
2014 | OriginalPaper | Book chapter

Assessing Privacy Risks in Android: A User-Centric Approach

Written by: Alexios Mylonas, Marianthi Theoharidou, Dimitris Gritzalis

Published in: Risk Assessment and Risk-Driven Testing

Publisher: Springer International Publishing


Abstract

The increasing presence of privacy-violating apps in app marketplaces poses a significant privacy risk for smartphone users. Current approaches to assessing privacy risk lack user input, assuming that the value of each smartphone sub-asset (e.g. contact list, usage history) is perceived similarly across users. Thus, per-user privacy risk assessment is not achievable. This paper refines our previous work on smartphone risk assessment by proposing an approach for assessing the privacy risk of Android users. Its cornerstone is impact valuation from users, as well as their usage profiles, which enables assessment of per-user risk. Threat likelihood is assessed based on the presence of specific permission combinations, which we consider vulnerabilities that enable privacy threat scenarios. These permission combinations correspond to users’ app profiles, i.e. to the app categories of Google Play that each user regularly visits. Finally, the proposed method is demonstrated through a case study.


Footnotes

1. At the time of our analysis, it is Jelly Bean (v. 4.2.2) [15].

2. These could also be indicators of the user’s location [25].

3. User’s location can be retrieved either directly (fine location), or indirectly by using the sensors (e.g. a camera snapshot identifies the user’s location), by retrieving information about the networks the user is connected to (coarse location), or calendar entries.

4. The 4 levels of vulnerability [2] are dynamically created by periodically clustering (k-means algorithm) the likelihood values for the top combinations of channel and asset permissions (see Table 3). A 4-item scale was selected to match the impact assessment values [2].

5. Any business data, such as corporate files (e.g. pdf) stored on the external storage, were not included in the case, as they are not considered PII, do not affect privacy, and are under different regulatory requirements. We only examine the effect on a person’s reputation, which falls into the scope of privacy and may affect his working conditions.
References
3. Barrera, D., Kayacik, H., van Oorschot, P., Somayaji, A.: A methodology for empirical analysis of permission-based security models and its application to Android. In: Proceedings of the 17th ACM Conference on Computer and Communications Security, pp. 73–84. ACM (2010)
4. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications and Services, pp. 239–252. ACM, New York (2011)
6. Enck, W., Gilbert, P., Chun, B., Cox, L., Jung, J., McDaniel, P., Sheth, A.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association, Berkeley (2010)
7. Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proceedings of the 20th USENIX Conference on Security, pp. 21–21. USENIX Association, Berkeley (2011)
8. Felt, A., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638. ACM (2011)
9. Felt, A., Egelman, S., Wagner, D.: I’ve got 99 problems, but vibration ain’t one: a survey of smartphone users’ concerns. In: Proceedings of the 2nd ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, pp. 33–44. ACM, New York (2012)
10. Felt, A., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the 8th Symposium on Usable Privacy and Security. ACM (2012)
11. Felt, A., Hanna, S., Chin, E., Wang, H.J., Moshchuk, E.: Permission redelegation: attacks and defenses. In: 20th Usenix Security Symposium (2011)
16. Grace, M., Zhou, Y., Wang, Z., Jiang, X.: Systematic detection of capability leaks in stock Android smartphones. In: Proceedings of the 19th Network and Distributed System Security Symposium (2012)
17. Grace, M., Zhou, W., Jiang, X., Sadeghi, A.: Unsafe exposure analysis of mobile in-app advertisements. In: Proceedings of the 5th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 101–112. ACM (2012)
18. ICO: Privacy impact assessment handbook, v2.0. Information Commissioner’s Office, United Kingdom
20. Lin, J., Sadeh, N., Amini, S., Lindqvist, J., Hong, J., Zhang, J.: Expectation and purpose: understanding users’ mental models of mobile app privacy through crowdsourcing. In: Proceedings of the 2012 ACM Conference on Ubiquitous Computing, pp. 501–510. ACM (2012)
21. Marinos, L., Sfakianakis, A.: Enisa threat landscape. Technical report, ENISA (2012)
22. Mylonas, A., Dritsas, S., Tsoumas, B., Gritzalis, D.: Smartphone security evaluation - the malware attack case. In: Proceedings of International Conference of Security and Cryptography, pp. 25–36 (2011)
23. Mylonas, A., Gritzalis, D., Tsoumas, B., Apostolopoulos, T.: A qualitative metrics vector for the awareness of smartphone security users. In: 10th International Conference on Trust, Privacy & Security in Digital Business, pp. 173–184 (2013)
24. Mylonas, A., Kastania, A., Gritzalis, D.: Delegate the smartphone user? Security awareness in smartphone platforms. Comput. Secur. 34, 47–66 (2013)
25. Mylonas, A., Meletiadis, V., Mitrou, L., Gritzalis, D.: Smartphone sensor data as digital evidence. Comput. Secur. 38, 51–75 (2013)
26. Pearce, P., Felt, A.P., Nunez, G., Wagner, D.: Android: privilege separation for applications and advertisers in android. In: Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 71–72. ACM (2012)
27. Sarma, B.P., Li, N., Gates, C., Potharaju, R., Nita-Rotaru, C., Molloy, I.: Android permissions: a perspective combining risks and benefits. In: Proceedings of the 17th ACM Symposium on Access Control Models and Technologies, pp. 13–22. ACM (2012)
28. Souppaya, M., Scarfone, K.: Guidelines for managing the security of mobile devices in the enterprise. NIST, June 2013, NIST Special Publication 800–124, rev. 1 (2013)
29. Stevens, R., Gibler, C., Crussell, J., Erickson, J., Chen, H.: Investigating user privacy in android ad libraries. In: Workshop on Mobile Security Technologies (2012)
30. Theoharidou, M., Mylonas, A., Gritzalis, D.: A risk assessment method for smartphones. In: Gritzalis, D., Furnell, S., Theoharidou, M. (eds.) SEC 2012. IFIP AICT, vol. 376, pp. 443–456. Springer, Heidelberg (2012)
31. Wang, Y., Zheng, J., Sun, C., Mukkamala, S.: Quantitative security risk assessment of android permissions and applications. In: Wang, L., Shafiq, B. (eds.) DBSec 2013. LNCS, vol. 7964, pp. 226–241. Springer, Heidelberg (2013)
32. Warren, A., Bayley, R., Bennett, C., Charlesworth, A., Clarke, R., Oppenheim, C.: Privacy impact assessments: international experience as a basis for UK guidance. Comput. Law Secur. Rev. 24(3), 233–242 (2008)
33. Zhou, Y., Jiang, X.: Dissecting android malware: characterization and evolution. In: Proceedings of the 2012 IEEE Symposium on Security and Privacy, pp. 95–109. IEEE Computer Society (2012)
34. Gritzalis, D.: Embedding privacy in IT applications development. Inf. Manag. Comput. Secur. 12(1), 8–26 (2004)
35. Gritzalis, D.: Enhancing security and improving interoperability in healthcare information systems. Inform. Health Soc. Care 23(4), 309–324 (1998)
36. Theoharidou, M., Kotzanikolaou, P., Gritzalis, D.: Risk assessment methodology for interdependent critical infrastructures. Int. J. Risk Assess. Manag. 15(2–3), 128–148 (2011)
37. Theoharidou, M., Kotzanikolaou, P., Gritzalis, D.: A multi-layer criticality assessment methodology based on interdependencies. Comput. Secur. 29(6), 643–658 (2010)
Metadata
Title: Assessing Privacy Risks in Android: A User-Centric Approach
Written by: Alexios Mylonas, Marianthi Theoharidou, Dimitris Gritzalis
Copyright year: 2014
DOI: https://doi.org/10.1007/978-3-319-07076-6_2
