SaTC: TTP: Small: Mobile Dynamic Privacy and Security Analysis at Scale

Project Details

Lead PI

Co-PIs

Performance Period

Sep 01, 2018 - Aug 31, 2021

Institution(s)

International Computer Science Institute

Award Number


The International Computer Science Institute (ICSI) is developing a framework to automatically detect privacy violations in mobile applications. The project leverages prototype work in augmenting the Android operating system with instrumentation to detect when applications access sensitive user data, what they do with it, and with whom they share it. The project modifies this system to support the analysis of thousands of applications in parallel, through virtualization. This infrastructure enables better understanding of the mobile privacy landscape and makes available new techniques for auditing programs at scale. The project offers end-users an online resource (https://www.appcensus.mobi/) to research the privacy behaviors of their applications; regulators can use these tools for enforcement, and developers can use them to detect and fix privacy violations in their mobile applications prior to releasing them.

Current program analysis approaches either do not actually observe program execution, and instead only examine program code, or do not scale well. This approach instruments the operating system and then uses simulated user behavior via computer-generated user interface events to passively observe what personal information applications access and exfiltrate. A prototype of the framework was used to detect thousands of potential violations of the Children's Online Privacy Protection Act (COPPA). This project expands that initial infrastructure to enable evaluation of thousands of applications simultaneously with real user input from crowdworkers, and to offer a programming interface through which both developers and regulators can evaluate new mobile applications on demand.

Serge Egelman is Research Director of the Usable Security & Privacy Group at the International Computer Science Institute (ICSI) and also holds an appointment in the Department of Electrical Engineering and Computer Sciences (EECS) at the University of California, Berkeley. He leads the Berkeley Laboratory for Usable and Experimental Security (BLUES), which is the amalgamation of his ICSI and UCB research groups. Serge's research focuses on the intersection of privacy, computer security, and human-computer interaction, with the specific aim of better understanding how people make decisions surrounding their privacy and security, and then creating data-driven improvements to systems and interfaces. This has included human subjects research on social networking privacy, access controls, authentication mechanisms, web browser security warnings, and privacy-enhancing technologies. His work has received multiple best paper awards, including seven ACM CHI Honorable Mentions, the 2012 Symposium on Usable Privacy and Security (SOUPS) Distinguished Paper Award for his work on smartphone application permissions, as well as the 2017 SOUPS Impact Award, and the 2012 Information Systems Research Best Published Paper Award for his work on consumers' willingness to pay for online privacy. He received his PhD from Carnegie Mellon University and prior to that was an undergraduate at the University of Virginia. He has also performed research at NIST, Brown University, Microsoft Research, and Xerox PARC.