The continuing shift to mobile computing and the proliferation of smartphones has raised a slew of privacy and security concerns around the way that mobile devices and applications handle users’ data and personal information. A group of researchers from North Carolina State University has developed a method for addressing the problem on Android devices by giving users granular control of how apps can behave on their devices.
The researchers’ work centers on an application that users could install on Android phones that would act as a kind of intermediary between apps and the phone itself. The tool would enable users to grant and revoke specific privacy-related permissions to individual apps and also give them the option of providing sanitized or fake location and other data.
In their paper, “Taming Information-Stealing Smartphone Applications (on Android)“, the researchers say that the tool is meant to help prevent information leakage by mobile apps and give users better control of the way that their information is used by those apps. The tool developed by the researchers is a proof-of-concept at this point and isn’t available in the Android Market.
“It’s a very coarse-grained model that Google provided on Android. They needed to get something that worked rather than something that was perfected,” said Vincent Freeh, an associate professor at NC State, who co-authored the paper with Yajin Zhou and Xuxian Jiang of NCSU and Xinwen Zhang of Huawei America Research Center. “The first model has many good things. They established a model and at least didn’t ignore it. But it doesn’t support enough use cases. It’s either allow the app to do everything or don’t install it.”
The way that the TISSA tool works is that it enables the user to go in and decide precisely which kind of data he wants to supply to the app. For example, an application may request permission to access the phone’s identifier, its fine-grained location, the user’s contacts and its call log. The user can then go into the TISSA interface and decide, for each of those permission requests, whether to supply the app with real data, fake data, no data or anonymized data.
The researchers tested the TISSA privacy system on a Nexus One Android handset and used a number of apps that have been reported as leaking data, as well as some that aren’t publicly known to leak user information. They found that the tool was effective at preventing the apps from accessing any data that the user didn’t want them to access.
A user might want to give a weather app the real location of the phone in order to get an accurate forecast, but would rather supply fake or anonymized phone identity data. The user can adjust the settings at any time.
“We got a workable solution that allows you to adjust for granularity per app and tweak each component you’re authorizing,” Freeh said. “You can do it temporally and allow it at certain times. I’m excited by what’s happening with mobile apps, but I want to know what’s going on in terms of the data they can access. You now have a full computer in your pocket all the time that knows everything about you.”