Pervasive and Mobile Computing

Volume 42, December 2017, Pages 58-76
Review
A survey on the evolution of privacy enforcement on smartphones and the road ahead

https://doi.org/10.1016/j.pmcj.2017.09.005

Abstract

With the increasing proliferation of smartphones, enforcing privacy of smartphone users becomes evermore important. Nowadays, one of the major privacy challenges is the tremendous amount of permissions requested by applications, which can significantly invade users’ privacy, often without their knowledge. In this paper, we provide a comprehensive review of approaches that can be used to report on applications’ permission usage, tune permission access, contain sensitive information, and nudge users towards more privacy-conscious behavior. We discuss key shortcomings of privacy enforcement on smartphones so far and identify suitable actions for the future.

Introduction

Recent years have shown a tremendous increase in the worldwide adoption of smartphones [1]. According to the market analyst International Data Corporation, more than 340 million new smartphones are sold every quarter [1]. In contrast to traditional mobile phones, smartphones provide users with more features, as they are equipped with various sensors and usually provide a continuous Internet connection [2], [3]. Still, the limited resources of smartphones, especially with respect to computational power, storage space, and energy, call for outsourcing computation- and storage-intensive tasks, most notably to cloud services [3], [4]. As a result, smartphones are nowadays frequently used in combination with cloud services to have data available everywhere and at all times [5].

At the same time, the mobile operating system market is almost entirely shared between Android, iOS, and Windows Phone [1]. While the Android system is mostly open-source and as of 2017 has the largest market share of shipped units (85%), iOS and Windows Phone, as proprietary systems, achieve market shares of 14.7% and 0.1%, respectively [1]. All these mobile operating systems have in common that they allow users to install third-party applications, i.e., software that is not necessarily tested in any way by the smartphone manufacturer or network operator. Usually, this software is obtained through an official store, such as the Play Store on Android or the App Store on iOS [6]. These stores allow a user to simply install an application on her device to extend its functionality. While third-party applications offer enormous benefits to the user, they can also be the cause of severe privacy problems, as the user does not know how they behave. As these applications typically have permission to access the Internet, they can upload all accessible private information of a user to remote servers, often located in the cloud. For example, when first launched, WhatsApp transfers the phone’s contact list to its cloud servers [7].

Notably, protecting privacy is a more complex and delicate challenge on smartphones than on traditional computers. First, smartphones possess a large variety of sensors that can be used to monitor and track users in detail [8]. For example, a GPS sensor can accurately report the position of a user. Second, the usage frequency has increased in comparison to traditional computers: nowadays, a user interacts with her smartphone throughout the day [8]. Hence, the protection of privacy and the leakage of private data concern everybody. Modern computing power allows a large amount of information to be processed in real time, i.e., various data sources can be combined to generate a complex user profile [5]. For example, a messenger might track from where and with whom a user is communicating. As more and more tasks, such as shopping, maintaining the calendar, or tracking individual health, are performed with smartphones [5], private data becomes more valuable and worth protecting. On smartphones, the gathered information is more detailed and extensive than ever before, and this data reveals an alarming amount of private information about the respective user.

This valuable information is one important reason why applications disrespect the user’s privacy [9]: companies are willing to invest more money into personalized advertisement than into presenting the same ad on every device, thus reaching their target audience with a higher probability [9]. Due to intense competition, developers of smartphone applications often offer their applications for free and instead present advertisements to users during usage [10]. A recent example is Amazon Underground, an application store for Android, which offers all applications for free.1 In this setting, the developer is paid for the duration her application is in use. At the same time, Amazon utilizes the user’s usage data, in other words her privacy, to improve recommendations for the user [12].

Hence, it is of utmost importance to protect this private information against third parties. However, companies aim to utilize this information to increase their revenue. Mobile operating systems try to protect their users by restricting data access and by applying various concepts of information security, such as access control, the principle of least privilege, and sandboxing [13]. However, these measures mostly target malicious applications. Privacy-invading applications are not (yet) classified as malicious, and hence, the user’s privacy is not significantly protected by today’s mobile operating systems [6], [14]. This leads to a situation where the user is essentially surveilled by applications running on her own smartphone [5]. As discontinuing the usage of smartphone applications is neither a feasible nor a realistic solution, the most reasonable approach is to restrict the access of applications to sensitive information on the mobile system [8]. Ideally, such functionality should be provided by the mobile operating system itself. Indeed, current mobile operating systems already offer this functionality through a permission management system [6]. However, the user’s capability to protect her privacy with such a system is severely limited. We observe that the available options are either not fine-grained enough for reasonable privacy enforcement or do not allow for repeated adjustment, e.g., when a user’s perception of privacy evolves [15]. Therefore, researchers and developers propose several implementations and concepts to extend existing embedded permission management systems and to overcome their shortcomings (e.g., [5], [16]). Furthermore, because users tend to be lazy, nudging [17], [18] employs different mechanisms to trigger user interaction with the goal of a more privacy-friendly system configuration.

In this paper, we review the evolution of privacy enforcement on smartphones and provide an insight into expected future developments. By explicitly taking past developments in privacy enforcement on smartphones into consideration, we not only derive a solid reasoning why current mobile operating systems implement privacy enforcement the way they do, but can also extrapolate which of the proposed more advanced privacy enforcement systems are most likely to actually be integrated into mobile operating systems. More specifically, our contributions in this paper are as follows:

  1. We rigorously analyze the development of privacy-enforcing solutions on smartphones, group them based on different levels of privacy enforcement, and extensively compare their strengths and weaknesses. We show that no solution is suitable for properly enforcing privacy and at the same time offering reasonable usability to users.

  2. Additionally, we extract key findings of recent studies related to nudging privacy on smartphones, an approach that aims to inform and remind inexperienced users about their privacy.

  3. Based on this, we identify shortcomings and challenges of privacy enforcement on smartphones, which can be categorized into the solution’s usability, users’ ignorance, and conceptual problems.

The remainder of this paper is structured as follows. We present the concept of permission management and its implementations in mobile operating systems in Section 2. In Section 3, we introduce more advanced solutions to enforce privacy on smartphones. Subsequently, we present a wide range of approaches to nudge privacy on smartphones in Section 4. We identify shortcomings and open challenges of privacy enforcement on smartphones in Section 5 before we conclude this paper in Section 6.

Section snippets

Permission management on smartphones

Most functionality, i.e., resources, of a smartphone is protected by APIs for security purposes. Hence, access to this functionality is only granted with the corresponding permission. For example, the user’s location or the user’s contact list are protected and can only be read by applications that have the appropriate permissions. This mechanism protects against misuse of any kind. During development of an application, the developer has to declare all required permissions, which allows the
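As an added illustration of the permission mechanism described above (example code written for this page, not taken from the survey or from any of the systems it reviews), the following Android Activity reads the contact list only after the user has granted the corresponding permission at runtime. It assumes the app’s manifest declares `android.permission.READ_CONTACTS` and that the androidx support libraries are available; `ContactsActivity` and `countContacts` are hypothetical names.

```java
// Added example: runtime gate in front of a permission-protected resource (the contacts provider).
// Assumes <uses-permission android:name="android.permission.READ_CONTACTS"/> in the manifest.
import android.Manifest;
import android.content.pm.PackageManager;
import android.database.Cursor;
import android.os.Bundle;
import android.provider.ContactsContract;
import android.widget.Toast;
import androidx.annotation.NonNull;
import androidx.appcompat.app.AppCompatActivity;
import androidx.core.app.ActivityCompat;
import androidx.core.content.ContextCompat;

public class ContactsActivity extends AppCompatActivity {
    private static final int REQ_READ_CONTACTS = 42; // arbitrary request code

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // The contacts provider is protected by READ_CONTACTS: check before touching it.
        if (ContextCompat.checkSelfPermission(this, Manifest.permission.READ_CONTACTS)
                == PackageManager.PERMISSION_GRANTED) {
            countContacts();
        } else {
            // Request exactly the one permission needed, at the point where it is needed.
            ActivityCompat.requestPermissions(this,
                    new String[]{Manifest.permission.READ_CONTACTS}, REQ_READ_CONTACTS);
        }
    }

    @Override
    public void onRequestPermissionsResult(int requestCode, @NonNull String[] permissions,
                                           @NonNull int[] grantResults) {
        super.onRequestPermissionsResult(requestCode, permissions, grantResults);
        if (requestCode != REQ_READ_CONTACTS) return;
        // The user may deny now or revoke later in Settings; the app must keep working without the data.
        if (grantResults.length > 0 && grantResults[0] == PackageManager.PERMISSION_GRANTED) {
            countContacts();
        } else {
            Toast.makeText(this, "Contacts unavailable: permission denied", Toast.LENGTH_SHORT).show();
        }
    }

    // Reads only what the feature needs (a row count), not the whole address book.
    private void countContacts() {
        try (Cursor c = getContentResolver().query(
                ContactsContract.Contacts.CONTENT_URI, null, null, null, null)) {
            int n = (c == null) ? 0 : c.getCount();
            Toast.makeText(this, n + " contacts readable", Toast.LENGTH_SHORT).show();
        }
    }
}
```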

Privacy enforcement on smartphones

Privacy is an important challenge in the context of smartphones [5], as a large amount of sensitive data can leak from the device. Hence, users interested in privacy enforcement want to use the best method available to enforce their privacy. For this reason, we deliberately refrain from presenting static analysis approaches in this paper. These approaches are well known from the analysis of malware [27] as well as of the privacy-related behavior of applications [28], [29], and existing tools support

Nudging privacy on smartphones

A wide range of different approaches to enforce privacy on smartphones are implemented in mobile operating systems (cf. Section 3). Most of these approaches have in common that they require extensive user interaction, e.g., to repeatedly react to (presented) privacy leaks and adjust the granted permissions accordingly [5], [17], [44]. These approaches to privacy enforcement are hence only successful if users are actively and continuously using them to review and configure their privacy

Discussion and outlook to the future

So far, we have focused on various concepts to enforce privacy on smartphones. Additionally, we looked at nudging, which attempts to solve the problem of users’ ignorance or laziness in the context of privacy enforcement. Overall, no ideal solution exists today, as all solutions typically involve a trade-off between the level of user manipulation and usability. Furthermore, privacy and, thus, privacy enforcement is a highly subjective topic, i.e., no single solution is likely to work for all users

Conclusion

Privacy enforcement is a tremendous challenge for smartphone users today. The reasons for this are diverse: On the one hand, users are not experienced enough to understand the correlation between permissions granted to applications and privacy leaks (cf. Section 4). On the other hand, solutions to deal with these problems are not ideal, i.e., they often offer poor usability or an insufficient level of user manipulation (cf. Section 3). In this paper, we compared existing solutions and

Acknowledgments

This work has in parts been funded by the German Federal Ministry of Education and Research (BMBF) under project funding reference number 16KIS0351 (TRINICS). The responsibility for the content of this publication lies with the authors.

References (97)

  • Henze, M. et al., A comprehensive approach to privacy in the cloud-based internet of things, Future Gener. Comput. Syst. (2016)
  • IDC Research Inc., Smartphone OS Market Share, 2017 Q1, 2017. URL...
  • Roesner, F. et al., User-driven access control: Rethinking permission granting in modern operating systems
  • Ferreira, D. et al., Securacy: An empirical investigation of android applications’ network usage, privacy and security
  • Enck, W. et al., TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones
  • Asokan, N. et al.
  • WhatsApp Inc., Why does WhatsApp use my phone number and my address book? 2016. URL...
  • Gibler, C. et al., AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale
  • Pearce, P. et al., AdDroid: Privilege separation for applications and advertisers in android
  • Shekhar, S. et al., AdSplit: Separating smartphone advertising from applications
  • B. Young, Announcement: Amazon Underground Actually Free Program, 2017. URL...
  • Amazon.com Inc., Amazon Underground, 2016. URL https://developer.amazon.com/public/solutions/underground (accessed...
  • Elenkov, N., Android Security Internals: An In-depth Guide to Android’s Security Architecture (2014)
  • Spensky, C. et al., SoK: Privacy on mobile devices – it’s complicated
  • Henze, M. et al., User-driven privacy enforcement for cloud-based services in the internet of things
  • Nauman, M. et al., Apex: Extending android permission model and enforcement with user-defined runtime constraints
  • Almuhimedi, H. et al., Your location has been shared 5,398 times!: A field study on mobile app privacy nudging
  • Balebako, R. et al., “Little brothers watching you”: Raising awareness of data leaks on smartphones
  • Felt, A.P. et al., How to ask for permission
  • Google Inc., Android Developers, 2016. URL https://developer.android.com/ (accessed...
  • Google Inc., Android Developers - Permissions, 2016. URL...
  • Fratantonio, Y. et al., ARTist: The android runtime instrumentation and security toolkit
  • Apple Inc., iOS Developer Library - Supported Capabilities, 2016. URL...
  • Microsoft, Windows Dev Center - App capabilities, 2016. URL...
  • Sellwood, J. et al., Sleeping android: The danger of dormant permissions
  • Xing, L. et al., Upgrading your android, elevating my malware: Privilege escalation through mobile os updating
  • Xu, W. et al., Permlyzer: Analyzing permission usage in Android applications
  • Rosen, S. et al., AppProfiler: A flexible method of exposing privacy-related behavior in android applications to end users
  • Ren, J. et al., ReCon: Revealing and controlling PII leaks in mobile network traffic
  • Reshetova, E. et al., SELint: An SEAndroid policy analysis tool
  • Tiwari, P.K. et al., Android users security via permission based analysis
  • Henze, M. et al., Towards transparent information on individual cloud service usage
  • Harkous, H. et al., The curious case of the pdf converter that likes mozart: Dissecting and mitigating the privacy risk of personal cloud apps
  • Henze, M. et al., Veiled in clouds? Assessing the prevalence of cloud computing in the email landscape
  • Le, A. et al., AntMonitor: A system for monitoring from mobile devices
  • Rahulamathavan, Y. et al., An analysis of tracking settings in blackberry 10 and windows phone 8 smartphones
  • F-Secure Corporation, Play Store - F-Secure App Permissions, 2015. URL...
  • Qian, C. et al., On tracking information flows through JNI in android applications
  • Sun, M. et al., TaintART: A practical multi-level information-flow tracking system for android runtime
  • A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich, P. Gill, M. Allman, V. Paxson, Haystack: In Situ...
  • Rastogi, V. et al., Uranine: Real-time privacy leakage monitoring without system modification for android
  • Rashidi, B. et al., Android fine-grained permission control system with real-time expert recommendations
  • Lamian, Play Store - LBE (Root), 2015. URL https://play.google.com/store/apps/details?id=com.lbe.security (accessed...
  • Backes, M. et al., AppGuard: Enforcing user requirements on android apps
  • Backes, M. et al., ARTist: The android runtime instrumentation and security toolkit
  • Zhang, M. et al., Efficient, context-aware privacy leakage confinement for android applications without firmware modding
  • Biswas, S. et al., Android permissions management at app installing, Int. J. Secur. Appl. (2016)
  • Roesner, F. et al., Securing embedded user interfaces: Android and beyond
