Scalable Privacy Analysis - October 2021
PI(s), Co-PI(s), Researchers:
- Serge Egelman (ICSI)
- Narseo Vallina-Rodriguez (ICSI)
- Primal Wijesekera (ICSI)
- Abbas Razaghpannah (ICSI)
HARD PROBLEM(S) ADDRESSED
Scalability and Composability, Policy-Governed Secure Collaboration, Metrics
PUBLICATIONS
- Nothing to report this quarter.
KEY HIGHLIGHTS
- Root detection study:
Our work has so far focused on studying anti-analysis techniques in Android applications. These are programming methods, tools, and other developer choices that, intentionally or otherwise, make it more difficult for researchers to analyze mobile applications. Some notable examples are root detection, emulation detection, debugging environment detection, certificate pinning, using custom non-standard encryption, code obfuscation, and other techniques that end up negatively impacting legitimate privacy and security research.
Our goal is to identify anti-analysis techniques and understand the reason behind their adoption within the context of the applications.
Specifically, we have designed and implemented tools to taxonomize root, emulation, and debugging environment detection methods; devised counter-measures to these methods so that we can test apps in our dynamic analysis environment; and planned a measurement study around our findings to study how app behavior changes under different conditions. We are in the process of analyzing our testing data from ~10k apps, and expect to submit to a top-tier conference in the next quarter.
- Study of targeted mobile ad networks:
Using our network traffic instrumentation, we're starting to perform another study to examine how ad networks process personal information and whether they obey opt-out flags to disable behavioral targeting. Using our instrumentation, we're reverse-engineering several ad network APIs, which will allow us to conduct real-time actions that can be used for controlled experiments (e.g., examining the impact of gender information by examining how ads and their associated pricing change as a function of the user's specified gender). In a similar manner, we plan to examine whether various ad networks are obeying flags for complying with various privacy laws or disabling behavioral targeting.
Our instrumentation allows us to see all bid data from ~30 ad networks, and so by creating ad auctions by spoofing app traffic, we can perform controlled experiments to manipulate elements of the request (independent variables, such as whether a profile is attached to the identifiers, whether privacy flags are present, and the user's demographics) to examine their impact on the dependent variables, which are the amounts of each bid and the types of ads offered.
We are now performing controlled experiments, and are identifying additional data points to collect (e.g., what dependent variables we might want to examine).
- Studying developers:
We are performing several studies to examine developers' perspectives, since one of the key issues that we've uncovered is that most privacy issues in mobile apps are due to misbehaving or misconfigured SDKs. Thus, we're using AppCensus data to identify apps with questionable privacy behaviors (including specifically looking at children's apps, since that's a regulated area), and then inviting their developers to interviews/surveys about their compliance practices. We recently surveyed developers of kids' apps about their compliance with child privacy laws, and are in the process of analyzing the results, ideally to be submitted somewhere in the fall or spring. Our goal is to understand compliance processes.
Ironically, while planning to study compliance processes, an IRB snafu halted our surveys for ~2 months. We've since resumed: we're surveying app developers about their privacy compliance processes. To date, we've collected >50 survey responses, and have now moved on to follow-up interviews. The main finding is that developers aren't aware of their compliance obligations and look to platforms for guidance; at the same time, they don't believe that the platforms are providing adequate guidance. We're in the process of finishing up our interviews, and then plan to analyze the data and submit a paper in the coming months.
COMMUNITY ENGAGEMENTS
- PI Egelman has been interviewed by several reporters about online privacy issues.
EDUCATIONAL ADVANCES:
- Several additional undergraduates are now participating in this research.