
Fine-Grained Privacy Control for Fitness and Health Applications Using the Privacy Management Platform

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 977)

Abstract

Due to the Internet of Things, novel types of sensors are integrated into everyday objects. A domain that benefits most is the fitness and health domain. With the advent of the so-called Smartbands—i.e., bracelets or watches with built-in sensors such as heart rate sensors, location sensors, or even glucose meters—novel fitness and health applications are made possible. That way, a quantified self can be created. Despite all the advantages that such applications entail, new privacy concerns arise.

These applications collect and process sensitive health data. Users are concerned by reports about privacy violations. These violations are enabled by inherent security vulnerabilities and deficiencies in the privacy systems of mobile platforms. As none of the existing privacy approaches is designed for the novel challenges arising from Smartband applications, we discuss how the Privacy Policy Model (PPM), a fine-grained and modularly expandable permission model, can be applied to this application area. This model is implemented in the Privacy Management Platform (PMP). Thus, the outcomes of this work can be leveraged directly. Evaluation results underline the benefits of our work for Smartband applications.


Notes

  1. See https://developer.android.com/reference/android/os/Binder.html.

  2. The data type Location is not supported by AIDL. Additional type definitions are required to compile this interface definition.


Acknowledgments

This paper is part of the PATRON research project which is commissioned by the Baden-Württemberg Stiftung gGmbH. The authors would like to thank the BW-Stiftung for the funding of this research.

Author information

Correspondence to Christoph Stach.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Stach, C. (2019). Fine-Grained Privacy Control for Fitness and Health Applications Using the Privacy Management Platform. In: Mori, P., Furnell, S., Camp, O. (eds) Information Systems Security and Privacy. ICISSP 2018. Communications in Computer and Information Science, vol 977. Springer, Cham. https://doi.org/10.1007/978-3-030-25109-3_1


  • DOI: https://doi.org/10.1007/978-3-030-25109-3_1


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-25108-6

  • Online ISBN: 978-3-030-25109-3

  • eBook Packages: Computer Science (R0)
