Visible to the public Scalable Privacy Analysis - July 2022Conflict Detection Enabled

Submitted by Serge Egelman on Wed, 09/14/2022 - 6:54pm

PI(s), Co-PI(s), Researchers:

  • Serge Egelman (ICSI)
  • Narseo Vallina-Rodriguez (IMDEA)
  • Primal Wijesekera (ICSI)

HARD PROBLEM(S) ADDRESSED
Scalability and Composability, Policy-Governed Secure Collaboration, Metrics

PUBLICATIONS

  • Under review:
    C. Gilsenan, F. Shakir, N. Alomar, and S. Egelman. Security and Privacy Failures in Popular 2FA Apps. Proceedings of the 2023 USENIX Security Symposium. Under review.
  • Accepted for publication:
    Noura Alomar and Serge Egelman. Developers Say the Darnedest Things: Privacy Compliance Processes Followed by Developers of Child-Directed Apps. In Proceedings on Privacy Enhancing Technologies (PoPETS), 2022(4).
  • Presented:
    Alisa Frik, Juliann Kim, Joshua Rafael Sanchez, and Joanne Ma. Users' Expectations About and Use of Smartphone Privacy and Security Settings. In Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems (CHI 2022), April 29-May 5, 2022, New Orleans, LA, USA. ACM, New York, NY, USA, 24 pages.

KEY HIGHLIGHTS

  • Root detection study:
    We have finished analyzing our testing data from ~10k apps, and expect to submit to a top tier conference in the next quarter. (We're still in the process of writing up our results.)

  • Our PETS paper on developers was accepted! We are revising it based on reviewer feedback and preparing the presentation. Abstract:

    • We investigate the privacy compliance processes followed by developers of child-directed mobile apps. While children's online privacy laws have existed for decades in the US, prior research found relatively low rates of compliance. Yet, little is known about how compliance issues come to exist and how compliance processes can be improved to address them. Our results, based on surveys (n=127) and interviews (n=27), suggest that most developers rely on app markets to identify privacy issues, they lack complete understandings of the third-party SDKs they integrate, and they find it challenging to ensure that these SDKs are kept up-to-date and privacy-related options are configured correctly. As a result, we find that well-resourced app developers outsource most compliance decisions to auditing services, and that smaller developers follow "best-effort" models, by assuming that their apps are compliant so long as they have not been rejected by app markets. We highlight the need for usable tools that help developers identify and fix mobile app privacy issues.

  • Log study:
    We are still analyzing the collected data and working with vendors to remediate issues. We've observed various types of sensitive data getting logged to the system logs by various system components (including device drivers), in violation of Google's policies. We have also discovered that various user-installed apps are also logging data inappropriately, including some SDKs that are logging incoming and outgoing network traffic.

  • We presented our CHI paper on users and smartphone security settings. Abstract:
    With the growing smartphone penetration rate, smartphone settings remain one of the main models for information privacy and security controls. Yet, their usability is largely understudied, especially with respect to the usability impact on underrepresented socio-economic and low-tech groups. In an online survey with 178 users, we find that many people are not aware of smartphone privacy and security settings, their defaults, and have not configured them in the past, but are willing to do it in the future. Some participants perceive low self-efficacy and expect difficulties and usability issues with configuring those settings. Finally, we find that certain socio-demographic groups are more vulnerable to risks and feel less prepared to use smartphone settings to protect their online privacy and security.

  • Finally, we performed a study of third-party 2FA TOTP authenticator apps: we used our dynamic analysis tools to examine the security of network backups, as well as reverse-engineered their security protocols. We uncovered numberous vulnerabilities, all involving TOTP secrets being stored insecurely, or apps leaking information about their users (e.g., what online accounts they have). We have responsibly disclosed our results, and the paper is now under submission to USENIX Security (2023).

COMMUNITY ENGAGEMENTS

  • PI Egelman has been interviewed by several reporters about online privacy issues.
  • CHI paper was presented.
  • Colleagues accepted the CNIL-INRIA Privacy Award at CPDP, for prior paper on automatically detecting permissions abuses in Android.

EDUCATIONAL ADVANCES:

  • Several graduate and undergraduate students are participating in this research.
Groups: