to the lack of an appropriate level of transparency regarding the processing of sensitive information by smartphone apps, smartphone users cannot identify data leakages or assess how their apps affect their privacy. Current privacy indicators in smartphone ecosystems have been shown to be ineffective at communicating risk. Furthermore, there are no means to help users make informed decisions when selecting apps. This project will investigate suitable methods to support informed decision-making by assessing the privacy of smartphone apps using crowdsourced user comments. It will provide a privacy risk score that also considers factors such as the context of app usage and the app's purpose and functionality. To this end, an extensive literature review will be performed, promising approaches will be identified and evaluated, and a prototype will be implemented that, for instance, uses machine learning techniques to identify the context and usage of the application as well as privacy-related comments, and ultimately provides a privacy risk score.
Topic 3: “Assessing privacy of smartphone apps through the analysis of data flows”
In current smartphone ecosystems, a large number of available applications lack proper information about their data access behaviour, i.e., they are often poorly understood, in particular concerning their activities and functions related to privacy and security. It is therefore vital to provide users with information about the privacy risk of installed applications (or of applications they wish to install); for instance, an application can pose a privacy risk because of the data access permissions it requests and the way it uses them. Therefore, proper mechanisms are needed to automatically detect and evaluate the security risks and privacy invasiveness of smartphone apps. To this end, a literature review is first needed to analyze which characteristics make an application a potential danger to users' security and privacy. Afterwards, a technical/mathematical approach is required to provide a privacy score that takes into consideration the behaviour of the application with regard to access permissions, data flows, frequency of access, and the context/usage of the application.
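To make the last sentence of Topic 3 concrete, here is an added illustrative scoring sketch; it is not code from the seminar or from any of the cited papers. The permission and sink weights, the background multiplier, the frequency saturation and the 30/70 split between declared and observed behaviour are all assumptions chosen for illustration, as is the event format (constructed access logs for two hypothetical apps that declare the same permissions but use them very differently):

```python
"""Illustrative privacy score combining declared permissions, observed data
flows, access frequency and usage context. Added example; all weights and the
event format are assumptions, not a method from the seminar page."""
import math
from collections import defaultdict
from dataclasses import dataclass

# Assumed resource sensitivity per permission (0..1). Hypothetical values.
PERMISSION_WEIGHT = {
    "ACCESS_FINE_LOCATION": 0.9,
    "READ_SMS": 0.9,
    "READ_CONTACTS": 0.7,
    "CAMERA": 0.6,
    "INTERNET": 0.2,
    "VIBRATE": 0.0,
}
# Assumed exposure of the sink a flow ends in ("ui" = shown to the user only).
SINK_WEIGHT = {"network": 1.0, "file": 0.5, "log": 0.3, "ui": 0.0}
BACKGROUND_FACTOR = 1.5   # assumption: access the user cannot observe is worse
SATURATION_RATE = 10.0    # accesses per hour beyond which frequency no longer adds risk
DECLARED_SHARE = 0.3      # assumption: what the app CAN do vs. what it was SEEN doing


@dataclass(frozen=True)
class AccessEvent:
    t_hours: float      # time of access relative to start of observation window
    permission: str     # resource accessed
    sink: str           # where the data went
    foreground: bool    # app visible to the user at the time of access


def noisy_or(values):
    """Combine independent risk factors in [0,1]: 1 - prod(1 - v). Out-of-range
    inputs are clipped so a single large factor saturates instead of overflowing."""
    p = 1.0
    for v in values:
        p *= 1.0 - min(1.0, max(0.0, v))
    return 1.0 - p


def declared_component(permissions):
    """Risk from the permission set alone; unknown permissions get a neutral 0.5."""
    return noisy_or(PERMISSION_WEIGHT.get(p, 0.5) for p in permissions)


def observed_component(events, window_hours):
    """Risk from observed flows: sensitivity x sink exposure x context, scaled by
    a logarithmic frequency factor that saturates at SATURATION_RATE per hour."""
    if window_hours <= 0:
        raise ValueError("window_hours must be positive")
    counts = defaultdict(int)
    for ev in events:
        counts[(ev.permission, ev.sink, ev.foreground)] += 1
    risks = []
    for (perm, sink, fg), n in counts.items():
        exposure = PERMISSION_WEIGHT.get(perm, 0.5) * SINK_WEIGHT.get(sink, 0.5)
        if not fg:
            exposure *= BACKGROUND_FACTOR
        rate = n / window_hours
        freq = min(1.0, math.log1p(rate) / math.log1p(SATURATION_RATE))
        risks.append(exposure * freq)
    return noisy_or(risks)


def privacy_score(permissions, events, window_hours):
    """Return (score in 0..100, breakdown of the two components)."""
    p = declared_component(permissions)
    f = observed_component(events, window_hours)
    score = 100.0 * (DECLARED_SHARE * p + (1.0 - DECLARED_SHARE) * f)
    return round(score, 1), {"declared": round(p, 3), "observed": round(f, 3)}


# Constructed sample data: two hypothetical apps with identical permissions.
def constructed_weather_app():
    """Shows location in the UI four times a day, uploads it twice in foreground."""
    perms = ["ACCESS_FINE_LOCATION", "INTERNET"]
    events = [AccessEvent(h, "ACCESS_FINE_LOCATION", "ui", True) for h in (8, 12, 18, 22)]
    events += [AccessEvent(h, "ACCESS_FINE_LOCATION", "network", True) for h in (8, 18)]
    return perms, events


def constructed_tracker_app():
    """Uploads location in the background every five minutes, all day."""
    perms = ["ACCESS_FINE_LOCATION", "INTERNET"]
    events = [AccessEvent(i / 12, "ACCESS_FINE_LOCATION", "network", False)
              for i in range(288)]
    return perms, events


if __name__ == "__main__":
    for name, app in (("weather", constructed_weather_app()),
                      ("tracker", constructed_tracker_app())):
        print(name, privacy_score(*app, 24.0))
```

The point the two constructed apps make is the one the topic description raises: a permission-only view gives both apps the same declared component, and only the observed flows, their frequency and the foreground/background context separate a forecast app from a location tracker.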
Topic 4: “Privacy risk indicators for smartphone apps”
Nowadays, it is obvious that smartphone apps can easily exploit personally identifiable and sensitive information of the users who install them. While users have become increasingly concerned about their privacy, it has also been shown that smartphone users usually ignore privacy-related indicators. A potential reason is that those indicators are not adequate to raise awareness and at the same time encourage users to take proper measures. Application designers/developers could make the indicators more attractive and usable (from a psychological perspective). Therefore, the goal of this project is to provide a reliable foundation that highlights the importance of psychological aspects of privacy when designing privacy indicators for smartphone applications. The key aspect of this project is to clarify the psychological influences on privacy indicators in smartphone apps (from both the developers' and the users' points of view). First, an extensive literature review should be done in order to classify the crucial psychological factors that developers have ignored when designing privacy indicators. After this classification, a case study (with 10 to 20 participants) should be performed to assess and measure the classified psychological factors in terms of usability and usefulness, in order to determine whether they matter to real users.
K. Y. Huang, "Challenges in Human-Computer Interaction Design for Mobile Devices," Proceedings of the World Congress on Engineering and Computer Science, USA, 2009.
I. Liccardi, J. Pato, and D. J. Weitzner, "Improving Mobile App Selection through Transparency and Better Permission Analysis," Journal of Privacy and Confidentiality (2013) 5, No. 2, 1–55.
L. Cen, L. Si, N. Li, and H. Jin, "User Comment Analysis for Android Apps and CSPI Detection with Comment Expansion," Proceedings of the 1st International Workshop on Privacy-Preserving IR: When Information Retrieval Meets Privacy and Security (PIR 2014), 2014.
D. Kong, L. Cen, and H. Jin, "AUTOREB: Automatically Understanding the Review-to-Behavior Fidelity in Android Applications," Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
Y. Jing, G. J. Ahn, Z. Zhao, and H. Hu, "RiskMon: Continuous and Automated Risk Assessment of Mobile Applications," Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, 2014.
A. Mylonas, M. Theoharidou, and D. Gritzalis, "Assessing Privacy Risks in Android: A User-Centric Approach," Lecture Notes in Computer Science, 2014.
L. Kraus, I. Wechsung, and S. Möller, "Exploring Psychological Need Fulfillment for Security and Privacy Actions on Smartphones," Proceedings of the 12th Symposium on Usable Privacy and Security, 2016.
M. Baddeley, "A Behavioural Analysis of Online Privacy and Security," Cambridge Working Papers in Economics, 2011.
The course registration is mandatory and takes place electronically via m-chair.de (registration section of the project seminar) within the period 1st to 10th of October. The maximum number of students for this project seminar is 12, and participants will be admitted on a first-come, first-served basis. If the maximum number of students is exceeded, the registration system will offer a waiting list for further potential participants. Once the registration deadline has expired, all course applicants will be notified via email about their final registration status.
The course registration does not replace the examination registration, which is needed to finally get graded in this course.
Examination registration and withdrawal take place within the period 13th to 26th of October 2016. Students will have to sign the registration list during the organizational meeting on the 25th of October.
Time: 10:00 - 12:00