Abstract
Since the introduction of the iPhone in 2007, smartphones continue to have a more disruptive role in our society. The average person spends over five hours per day using their device and research has shown intentional addictive design elements in popular applications to maximize user interaction time. While smartphones have provided new capabilities that did not exist previously, it has also allowed the limitless collection of personal data that is both sensed, inferred, and stored on the device. With millions of applications available in both the App Store and Google Play, research has shown mobile applications frequently abuse granted permissions and are not truthful in permission requests. Given a coarse-grained permission model, applications can retrieve and transmit data as frequent as possible without limit, and send data to any service without the user being aware. Only recently did mobile operating system producers start to introduce more fine-grained controls. In this paper, we examine the evolution of these controls since the widespread adoption of smartphones and examine the current trends. We describe research that has provided both an improved awareness of privacy and supplemental controls for users. We also describe the shortcomings of these solutions and provide suggestions to the current permission model to limit the amount of data that can be accessed and transmitted from the device. Given the data that is available from mobile devices, it is imperative that users have more transparency in how mobile applications use their data, and that users are able to place limits on this use.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
iPhone app privacy labels are a great idea, except when apple lets them deceive - the Washington post. https://www.washingtonpost.com/technology/2021/01/29/apple-privacy-nutrition-label/
Your Phone Is Designed Like a Slot Machine to Keep You Addicted. * Geek Insider. https://geekinsider.com/your-phone-is-designed-like-a-slot-machine-to-keep-you-addicted/
Several popular apps share data with Facebook without user consent, December 2018. https://www.ft.com/content/62f74704-0abf-11e9-9fe8-acdb36967cfc
18,000 Android apps track users by violating advertising ID policies, February 2019. https://www.bleepingcomputer.com/news/security/18-000-android-apps-track-users-by-violating-advertising-id-policies/
Permission-greedy apps delayed android 6 upgrade so they could harvest more user data, July 2019. https://zd.net/2Lp3ygE
Popular weather app collects too much user data, security experts say, January 2019. https://on.wsj.com/2XgNDnf
‘Privacy matters’ in apple’s latest iPhone ad, March 2019. https://www.theverge.com/2019/3/14/18266276/apple-iphone-ad-privacy-facetime-bug
Twelve million phones, one dataset, zero privacy, December 2019. https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html?action=click&module=Opinion&pgtype=Homepage
How much time do Americans spend on their phones in 2020?, April 2020. https://techjury.net/blog/how-much-time-does-the-average-american-spend-on-their-phone/
Agarwal, Y., Hall, M.: ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing. In: Proceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, pp. 97–110. ACM, New York (2013). https://doi.org/10.1145/2462456.2464460. http://doi.acm.org/10.1145/2462456.2464460
Assal, H., Hurtado, S., Imran, A., Chiasson, S.: What’s the deal with privacy apps? A comprehensive exploration of user perception and usability. In: Proceedings of the 14th International Conference on Mobile and Ubiquitous Multimedia, MUM 2015, pp. 25–36. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2836041.2836044
Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: AppGuard – enforcing user requirements on android apps. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 543–548. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_39
Chin, E., Felt, A.P., Sekar, V., Wagner, D.: Measuring user confidence in smartphone security and privacy. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2335356.2335358
Chitkara, S., Gothoskar, N., Harish, S., Hong, J.I., Agarwal, Y.: Does this app really need my location?: context-aware privacy management for smartphones. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 1(3), 42:1–42:22 (2017). https://doi.org/10.1145/3132029. http://doi.acm.org/10.1145/3132029
Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI 2010, Berkeley, CA, USA, pp. 393–407. USENIX Association (2010)
Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2335356.2335360
Graham, M.: Facebook launches ad campaign to defend personalized advertising ahead of Apple privacy change, February 2021. https://www.cnbc.com/2021/02/25/facebook-ad-campaign-counters-apple-idfa-privacy-change.html
Harbach, M., Hettig, M., Weber, S., Smith, M.: Using personal examples to improve risk communication for security and privacy decisions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2014, pp. 2647–2656. Association for Computing Machinery, New York (2014). https://doi.org/10.1145/2556288.2556978
IAB: Internet advertising revenue report. https://www.iab.com/wp-content/uploads/2020/05/FY19-IAB-Internet-Ad-Revenue-Report_Final.pdf
IDC: Smartphone market share. https://www.idc.com/promo/smartphone-market-share
Jeon, J., et al.: Dr. Android and Mr. Hide: fine-grained permissions in Android applications. In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, pp. 3–14. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2381934.2381938
Jha, A.K., Lee, S., Lee, W.J.: Permission-based security in Android application: from policy expert to end user. In: Proceedings of the 2015 Conference on Research in Adaptive and Convergent Systems, RACS, pp. 319–320. ACM, New York (2015). https://doi.org/10.1145/2811411.2811493. http://doi.acm.org/10.1145/2811411.2811493
Jin, H., et al.: Why are they collecting my data? Inferring the purposes of network traffic in mobile apps. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 2(4) (2018). https://doi.org/10.1145/3287051
Krach, S., Paulus, F.M., Bodden, M., Kircher, T.: The rewarding nature of social interactions. Front. Behav. Neurosci. 4 (2010). https://doi.org/10.3389/fnbeh.2010.00022. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2889690/
Krupp, B., Jesensky, D., Szampias, A.: SPEProxy: enforcing fine grained security and privacy controls on unmodified mobile devices. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), pp. 520–526, October 2017. https://doi.org/10.1109/UEMCON.2017.8248985
Krupp, B., Sridhar, N., Zhao, W.: SPE: security and privacy enhancement framework for mobile devices. IEEE Trans. Dependable Secure Comput. 14(4), 433–446 (2017). https://doi.org/10.1109/TDSC.2015.2465965
Krupp, B., Sridhar, N., Zhao, W.: An ontology for enforcing security and privacy policies on mobile devices. In: KEOD (2014)
Krupp, B., Timko, E., Cox, K., Hicks, W., Bursey, M., Banfield, C.: EMPAware: analyzing changes in user perceptions of mobile privacy on iOS with enhanced awareness. In: Proceedings of the 2021 ACM Workshop on Security and Privacy Analytics, IWSPA 2021, pp. 15–24. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/3445970.3451153
Memon, A.M., Anwar, A.: Colluding apps: tomorrow’s mobile malware threat. IEEE Secur. Priv. 13(6), 77–81 (2015). https://doi.org/10.1109/MSP.2015.143
Newman, J.: Apple and Google’s tough new location privacy controls are working, January 2020. https://www.fastcompany.com/90454921/apple-and-googles-tough-new-location-privacy-controls-are-working
Peruma, A., Palmerino, J., Krutz, D.E.: Investigating user perception and comprehension of android permission models. In: Proceedings of the 5th International Conference on Mobile Software Engineering and Systems, MOBILESoft 2018, pp. 56–66. ACM, New York (2018). https://doi.org/10.1145/3197231.3197246. http://doi.acm.org/10.1145/3197231.3197246
Reardon, J., Feal, Á., Wijesekera, P., On, A.E.B., Vallina-Rodriguez, N., Egelman, S.: 50 ways to leak your data: an exploration of apps’ circumvention of the android permissions system. In: 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, pp. 603–620. USENIX Association, August 2019
Song, Y., Hengartner, U.: PrivacyGuard: a VPN-based platform to detect information leakage on android devices. In: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2015, pp. 15–26. ACM, New York (2015). https://doi.org/10.1145/2808117.2808120. http://doi.acm.org/10.1145/2808117.2808120
Wang, H., Hong, J., Guo, Y.: Using text mining to infer the purpose of permission use in mobile apps. In: Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing, UbiComp 2015, pp. 1107–1118. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2750858.2805833
Werthmann, T., Hund, R., Davi, L., Sadeghi, A.R., Holz, T.: PSiOS: bring your own privacy & security to iOS devices. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013, pp. 13–24. ACM, New York (2013). https://doi.org/10.1145/2484313.2484316. http://doi.acm.org/10.1145/2484313.2484316
Westermann, T., Wechsung, I.: Empowering users to make informed permission request choices. In: Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services Adjunct, MobileHCI 2015, pp. 1123–1125. ACM, New York (2015). https://doi.org/10.1145/2786567.2794333. http://doi.acm.org/10.1145/2786567.2794333
Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on Android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21599-5_7. http://dl.acm.org/citation.cfm?id=2022245.2022255
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 Springer Nature Switzerland AG
About this paper
Cite this paper
Krupp, B. (2022). Rethinking the Limits of Mobile Operating System Permissions. In: Garcia-Alfaro, J., Muñoz-Tapia, J.L., Navarro-Arribas, G., Soriano, M. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2021 2021. Lecture Notes in Computer Science(), vol 13140. Springer, Cham. https://doi.org/10.1007/978-3-030-93944-1_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-93944-1_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-93943-4
Online ISBN: 978-3-030-93944-1
eBook Packages: Computer ScienceComputer Science (R0)