Visible to the public Scalable Privacy Analysis - July 2021Conflict Detection Enabled

Submitted by Serge Egelman on Thu, 08/26/2021 - 12:34pm

PI(s), Co-PI(s), Researchers:

  • Serge Egelman (ICSI)
  • Narseo Vallina-Rodriguez (ICSI)
  • Primal Wijesekera (ICSI)
  • Abbas Razaghpannah (ICSI)

HARD PROBLEM(S) ADDRESSED
Scalability and Composability, Policy-Governed Secure Collaboration, Metrics

PUBLICATIONS

  • Nothing to report this quarter.

KEY HIGHLIGHTS

  • We are performing a study on root detection in mobile apps (i.e., anti-analysis techniques): We built a corpus of thousands of apps that we identified as using root/emulation/debugging detection techniques, and are in the process of running each of these apps twice, once with the anti-anti-analysis measures enabled and disabled. We are currently in the process of analyzing the data to examine how apps behave differently when they detect that a device has been rooted/emulated. We expect to submit this paper to a security conference in the fall.

  • Study of targeted mobile ad networks: Using our network traffic instrumentation, we're starting to perform another study to examine how ad networks process personal information and whether they ovey opt-out flags to disable behavioral targeting. Using our instrumentation, we're reverse-engineering several ad network APIs, which will allow us to conduct realtime actions that can be used for controlled experiments (e.g., examining the impact of gender information by examining how ads and their associated pricing change as a function of the user's specified gender). In a similar manner, we plan to examine whether various ad networks are obeying flags for complying with various privacy laws or disabling behavioral targeting.

    Our instrumentation allows us to see all bid data from ~30 ad networks, and so by creating ad auctions by spoofing app traffic, we can perform controlled experiments to manipulate elements of the request (independent variables, such as whether a profile is attached to the identifers, whether privacy flags are present, and the user's demographics) to examine their impact on the dependent variables, which are the amounts of each bid and the types of ads offered.

  • Studying developers: We are beginning several studies this year to examine developers' perspectives, since one of the key issues that we've uncovered is that most privacy issues in mobile apps are due to misbehaving or misconfigured SDKs. Thus, we're using AppCensus data to identify apps with questionable privacy behaviors (including specifically looking at children's apps, since that's a regulated area), and then inviting their developers to interviews/surveys about their compliance practices. We recently surveyed developers of kids' apps about their compliance with child privacy laws, and are in the process of analyzing the results, ideally to be submitted somewhere in the fall or spring. Our goal is to understand compliance processes.

COMMUNITY ENGAGEMENTS

  • PI Egelman testified before the U.S. Senate on mobile privacy, specifically apps' compliance with COPPA and how COPPA could be improved.

EDUCATIONAL ADVANCES:

  • Nothing to report this quarter.
Groups: