Skip to main content
SpringerLink
Log in

Rethinking the Limits of Mobile Operating System Permissions

  • Conference paper
  • First Online:
Data Privacy Management, Cryptocurrencies and Blockchain Technology (DPM 2021, CBT 2021)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 13140))

  • 1001 Accesses

Abstract

Since the introduction of the iPhone in 2007, smartphones continue to have a more disruptive role in our society. The average person spends over five hours per day using their device and research has shown intentional addictive design elements in popular applications to maximize user interaction time. While smartphones have provided new capabilities that did not exist previously, it has also allowed the limitless collection of personal data that is both sensed, inferred, and stored on the device. With millions of applications available in both the App Store and Google Play, research has shown mobile applications frequently abuse granted permissions and are not truthful in permission requests. Given a coarse-grained permission model, applications can retrieve and transmit data as frequent as possible without limit, and send data to any service without the user being aware. Only recently did mobile operating system producers start to introduce more fine-grained controls. In this paper, we examine the evolution of these controls since the widespread adoption of smartphones and examine the current trends. We describe research that has provided both an improved awareness of privacy and supplemental controls for users. We also describe the shortcomings of these solutions and provide suggestions to the current permission model to limit the amount of data that can be accessed and transmitted from the device. Given the data that is available from mobile devices, it is imperative that users have more transparency in how mobile applications use their data, and that users are able to place limits on this use.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 64.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 84.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

References

  1. iPhone app privacy labels are a great idea, except when apple lets them deceive - the Washington post. https://www.washingtonpost.com/technology/2021/01/29/apple-privacy-nutrition-label/

  2. Your Phone Is Designed Like a Slot Machine to Keep You Addicted. * Geek Insider. https://geekinsider.com/your-phone-is-designed-like-a-slot-machine-to-keep-you-addicted/

  3. Several popular apps share data with Facebook without user consent, December 2018. https://www.ft.com/content/62f74704-0abf-11e9-9fe8-acdb36967cfc

  4. 18,000 Android apps track users by violating advertising ID policies, February 2019. https://www.bleepingcomputer.com/news/security/18-000-android-apps-track-users-by-violating-advertising-id-policies/

  5. Permission-greedy apps delayed android 6 upgrade so they could harvest more user data, July 2019. https://zd.net/2Lp3ygE

  6. Popular weather app collects too much user data, security experts say, January 2019. https://on.wsj.com/2XgNDnf

  7. ‘Privacy matters’ in apple’s latest iPhone ad, March 2019. https://www.theverge.com/2019/3/14/18266276/apple-iphone-ad-privacy-facetime-bug

  8. Twelve million phones, one dataset, zero privacy, December 2019. https://www.nytimes.com/interactive/2019/12/19/opinion/location-tracking-cell-phone.html?action=click&module=Opinion&pgtype=Homepage

  9. How much time do Americans spend on their phones in 2020?, April 2020. https://techjury.net/blog/how-much-time-does-the-average-american-spend-on-their-phone/

  10. Agarwal, Y., Hall, M.: ProtectMyPrivacy: detecting and mitigating privacy leaks on iOS devices using crowdsourcing. In: Proceeding of the 11th Annual International Conference on Mobile Systems, Applications, and Services, MobiSys 2013, pp. 97–110. ACM, New York (2013). https://doi.org/10.1145/2462456.2464460. http://doi.acm.org/10.1145/2462456.2464460

  11. Assal, H., Hurtado, S., Imran, A., Chiasson, S.: What’s the deal with privacy apps? A comprehensive exploration of user perception and usability. In: Proceedings of the 14th International Conference on Mobile and Ubiquitous Multimedia, MUM 2015, pp. 25–36. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2836041.2836044

  12. Backes, M., Gerling, S., Hammer, C., Maffei, M., von Styp-Rekowsky, P.: AppGuard – enforcing user requirements on android apps. In: Piterman, N., Smolka, S.A. (eds.) TACAS 2013. LNCS, vol. 7795, pp. 543–548. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-36742-7_39

    Chapter  Google Scholar 

  13. Chin, E., Felt, A.P., Sekar, V., Wagner, D.: Measuring user confidence in smartphone security and privacy. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2335356.2335358

  14. Chitkara, S., Gothoskar, N., Harish, S., Hong, J.I., Agarwal, Y.: Does this app really need my location?: context-aware privacy management for smartphones. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 1(3), 42:1–42:22 (2017). https://doi.org/10.1145/3132029. http://doi.acm.org/10.1145/3132029

  15. Enck, W., et al.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, OSDI 2010, Berkeley, CA, USA, pp. 393–407. USENIX Association (2010)

    Google Scholar 

  16. Felt, A.P., Ha, E., Egelman, S., Haney, A., Chin, E., Wagner, D.: Android permissions: user attention, comprehension, and behavior. In: Proceedings of the Eighth Symposium on Usable Privacy and Security, SOUPS 2012. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2335356.2335360

  17. Graham, M.: Facebook launches ad campaign to defend personalized advertising ahead of Apple privacy change, February 2021. https://www.cnbc.com/2021/02/25/facebook-ad-campaign-counters-apple-idfa-privacy-change.html

  18. Harbach, M., Hettig, M., Weber, S., Smith, M.: Using personal examples to improve risk communication for security and privacy decisions. In: Proceedings of the SIGCHI Conference on Human Factors in Computing Systems, CHI 2014, pp. 2647–2656. Association for Computing Machinery, New York (2014). https://doi.org/10.1145/2556288.2556978

  19. IAB: Internet advertising revenue report. https://www.iab.com/wp-content/uploads/2020/05/FY19-IAB-Internet-Ad-Revenue-Report_Final.pdf

  20. IDC: Smartphone market share. https://www.idc.com/promo/smartphone-market-share

  21. Jeon, J., et al.: Dr. Android and Mr. Hide: fine-grained permissions in Android applications. In: Proceedings of the Second ACM Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2012, pp. 3–14. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2381934.2381938

  22. Jha, A.K., Lee, S., Lee, W.J.: Permission-based security in Android application: from policy expert to end user. In: Proceedings of the 2015 Conference on Research in Adaptive and Convergent Systems, RACS, pp. 319–320. ACM, New York (2015). https://doi.org/10.1145/2811411.2811493. http://doi.acm.org/10.1145/2811411.2811493

  23. Jin, H., et al.: Why are they collecting my data? Inferring the purposes of network traffic in mobile apps. Proc. ACM Interact. Mob. Wearable Ubiquitous Technol. 2(4) (2018). https://doi.org/10.1145/3287051

  24. Krach, S., Paulus, F.M., Bodden, M., Kircher, T.: The rewarding nature of social interactions. Front. Behav. Neurosci. 4 (2010). https://doi.org/10.3389/fnbeh.2010.00022. https://www.ncbi.nlm.nih.gov/pmc/articles/PMC2889690/

  25. Krupp, B., Jesensky, D., Szampias, A.: SPEProxy: enforcing fine grained security and privacy controls on unmodified mobile devices. In: 2017 IEEE 8th Annual Ubiquitous Computing, Electronics and Mobile Communication Conference (UEMCON), pp. 520–526, October 2017. https://doi.org/10.1109/UEMCON.2017.8248985

  26. Krupp, B., Sridhar, N., Zhao, W.: SPE: security and privacy enhancement framework for mobile devices. IEEE Trans. Dependable Secure Comput. 14(4), 433–446 (2017). https://doi.org/10.1109/TDSC.2015.2465965

    Article  Google Scholar 

  27. Krupp, B., Sridhar, N., Zhao, W.: An ontology for enforcing security and privacy policies on mobile devices. In: KEOD (2014)

    Google Scholar 

  28. Krupp, B., Timko, E., Cox, K., Hicks, W., Bursey, M., Banfield, C.: EMPAware: analyzing changes in user perceptions of mobile privacy on iOS with enhanced awareness. In: Proceedings of the 2021 ACM Workshop on Security and Privacy Analytics, IWSPA 2021, pp. 15–24. Association for Computing Machinery, New York (2021). https://doi.org/10.1145/3445970.3451153

  29. Memon, A.M., Anwar, A.: Colluding apps: tomorrow’s mobile malware threat. IEEE Secur. Priv. 13(6), 77–81 (2015). https://doi.org/10.1109/MSP.2015.143

    Article  Google Scholar 

  30. Newman, J.: Apple and Google’s tough new location privacy controls are working, January 2020. https://www.fastcompany.com/90454921/apple-and-googles-tough-new-location-privacy-controls-are-working

  31. Peruma, A., Palmerino, J., Krutz, D.E.: Investigating user perception and comprehension of android permission models. In: Proceedings of the 5th International Conference on Mobile Software Engineering and Systems, MOBILESoft 2018, pp. 56–66. ACM, New York (2018). https://doi.org/10.1145/3197231.3197246. http://doi.acm.org/10.1145/3197231.3197246

  32. Reardon, J., Feal, Á., Wijesekera, P., On, A.E.B., Vallina-Rodriguez, N., Egelman, S.: 50 ways to leak your data: an exploration of apps’ circumvention of the android permissions system. In: 28th USENIX Security Symposium (USENIX Security 19), Santa Clara, CA, pp. 603–620. USENIX Association, August 2019

    Google Scholar 

  33. Song, Y., Hengartner, U.: PrivacyGuard: a VPN-based platform to detect information leakage on android devices. In: Proceedings of the 5th Annual ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices, SPSM 2015, pp. 15–26. ACM, New York (2015). https://doi.org/10.1145/2808117.2808120. http://doi.acm.org/10.1145/2808117.2808120

  34. Wang, H., Hong, J., Guo, Y.: Using text mining to infer the purpose of permission use in mobile apps. In: Proceedings of the 2015 ACM International Joint Conference on Pervasive and Ubiquitous Computing, UbiComp 2015, pp. 1107–1118. Association for Computing Machinery, New York (2015). https://doi.org/10.1145/2750858.2805833

  35. Werthmann, T., Hund, R., Davi, L., Sadeghi, A.R., Holz, T.: PSiOS: bring your own privacy & security to iOS devices. In: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, ASIA CCS 2013, pp. 13–24. ACM, New York (2013). https://doi.org/10.1145/2484313.2484316. http://doi.acm.org/10.1145/2484313.2484316

  36. Westermann, T., Wechsung, I.: Empowering users to make informed permission request choices. In: Proceedings of the 17th International Conference on Human-Computer Interaction with Mobile Devices and Services Adjunct, MobileHCI 2015, pp. 1123–1125. ACM, New York (2015). https://doi.org/10.1145/2786567.2794333. http://doi.acm.org/10.1145/2786567.2794333

  37. Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming information-stealing smartphone applications (on Android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21599-5_7. http://dl.acm.org/citation.cfm?id=2022245.2022255

Download references

Author information

Authors and Affiliations

  1. Baldwin Wallace University, Berea, OH, 44286, USA

    Brian Krupp

Authors
  1. Brian Krupp
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Brian Krupp .

Editor information

Editors and Affiliations

  1. Institut Polytechnique de Paris, Palaiseau, France

    Joaquin Garcia-Alfaro

  2. Universitat Politècnica de Catalunya, Barcelona, Spain

    Jose Luis Muñoz-Tapia

  3. Universitat Autonoma de Barcelona, Bellaterra, Spain

    Guillermo Navarro-Arribas

  4. Universitat Politècnica de Catalunya, Barcelona, Spain

    Miguel Soriano

Rights and permissions

Reprints and permissions

Copyright information

© 2022 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Krupp, B. (2022). Rethinking the Limits of Mobile Operating System Permissions. In: Garcia-Alfaro, J., Muñoz-Tapia, J.L., Navarro-Arribas, G., Soriano, M. (eds) Data Privacy Management, Cryptocurrencies and Blockchain Technology. DPM CBT 2021 2021. Lecture Notes in Computer Science(), vol 13140. Springer, Cham. https://doi.org/10.1007/978-3-030-93944-1_4

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-93944-1_4

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-93943-4

  • Online ISBN: 978-3-030-93944-1

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation