Nisha Vinayaga-Sureshkanth
ABSTRACT
E-scooter rental services have significantly expanded the micromobility paradigm of short-distance urban and suburban transportation since their inception in 2017. Service providers around the world have followed a common rental model wherein customers (i.e., riders or users) download and install a mobile application for locating (finding) and renting e-scooters. Unlike many other app categories, e-scooter rental apps require a set of privacy-sensitive user data as a functional requirement. Unfortunately, privacy-related questions such as how much user data is being collected by these apps, is user data being safely handled once acquired, and with whom the collected user data is being shared are not readily known to customers. Answering such questions can be critical for users in determining which e-scooter rental services are sufficiently trustworthy per their personal privacy preferences. In this paper, we conduct a comprehensive analysis of e-scooter rental apps to answer these and other research questions related to user data collection, third-party involvement, usefulness of privacy policies, and evolution of user data management by different e-scooter apps/services over time. Our findings will create awareness among consumers vis-à-vis the data they share with service providers in return for the received e-scooter rental service, and it can also evoke more accountability and transparency from service providers towards their efforts and processes on protecting consumer privacy.
- AppCensus. https://search.appcensus.io, 2020. [Online; accessed 20-August-2020].Google Scholar
- Androguard. https://github.com/androguard/androguard, 2021. [Online; accessed 15-June-2021].Google Scholar
- Ghidra Software Reverse Engineering Framework. https://github.com/NationalSecurityAgency/ghidra, 2021. [Online; accessed 10-July-2021].Google Scholar
- Google Play. https://play.google.com/store/apps, 2021. [Online; accessed 22-June-2021].Google Scholar
- Google Play Services Activity Recognition. https://developers.google.com/android/reference/com/google/android/gms/location/ActivityRecognition, 2021. [Online; accessed 18-May-2021].Google Scholar
- Google Translate. https://translate.google.com, 2021. [Online; accessed 24-June-2021].Google Scholar
- Mobile Security Framework (MobSF). https://github.com/MobSF/Mobile-Security-Framework-MobSF, 2021. [Online; accessed 15-June-2021].Google Scholar
- VirtualAPK. https://github.com/didi/VirtualAPK, 2021. [Online; accessed 26-June-2021].Google Scholar
- WhoTracks.me - Bringing Transparency to Online Tracking. https://developer.android.com/studio, 2021. [Online; accessed 20-June-2021].Google Scholar
- Lime 2nd Street. New Parked Or Not Feature Lets Riders Rate Proper Scooter Parking. https://www.li.me/second-street/parked-or-not-feature-riders-rate-scooter-parking, 2018. [Online; accessed 11-June-2021].Google Scholar
- Jagdish Prasad Achara, James-Douglass Lefruit, Vincent Roca, and Claude Castelluccia. Detecting privacy leaks in the ratp app: How we proceeded and what we found. Journal of Computer Virology and Hacking Techniques, 10(4):229--238, 2014.Google ScholarCross Ref
- Suzan Ali, Mounir Elgharabawy, Quentin Duchaussoy, Mohammad Mannan, and Amr Youssef. Betrayed by the guardian: Security and privacy risks of parental control solutions. In Annual Computer Security Applications Conference, pages 69--83, 2020.Google ScholarDigital Library
- Kevin Allix, Tegawendé F Bissyandé, Jacques Klein, and Yves Le Traon. Androzoo: Collecting millions of android apps for the research community. In 2016 IEEE/ACM 13th Working Conference on Mining Software Repositories (MSR), pages 468--471. IEEE, 2016.Google ScholarDigital Library
- Jonathan Anderson. Lix and rix: Variations on a little-known readability index. Journal of Reading, 26(6):490--496, 1983.Google Scholar
- Benjamin Andow, Samin Yaseer Mahmud, Justin Whitaker, William Enck, Bradley Reaves, Kapil Singh, and Serge Egelman. Actions speak louder than words: Entity-sensitive privacy policy and data flow analysis with policheck. In 29th USENIX Security Symposium (USENIX Security 20), pages 985--1002, 2020.Google Scholar
- The Internet Archive. Digital library of Free And Borrowable Books, Movies, Music And Wayback Machine. https://archive.org, 2021. [Online; accessed 25-June-2021].Google Scholar
- Austin Transportation Department (ATD). Shared Mobility Services. https://austintexas.gov/sharedmobility, 2020. [Online; accessed 11-May-2021].Google Scholar
- Mariam Bachiri, Ali Idri, José Luis Fernández-Alemán, and Ambrosio Toval. Evaluating the privacy policies of mobile personal health records for pregnancy monitoring. Journal of medical systems, 42(8):144, 2018.Google Scholar
- Benjamin Baron and Mirco Musolesi. Where you go matters: A study on the privacy implications of continuous location tracking. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, 4(4):1--32, 2020.Google ScholarDigital Library
- Benjamin Bichsel, Veselin Raychev, Petar Tsankov, and Martin Vechev. Statistical deobfuscation of android applications. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, pages 343--355, 2016.Google ScholarDigital Library
- Judith Bogert. In defense of the fog index. The Bulletin of the Association for Business Communication, 48(2):9--12, 1985.Google ScholarCross Ref
- BoxerCycles. Scooter Share Companies in the US. https://boxercycles.com/scooter-share-companies, 2020. [Online; accessed 11-May-2021].Google Scholar
- Dan Boxler and Kristen R Walcott. Static taint analysis tools to detect information flows. In Proceedings of the International Conference on Software Engineering Research and Practice (SERP), pages 46--52. The Steering Committee of The World Congress in Computer Science, 2018.Google Scholar
- Paolo Calciati, Konstantin Kuznetsov, Alessandra Gorla, and Andreas Zeller. Automatically granted permissions in android apps: An empirical study on their prevalence and on the potential threats for privacy. In Proceedings of the 17th International Conference on Mining Software Repositories, pages 114--124, 2020.Google ScholarDigital Library
- John Caylor, Thoman Stict, and J Patrick Ford. The forcast readability formula. Literacy Discussion. International Institute for Adult Literacy: UNESCO, 67:68, 1973.Google Scholar
- Cheng Chang, Huaxin Li, Yichi Zhang, Suguo Du, Hui Cao, and Haojin Zhu. Automated and personalized privacy policy extraction under gdpr consideration. In International Conference on Wireless Algorithms, Systems, and Applications, pages 43--54. Springer, 2019.Google ScholarCross Ref
- Christina Charitou, Dimitrios G Kogias, Spyros E Polykalas, Charalampos Z Patrikakis, and Ioana Cristina Cotoi. Use of apps for crime reporting and the eu general data protection regulation. In Societal implications of community-oriented policing and technology, pages 55--61. Springer, Cham, 2018.Google ScholarCross Ref
- Hai-Hon Chen. How to use readability formulas to access and select english reading materials. Journal of Educational Media & Library Sciences, 50(2), 2012.Google Scholar
- Sen Chen, Ting Su, Lingling Fan, Guozhu Meng, Minhui Xue, Yang Liu, and Lihua Xu. Are mobile banking apps secure? what can be improved? In Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pages 797--802. ACM, 2018.Google ScholarDigital Library
- Hui Na Chua, Anthony Herbland, Siew Fan Wong, and Younghoon Chang. Compliance to personal data protection principles: A study of how organizations frame privacy policy notices. Telematics and Informatics, 34(4):157--170, 2017.Google ScholarDigital Library
- Regina R Clewlow. The Micro-Mobility Revolution: The Introduction and Adoption of Electric Scooters in the United States. https://medium.com/populus-ai/the-micro-mobility-revolution-95e396db3754, 2018. [Online; accessed 11-May-2021].Google Scholar
- Caitlin D Cottrill. Maas surveillance: Privacy considerations in mobility as a service. Transportation Research Part A: Policy and Practice, 131:50--57, 2020.Google ScholarCross Ref
- Hesham Darvish and Mohammad Husain. Security analysis of mobile money applications on android. In 2018 IEEE International Conference on Big Data (Big Data), pages 3072--3078. IEEE, 2018.Google ScholarCross Ref
- Android Developers. Android Studio. https://developer.android.com/studio, 2021. [Online; accessed 16-June-2021].Google Scholar
- William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N Sheth. Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS), 32(2):1--29, 2014.Google Scholar
- Mojtaba Eskandari, Bruno Kessler, Maqsood Ahmad, Anderson Santana de Oliveira, and Bruno Crispo. Analyzing remote server locations for personal data transfers in mobile apps. Proceedings on Privacy Enhancing Technologies, 2017(1):118--131, 2017.Google ScholarCross Ref
- Exodus-Privacy. Exodus. https://github.com/Exodus-Privacy/exodus, 2021. [Online; accessed 11-June-2021].Google Scholar
- Benjamin Fabian, Tatiana Ermakova, and Tino Lentz. Large-scale readability analysis of privacy policies. In Proceedings of the international conference on web intelligence, pages 18--25, 2017.Google ScholarDigital Library
- Zheran Fang, Weili Han, and Yingjiu Li. Permission based android security: Issues and countermeasures. computers & security, 43:205--218, 2014.Google Scholar
- Kassem Fawaz and Kang G Shin. Location privacy protection for smartphone users. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 239--250, 2014.Google ScholarDigital Library
- Álvaro Feal, Paolo Calciati, Narseo Vallina-Rodriguez, Carmela Troncoso, and Alessandra Gorla. Angel or devil? a privacy study of mobile parental control apps. Proceedings of Privacy Enhancing Technologies (PoPETS), 2020, 2020.Google ScholarCross Ref
- Álvaro Feal Fajardo. Study on privacy of parental control mobile applications. PhD thesis, ETSI Informatica, 2017.Google Scholar
- R Flesch. A new readability yardstick. In Journal of Applied Psychology, 1948.Google ScholarCross Ref
- Geoffrey A Fowler. One of the first contact-tracing apps violates its own privacy policy. https://www.washingtonpost.com/technology/2020/05/21/care19-dakota-privacy-coronavirus/, 2020. [Online; accessed 11-May-2021].Google Scholar
- FSecureLABS. Drozer: The Leading Security Assessment Framework for Android. https://github.com/FSecureLABS/drozer, 2021. [Online; accessed 14-June-2021].Google Scholar
- Clint Gibler, Jonathan Crussell, Jeremy Erickson, and Hao Chen. Androidleaks: automatically detecting potential privacy leaks in android applications on a large scale. In International Conference on Trust and Trustworthy Computing, pages 291--307. Springer, 2012.Google ScholarDigital Library
- Stefan Gössling. Integrating e-scooters in urban transportation: Problems, policies, and the prospect of system change. Transportation Research Part D: Transport and Environment, 79:102230, 2020.Google ScholarCross Ref
- Jun Han, Emmanuel Owusu, Le T Nguyen, Adrian Perrig, and Joy Zhang. Accomplice: Location inference using accelerometers on smartphones. In 2012 Fourth International Conference on Communication Systems and Networks (COMSNETS 2012), pages 1--9. IEEE, 2012.Google ScholarCross Ref
- Hamza Harkous, Kassem Fawaz, Rémi Lebret, Florian Schaub, Kang G Shin, and Karl Aberer. Polisis: Automated analysis and presentation of privacy policies using deep learning. In 27th USENIX Security Symposium (USENIX Security 18), pages 531--548, 2018.Google Scholar
- Brenda Lynn Hoke. Comparison of recreational reading books levels using the fry readability graph and the flesch-kincaid grade level. 1999.Google Scholar
- Anett Hoppe, Jenny Knackmuß, Maik Morgenstern, and Reiner Creutzburg. Privacy issues in mobile health applications-assessment of current android health apps. Electronic Imaging, 2017(6):76--83, 2017.Google ScholarCross Ref
- Qiwei Jia, Lu Zhou, Huaxin Li, Ruoxu Yang, Suguo Du, and Haojin Zhu. Who leaks my privacy: Towards automatic and association detection with gdpr compliance. In International Conference on Wireless Algorithms, Systems, and Applications, pages 137--148. Springer, 2019.Google ScholarCross Ref
- Kuyju Kim, Taeyun Kim, Seungjin Lee, Soolin Kim, and Hyoungshick Kim. When harry met tinder: Security analysis of dating apps on android. In Nordic Conference on Secure IT Systems, pages 454--467. Springer, 2018.Google ScholarCross Ref
- Jenny Knackmuss, Eric Clausing, and Reiner Creutzburg. Investigation of security relevant aspects of android ehealthapps: permissions, storage properties and data transmission. Electronic Imaging, 2017(6):65--75, 2017.Google ScholarCross Ref
- Lime. Electric Scooter Sharing. https://www.li.me/electric-scooter, 2020. [Online; accessed 19-June-2021].Google Scholar
- Andreas Löcken, Pascal Brunner, and Ronald Kates. Impact of hand signals on safety: Two controlled studies with novice e-scooter riders. In 12th International Conference on Automotive User Interfaces and Interactive Vehicular Applications, pages 132--140, 2020.Google ScholarDigital Library
- Anindya Maiti, Oscar Armbruster, Murtuza Jadliwala, and Jibo He. Smartwatch-based keystroke inference attacks and context-aware protection mechanisms. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, pages 795--806, 2016.Google ScholarDigital Library
- Anindya Maiti, Nisha Vinayaga-Sureshkanth, Murtuza Jadliwala, Raveen Wijewickrama, and Greg P Griffin. Impact of e-scooters on pedestrian safety: A field study using pedestrian crowd-sensing. arXiv preprint arXiv:1908.05846, 2019.Google Scholar
- Peder Lind Mangset. Analysis of mobile application's compliance with the general data protection regulation (gdpr). Master's thesis, NTNU, 2018.Google Scholar
- Nicholas Mata, Nicole Beebe, and Kim-Kwang Raymond Choo. Are your neighbors swingers or kinksters? feeld app forensic analysis. In 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE), pages 1433--1439. IEEE, 2018.Google ScholarCross Ref
- Yan Michalevsky, Dan Boneh, and Gabi Nakibly. Gyrophone: Recognizing speech from gyroscope signals. In 23rd USENIX Security Symposium (USENIX Security 14), pages 1053--1067, 2014.Google Scholar
- National Association of City Transportation Officials. Shared Micromobility in the U.S.: 2019. https://nacto.org/shared-micromobility-2019, 2019. [Online; accessed 11-May-2021].Google Scholar
- Achilleas Papageorgiou, Michael Strigkos, Eugenia Politou, Efthimios Alepis, Agusti Solanas, and Constantinos Patsakis. Security and privacy analysis of mobile health applications: the alarming state of practice. IEEE Access, 6:9390--9403, 2018.Google ScholarCross Ref
- Nishant Das Patnaik. AppMon. https://github.com/dpnishant/appmon, 2021. [Online; accessed 23-June-2021].Google Scholar
- Constantinos Patsakis, Athanasios Zigomitros, and Agusti Solanas. Analysis of privacy and security exposure in mobile dating applications. In International Conference on Mobile, Secure and Programmable Networking, pages 151--162. Springer, 2015.Google ScholarDigital Library
- Andrew Boyles Petersen. Scoot over smart devices: The invisible costs of rental scooters. Surveillance & Society, 17(1/2):191--197, 2019.Google ScholarCross Ref
- Carnegie Mellon University PrivacyGrade. Grading The Privacy Of Smartphone Apps. http://privacygrade.org/, 2015. [Online; accessed 11-May-2021].Google Scholar
- Haystack Project. Lumen Privacy Monitor. https://www.icsi.berkeley.edu/icsi/projects/networking/haystack, 2021. [Online; accessed 22-June-2021].Google Scholar
- Lina Qiu, Yingying Wang, and Julia Rubin. Analyzing the analyzers: Flowdroid/iccta, amandroid, and droidsafe. In Proceedings of the 27th ACM SIGSOFT International Symposium on Software Testing and Analysis, pages 176--186, 2018.Google ScholarDigital Library
- Zhengyang Qu, Vaibhav Rastogi, Xinyi Zhang, Yan Chen, Tiantian Zhu, and Zhong Chen. Autocog: Measuring the description-to-permission fidelity in android applications. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1354--1365, 2014.Google ScholarDigital Library
- Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo Vallina-Rodriguez, and Serge Egelman. 50 ways to leak your data: An exploration of apps' circumvention of the android permissions system. In 28th USENIX Security Symposium (USENIX Security 19), pages 603--620, 2019.Google Scholar
- Research and Markets. Micromobility Telematics Market Research Report: By Service Type, Offering, Technology, Sharing Type - Global Industry Trends Analysis and Revenue Forecast to 2030. https://www.researchandmarkets.com/reports/5331633/micromobility-telematics-market-research-report, 2020. [Online; accessed 10-June-2020].Google Scholar
- Irwin Reyes, Primal Wijesekera, Joel Reardon, Amit Elazari Bar On, Abbas Razaghpanah, Narseo Vallina-Rodriguez, and Serge Egelman. "won't somebody think of the children?" examining coppa compliance at scale. Proceedings on Privacy Enhancing Technologies, 2018(3):63--83, 2018.Google ScholarCross Ref
- Julie M Robillard, Tanya L Feng, Arlo B Sporn, Jen-Ai Lai, Cody Lo, Monica Ta, and Roland Nadler. Availability, readability, and content of privacy policies and terms of agreements of mental health apps. Internet Interventions, 17:100243, 2019.Google ScholarCross Ref
- Luc Rocher, Meenatchi Sundaram Muthu, and Yves-Alexandre de Montjoye. The observatory of anonymity: An interactive tool to understand re-identification risks in 89 countries. In Companion Proceedings of the Web Conference 2021, pages 687--689, 2021.Google ScholarDigital Library
- Manuel Rudolph, Denis Feth, and Svenja Polst. Why users ignore privacy policies--a survey and intention model for explaining user privacy behavior. In International Conference on Human-Computer Interaction, pages 587--598. Springer, 2018.Google ScholarDigital Library
- RJ Senter and Edgar A Smith. Automated readability index. Technical report, University of Cincinnati, Ohio, 1967.Google Scholar
- Hossain Shahriar, Md Arabin Talukder, and Md Saiful Islam. An exploratory analysis of mobile security tools. In KSU Proceedings on Cybersecurity Education, Research and Practice. 4, 2019.Google Scholar
- Randi Shedlosky-Shoemaker, Amy Curry Sturm, Muniba Saleem, and Kimberly M. Kelly. Tools for assessing readability and quality of health-related web sites. Journal of Genetic Counseling, 18(1):49--59, 2009.Google ScholarCross Ref
- Ravi Inder Singh, Manasa Sumeeth, and James Miller. Evaluating the readability of privacy policies in mobile environments. International Journal of Mobile Human Computer Interaction (IJMHCI), 3(1):55--78, 2011.Google ScholarDigital Library
- Rocky Slavin, Xiaoyin Wang, Mitra Bokaei Hosseini, James Hester, Ram Krishnan, Jaspreet Bhatia, Travis D Breaux, and Jianwei Niu. Toward a framework for detecting privacy policy violations in android application code. In Proceedings of the 38th International Conference on Software Engineering, pages 25--36, 2016.Google ScholarDigital Library
- Peter Story, Sebastian Zimmeck, and Norman Sadeh. Which apps have privacy policies? In Annual Privacy Forum, pages 3--23. Springer, 2018.Google Scholar
- Xiaoyu Sun, Li Li, Tegawendé F Bissyandé, Jacques Klein, Damien Octeau, and John Grundy. Taming reflection: An essential step toward whole-program analysis of android apps. ACM Transactions on Software Engineering and Methodology (TOSEM), 30(3):1--36, 2021.Google Scholar
- Junwei Tang, Ruixuan Li, Hongmu Han, Heng Zhang, and Xiwu Gu. Detecting permission over-claim of android applications with static and semantic analysis approach. In 2017 IEEE Trustcom/BigDataSE/ICESS, pages 706--713. IEEE, 2017.Google ScholarCross Ref
- Sylvaine Tuncer and Barry Brown. E-scooters on the ground: Lessons for redesigning urban micro-mobility. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems, pages 1--14, 2020.Google ScholarDigital Library
- Narseo Vallina-Rodriguez. Illuminating the third party mobile ecosystem with the lumen privacy monitor. 2017.Google Scholar
- Haoyu Wang, Zhe Liu, Jingyue Liang, Narseo Vallina-Rodriguez, Yao Guo, Li Li, Juan Tapiador, Jingcun Cao, and Guoai Xu. Beyond google play: A large-scale comparative study of chinese android app markets. In Proceedings of the Internet Measurement Conference 2018, pages 293--307, 2018.Google ScholarDigital Library
- Robert T Williams. A table for rapid determination of revised dale-chall readability scores. The Reading Teacher, 26(2):158--165, 1972.Google Scholar
- Hong Yang, Qingyu Ma, Zhenyu Wang, Qing Cai, Kun Xie, and Di Yang. Safety of micro-mobility: analysis of e-scooter crashes by mining news reports. Accident Analysis & Prevention, 143:105608, 2020.Google ScholarCross Ref
- Xueling Zhang, Xiaoyin Wang, Rocky Slavin, Travis Breaux, and Jianwei Niu. How does misconfiguration of analytic services compromise mobile privacy? ICSE '20, page 1572--1583, New York, NY, USA, 2020. Association for Computing Machinery.Google ScholarDigital Library
- Zipeng Zhang and Xinyu Feng. Androidleaker: A hybrid checker for collusive leak in android applications. In International Symposium on Dependable Software Engineering: Theories, Tools, and Applications, pages 164--180. Springer, 2017.Google ScholarCross Ref
- Sebastian Zimmeck, Peter Story, Daniel Smullen, Abhilasha Ravichander, Ziqi Wang, Joel Reidenberg, N Cameron Russell, and Norman Sadeh. Maps: Scaling privacy compliance analysis to a million apps. Proceedings on Privacy Enhancing Technologies, 2019(3):66--86, 2019.Google ScholarCross Ref
Index Terms
- An Investigative Study on the Privacy Implications of Mobile E-scooter Rental Apps
Recommendations
A privacy preserving rental system
ISC'05: Proceedings of the 8th international conference on Information SecurityRental records contain much sensitive information on individuals, so if abused by the rental service providers, user privacy could be jeopardized. To mitigate this concern, we present a privacy preserving rental system where interests of both the users ...
A Study of User Privacy in Android Mobile AR Apps
ASE '22: Proceedings of the 37th IEEE/ACM International Conference on Automated Software EngineeringWith the development of augmented reality (AR) technology, the use of mobile AR applications (MAR apps) is rising rapidly in various aspects of people’s everyday lives, such as games, shopping, and education. When compared to traditional apps, AR apps ...
Serving Mobile Apps: A Slice at a Time
EuroSys '19: Proceedings of the Fourteenth EuroSys Conference 2019End users wanting to do more and more with mobile apps has led to explosive growth in the number of available apps. This has widened the gap between developers making apps available and end users being able to install all the apps they want on their ...
Comments