Scalable Privacy Analysis - April 2021
PI(s), Co-PI(s), Researchers:
- Serge Egelman (ICSI)
- Narseo Vallina-Rodriguez (ICSI)
- Primal Wijesekera (ICSI)
- Abbas Razaghpanah (ICSI)
HARD PROBLEM(S) ADDRESSED
Scalability and Composability, Policy-Governed Secure Collaboration, Metrics
PUBLICATIONS
- Nothing to report this quarter.
KEY HIGHLIGHTS
- We are performing a study on root detection in mobile apps (i.e., anti-analysis techniques): A large portion of the reporting period was spent identifying various root and emulation detection techniques. We identified them both by examining traffic from thousands of apps for HTTP parameters that appeared to be used to report root/emulation detection and through static analysis of the app binaries. We then modified our custom Android fork to include code to counter all of the detection methods that we discovered (i.e., we've created anti-anti-analysis instrumentation that we can turn on/off at will). Next, we plan to run the apps using these techniques as part of a study on why they're used.
- Study of targeted mobile ad networks: Using our network traffic instrumentation, we're starting to perform another study to examine how ad networks process personal information and whether they obey opt-out flags to disable behavioral targeting. With this instrumentation, we're reverse-engineering several ad network APIs, which will allow us to conduct real-time actions that can be used for controlled experiments (e.g., examining the impact of gender information by examining how ads and their associated pricing change as a function of the user's specified gender). In a similar manner, we plan to examine whether various ad networks are obeying flags for complying with various privacy laws or disabling behavioral targeting.
- Studying developers: We are beginning several studies this year to examine developers' perspectives, since one of the key issues that we've uncovered is that most privacy issues in mobile apps are due to misbehaving or misconfigured SDKs. Thus, we're using AppCensus data to identify apps with questionable privacy behaviors (including specifically looking at children's apps, since that's a regulated area), and then inviting their developers to interviews/surveys about their compliance practices.
COMMUNITY ENGAGEMENTS
- Nothing to report this quarter.
EDUCATIONAL ADVANCES
- Nothing to report this quarter.