DOI: 10.1145/2766498.2766506

Securacy: an empirical investigation of Android applications' network usage, privacy and security

Published: 22 June 2015

Abstract

Smartphone users do not fully know what their apps do. For example, an application's network usage and underlying security configuration are invisible to users. In this paper we introduce Securacy, a mobile app that explores users' privacy and security concerns with Android apps. Securacy takes a reactive, personalized approach, highlighting app permission settings that the user has previously stated are concerning, and provides feedback on the use of secure and insecure network communication for each app. We began our design of Securacy by conducting a literature review and in-depth interviews with 30 participants to understand their concerns. We used this knowledge to build Securacy and evaluated its use by another set of 218 anonymous participants who installed the application from the Google Play store. Our results show that access to address book information is by far the biggest privacy concern. Over half (56.4%) of the connections made by apps are insecure, and the destination of the majority of network traffic is North America, regardless of the location of the user. Our app provides unprecedented insight into Android applications' communications behavior globally, indicating that the majority of apps currently use insecure network connections.

      Published In

      WiSec '15: Proceedings of the 8th ACM Conference on Security & Privacy in Wireless and Mobile Networks
      June 2015
      256 pages
      ISBN:9781450336239
      DOI:10.1145/2766498

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Author Tags

      1. applications
      2. context
      3. experience sampling
      4. network
      5. privacy

      Qualifiers

      • Research-article

      Conference

      WiSec'15
      Sponsor:
      • SIGSAC
      • US Army Research Office
      • NSF

      Acceptance Rates

      Overall Acceptance Rate 98 of 338 submissions, 29%
