Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Christos Perentis,Michele Vescovi,Chiara Leonardi,Corrado Moiso,Mirco Musolesi,Fabio Pianesi,Bruno Lepri

DOI: https://doi.org/10.1145/3017431

IF: 5.3

2017-05-28

ACM Transactions on Internet Technology

Abstract:The wide adoption of mobile devices and social media platforms have dramatically increased the collection and sharing of personal information. More and more frequently, users are called to make decisions concerning the disclosure of their personal information. In this study, we investigate the factors affecting users’ choices toward the disclosure of their personal data, including not only their demographic and self-reported individual characteristics, but also their social interactions and their mobility patterns inferred from months of mobile phone data activity. We report the findings of a field study conducted with a community of 63 subjects provided with (i) a smart-phone and (ii) a Personal Data Store (PDS) enabling them to control the disclosure of their data. We monitor the sharing behavior of our participants through the PDS and evaluate the contribution of different factors affecting their disclosing choices of location and social interaction data. Our analysis shows that social interaction inferred by mobile phones is an important factor revealing willingness to share, regardless of the data type. In addition, we provide further insights on the individual traits relevant to the prediction of sharing behavior.

computer science, information systems, software engineering

Evita Bakopoulou,Anastasia Shuba,Athina Markopoulou

DOI: https://doi.org/10.48550/arXiv.2008.08973

2020-08-19

Cryptography and Security

Abstract:Mobile devices have access to personal, potentially sensitive data, and there is a large number of mobile applications and third-party libraries that transmit this information over the network to remote servers (including app developer servers and third party servers). In this paper, we are interested in better understanding of not just the extent of personally identifiable information (PII) exposure, but also its context i.e., functionality of the app, destination server, encryption used, etc.) and the risk perceived by mobile users today. To that end we take two steps. First, we perform a measurement study: we collect a new dataset via manual and automatic testing and capture the exposure of 16 PII types from 400 most popular Android apps. We analyze these exposures and provide insights into the extent and patterns of mobile apps sharing PII, which can be later used for prediction and prevention. Second, we perform a user study with 220 participants on Amazon Mechanical Turk: we summarize the results of the measurement study in categories, present them in a realistic context, and assess users' understanding, concern, and willingness to take action. To the best of our knowledge, our user study is the first to collect and analyze user input in such fine granularity and on actual (not just potential or permitted) privacy exposures on mobile devices. Although many users did not initially understand the full implications of their PII being exposed, after being better informed through the study, they became appreciative and interested in better privacy practices.

Vladimir Stanisavljevic,,Bruno Tekić Sauerborn,

DOI: https://doi.org/10.54820/entrenova-2023-0013

2023-12-15

ENTRENOVA - ENTerprise REsearch InNOVAtion

Abstract:The non-certified e-health segment is gaining momentum around the world. The trend was significantly advanced by the introduction of several sports and medical measuring devices in the form of smartwatches. There has also been a resurgence of other medical Internet of Things class devices. Several devices connect to a product or platform-specific online (Cloud) service for storing, exchanging, analysing and monitoring the customer-collected e-health data. The devices and the data collected allow the consumers to continuously track their sports achievements, movement, vital signs, essential health state, etc. while receiving some recommendations and warnings based on the measurements. As some recent examples showed, the data collected can contain sensitive information that could be used creatively and unexpectedly, either positively or negatively. Unlike professional healthcare systems, which should comply with the strict GDPR, there is much less pressure on commercial entities in the consumer technological sector to provide more privacy options for data collection through their devices. In this work, we analyse the data typically collected by consumer e-health devices and assess possible risks that commercial entities present to their customer in unauthorised use of the data for their commercial advances. They use obscure legal language to prevent users from consenting to various data usages while providing primary data storing functionality. Moreover, there is a significant risk of using the data for repression in some contexts. We analyse the sector's current state and provide some recommendations to consumers and legislation to improve consumer rights to privacy while enhancing their health. At the same time, we recommend how the professional health sector should benefit from the collected data to improve their operations.

Kirsten Crager,Anindya Maiti,Murtuza Jadliwala,Jibo He

DOI: https://doi.org/10.14722/eurousec.2017.23013

2017-01-01

Abstract:Smart phones and wearable devices have replaced personal computers and desktops as the primary platform for accessing online applications and services.However, these mobile devices bring forth new and additional forms of security and privacy risks, which were non-existent in traditional personal computers.For instance, several recent research efforts have shown that motion sensors such as accelerometer and gyroscope on-board these mobile and wearable devices can be maliciously used to infer private information from users' keystrokes (e.g., PINs and passwords).The problem is that, unlike traditional security and privacy risks that are typically associated with personal computers, most users may not be aware of these novel risks associated with mobile devices.An adversary may use this lack of user-awareness to target specific user-demographics for successfully carrying out such attacks.There has been some progress in the direction of protection mechanisms against such attacks, however, without user-awareness these protection mechanisms are unlikely to be used effectively (if at all).In order to further understand these issues, we conduct a structured and comprehensive user-study involving users from diverse demographic backgrounds to investigate userawareness and perceptions related to mobile motion sensor based privacy risks, and how these vary across different demographics.By means of our study, we also gain insight on users' expectations from defense mechanisms that can protect against such attacks.Results of our study can be used to increase awareness (about such risks) among the less-aware user demographies, and in designing effective and usable protection mechanisms as per user-expectations.

Keith Davis,Tuukka Ruotsalo

DOI: https://doi.org/10.1109/MC.2024.3404994

2024-05-24

Abstract:Wearable devices that measure and record physiological signals are now becoming widely available to the general public with ever-increasing affordability and signal quality. The data from these devices introduce serious ethical challenges that remain largely unaddressed. Users do not always understand how these data can be leveraged to reveal private information about them and developers of these devices may not fully grasp how physiological data collected today could be used in the future for completely different purposes. We discuss the potential for wearable devices, initially designed to help users improve their well-being or enhance the experience of some digital application, to be appropriated in ways that extend far beyond their original intended purpose. We identify how the currently available technology can be misused, discuss how pairing physiological data with non-physiological data can radically expand the predictive capacity of physiological wearables, and explore the implications of these expanded capacities for a variety of stakeholders.

Computers and Society

Simone Tonti,Brunella Marzolini,Maria Bulgheroni

DOI: https://doi.org/10.2196/preprints.15417

2019-07-10

Abstract:BACKGROUND Smartphone use is widely spreading in society. Their embedded functions and sensors may play an important role in therapy monitoring and planning. However, the use of smartphones for intrapersonal behavioral and physical monitoring is not yet fully supported by adequate studies addressing technical reliability and acceptance. OBJECTIVE The objective of this paper is to identify and discuss technical issues that may impact on the wide use of smartphones as clinical monitoring tools. The focus is on the quality of the data and transparency of the acquisition process. METHODS QuantifyMyPerson is a platform for continuous monitoring of smartphone use and embedded sensors data. The platform consists of an app for data acquisition, a backend cloud server for data storage and processing, and a web-based dashboard for data management and visualization. The data processing aims to extract meaningful features for the description of daily life such as phone status, calls, app use, GPS, and accelerometer data. A total of health subjects installed the app on their smartphones, running it for 7 months. The acquired data were analyzed to assess impact on smartphone performance (ie, battery consumption and anomalies in functioning) and data integrity. Relevance of the selected features in describing changes in daily life was assessed through the computation of a k-nearest neighbors global anomaly score to detect days that differ from others. RESULTS The effectiveness of smartphone-based monitoring depends on the acceptability and interoperability of the system as user retention and data integrity are key aspects. Acceptability was confirmed by the full transparency of the app and the absence of any conflicts with daily smartphone use. The only perceived issue was the battery consumption even though the trend of battery drain with and without the app running was comparable. Regarding interoperability, the app was successfully installed and run on several Android brands. The study shows that some smartphone manufacturers implement power-saving policies not allowing continuous sensor data acquisition and impacting integrity. Data integrity was 96% on smartphones whose power-saving policies do not impact the embedded sensor management and 84% overall. CONCLUSIONS The main technological barriers to continuous behavioral and physical monitoring (ie, battery consumption and power-saving policies of manufacturers) may be overcome. Battery consumption increase is mainly due to GPS triangulation and may be limited, while data missing because of power-saving policies are related only to periods of nonuse of the phone since the embedded sensors are reactivated by any smartphone event. Overall, smartphone-based passive sensing is fully feasible and scalable despite the Android market fragmentation.

Yun Shen,Pierre-Antoine Vervier,Gianluca Stringhini

DOI: https://doi.org/10.48550/arXiv.2102.12869

2021-02-25

Abstract:Mobile phones enable the collection of a wealth of private information, from unique identifiers (e.g., email addresses), to a user's location, to their text messages. This information can be harvested by apps and sent to third parties, which can use it for a variety of purposes. In this paper we perform the largest study of private information collection (PIC) on Android to date. Leveraging an anonymized dataset collected from the customers of a popular mobile security product, we analyze the flows of sensitive information generated by 2.1M unique apps installed by 17.3M users over a period of 21 months between 2018 and 2019. We find that 87.2% of all devices send private information to at least five different domains, and that actors active in different regions (e.g., Asia compared to Europe) are interested in collecting different types of information. The United States (62% of the total) and China (7% of total flows) are the countries that collect most private information. Our findings raise issues regarding data regulation, and would encourage policymakers to further regulate how private information is used by and shared among the companies and how accountability can be truly guaranteed.

Cryptography and Security

Maximilian Zinkus,Tushar M. Jois,Matthew Green

DOI: https://doi.org/10.48550/arXiv.2105.12613

2021-05-26

Abstract:In this work we present definitive evidence, analysis, and (where needed) speculation to answer the questions, (1) Which concrete security measures in mobile devices meaningfully prevent unauthorized access to user data? (2) In what ways are modern mobile devices accessed by unauthorized parties? (3) How can we improve modern mobile devices to prevent unauthorized access? We examine the two major platforms in the mobile space, iOS and Android, and for each we provide a thorough investigation of existing and historical security features, evidence-based discussion of known security bypass techniques, and concrete recommendations for remediation. We then aggregate and analyze public records, documentation, articles, and blog postings to categorize and discuss unauthorized bypass of security features by hackers and law enforcement alike. We provide in-depth analysis of the data potentially accessed via law enforcement methodologies from both mobile devices and associated cloud services. Our fact-gathering and analysis allow us to make a number of recommendations for improving data security on these devices. The mitigations we propose can be largely summarized as increasing coverage of sensitive data via strong encryption, but we detail various challenges and approaches towards this goal and others. It is our hope that this work stimulates mobile device development and research towards security and privacy, provides a unique reference of information, and acts as an evidence-based argument for the importance of reliable encryption to privacy, which we believe is both a human right and integral to a functioning democracy.

Cryptography and Security,Computers and Society

Simone Tonti,Brunella Marzolini,Maria Bulgheroni

DOI: https://doi.org/10.2196/15417

2021-05-11

JMIR Biomedical Engineering

Abstract:Background Smartphone use is widely spreading in society. Their embedded functions and sensors may play an important role in therapy monitoring and planning. However, the use of smartphones for intrapersonal behavioral and physical monitoring is not yet fully supported by adequate studies addressing technical reliability and acceptance. Objective The objective of this paper is to identify and discuss technical issues that may impact on the wide use of smartphones as clinical monitoring tools. The focus is on the quality of the data and transparency of the acquisition process. Methods QuantifyMyPerson is a platform for continuous monitoring of smartphone use and embedded sensors data. The platform consists of an app for data acquisition, a backend cloud server for data storage and processing, and a web-based dashboard for data management and visualization. The data processing aims to extract meaningful features for the description of daily life such as phone status, calls, app use, GPS, and accelerometer data. A total of health subjects installed the app on their smartphones, running it for 7 months. The acquired data were analyzed to assess impact on smartphone performance (ie, battery consumption and anomalies in functioning) and data integrity. Relevance of the selected features in describing changes in daily life was assessed through the computation of a k-nearest neighbors global anomaly score to detect days that differ from others. Results The effectiveness of smartphone-based monitoring depends on the acceptability and interoperability of the system as user retention and data integrity are key aspects. Acceptability was confirmed by the full transparency of the app and the absence of any conflicts with daily smartphone use. The only perceived issue was the battery consumption even though the trend of battery drain with and without the app running was comparable. Regarding interoperability, the app was successfully installed and run on several Android brands. The study shows that some smartphone manufacturers implement power-saving policies not allowing continuous sensor data acquisition and impacting integrity. Data integrity was 96% on smartphones whose power-saving policies do not impact the embedded sensor management and 84% overall. Conclusions The main technological barriers to continuous behavioral and physical monitoring (ie, battery consumption and power-saving policies of manufacturers) may be overcome. Battery consumption increase is mainly due to GPS triangulation and may be limited, while data missing because of power-saving policies are related only to periods of nonuse of the phone since the embedded sensors are reactivated by any smartphone event. Overall, smartphone-based passive sensing is fully feasible and scalable despite the Android market fragmentation.

Mugdha Khedkar,Ambuj Kumar Mondal,Eric Bodden

2024-09-06

Abstract:Many Android applications collect data from users. The European Union's General Data Protection Regulation (GDPR) requires vendors to faithfully disclose which data their apps collect. This task is complicated because many apps use third-party code for which the same information is not readily available. Hence we ask: how accurately do current Android apps fulfill these requirements? In this work, we first expose a multi-layered definition of privacy-related data to correctly report data collection in Android apps. We further create a dataset of privacy-sensitive data classes that may be used as input by an Android app. This dataset takes into account data collected both through the user interface and system APIs. We manually examine the data safety sections of 70 Android apps to observe how data collection is reported, identifying instances of over- and under-reporting. Additionally, we develop a prototype to statically extract and label privacy-related data collected via app source code, user interfaces, and permissions. Comparing the prototype's results with the data safety sections of 20 apps reveals reporting discrepancies. Using the results from two Messaging and Social Media apps (Signal and Instagram), we discuss how app developers under-report and over-report data collection, respectively, and identify inaccurately reported data categories. Our results show that app developers struggle to accurately report data collection, either due to Google's abstract definition of collected data or insufficient existing tool support.

Cryptography and Security

Gioacchino Tangari,Muhammad Ikram,Kiran Ijaz,Mohamed Ali Kaafar,Shlomo Berkovsky

DOI: https://doi.org/10.1136/bmj.n1248

2021-06-16

BMJ

Abstract:Abstract Objectives To investigate whether and what user data are collected by health related mobile applications (mHealth apps), to characterise the privacy conduct of all the available mHealth apps on Google Play, and to gauge the associated risks to privacy. Design Cross sectional study Setting Health related apps developed for the Android mobile platform, available in the Google Play store in Australia and belonging to the medical and health and fitness categories. Participants Users of 20 991 mHealth apps (8074 medical and 12 917 health and fitness found in the Google Play store: in-depth analysis was done on 15 838 apps that did not require a download or subscription fee compared with 8468 baseline non-mHealth apps. Main outcome measures Primary outcomes were characterisation of the data collection operations in the apps code and of the data transmissions in the apps traffic; analysis of the primary recipients for each type of user data; presence of adverts and trackers in the app traffic; audit of the app privacy policy and compliance of the privacy conduct with the policy; and analysis of complaints in negative app reviews. Results 88.0% (n=18 472) of mHealth apps included code that could potentially collect user data. 3.9% (n=616) of apps transmitted user information in their traffic. Most data collection operations in apps code and data transmissions in apps traffic involved external service providers (third parties). The top 50 third parties were responsible for most of the data collection operations in app code and data transmissions in app traffic (68.0% (2140), collectively). 23.0% (724) of user data transmissions occurred on insecure communication protocols. 28.1% (5903) of apps provided no privacy policies, whereas 47.0% (1479) of user data transmissions complied with the privacy policy. 1.3% (3609) of user reviews raised concerns about privacy. Conclusions This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps.

Alan Ferrari,Silvia Giordano

DOI: https://doi.org/10.48550/arXiv.1809.00392

2018-09-02

Computers and Society

Abstract:Nowadays, privacy has become a very serious issue with smart and mobile platforms. Users tend to allow intrusive apps access much sensible information without really knowing the potential threats. To solve this issue several solutions (e.g. GDPR) have been provided. Our claim is that the users currently are not sufficiently involved in this process for being able to use such solutions. To do this we developed an application that provides a form of awareness to the users and we asked them to reply a set of questions. Our conclusions are that users must be better informed of the risks and value of their personal information.

Haoyu Liu,Paul Patras,Douglas J Leith

DOI: https://doi.org/10.1371/journal.pone.0279942

IF: 3.7

2023-01-18

PLoS ONE

Abstract:In this paper we present the first in-depth measurement study looking at the data privacy practices of the proprietary variants of the Android OS produced by Samsung, Xiaomi, Huawei and Realme. We address two questions: how are identifiers used in network connections and what types of data are transmitted. To answer these, we decrypt and decode the network traffic transmitted by a range of Android handsets. We find that all of the OEMs make undue use of long-lived hardware identifiers such as the hardware serial number, handset IMEI and so fail to follow best privacy practice. Hardware identifiers are also linked to the handset user's real identity when they sign in to an OEM account on the handset. All of the OEMs collect the list of apps installed in a handset. This is a privacy concern since the list of installed apps can be used to profile user traits and preferences. All of the OEMs collect analytics/telemetry data, raising obvious privacy concerns.

Roberto González,Siugmin Lay,Jonathan Huck,John Dixon

DOI: https://doi.org/10.1037/amp0001194

IF: 16.358

2024-01-19

American Psychologist

Abstract:The advent of mobile smartphones and similar technology has opened new opportunities for studying human mobility within psychology and companion disciplines such as human geography, demography, and sociology. This article examines how such research raises novel ethical concerns. To do so, we outline two research projects: one based in Northern Ireland (The Belfast Mobility Project) and the other in Chile (The Norm-Contact Mobility Project), drawing concrete examples of the ethical challenges encountered throughout both projects, which used global navigational satellite systems as a tool for data collection. We discuss new threats to participant confidentiality and anonymity, problems of "unanticipated" data collection and exploitation, emerging difficulties in achieving properly informed consent, and concerns regarding the representation of vulnerable populations with limited access to smartphones and a legitimate fear of surveillance. We also reflect on the different measures we took to tackle these challenges and discuss the importance of implementing wider changes in the protocols associated with basic ethical research principles. (PsycInfo Database Record (c) 2024 APA, all rights reserved)

psychology, multidisciplinary

Heng Zhang,Ahmed Ibrahim,Bijan Parsia,Ellen Poliakoff,Simon Harper

DOI: https://doi.org/10.2196/preprints.20539

2020-05-21

Abstract:BACKGROUND Smartphones are widely used and have become hubs of personal communication. Combined with multiple sensors, they are capable of monitoring social interaction passively. OBJECTIVE To review the published empirical English literature of social sensing with smartphones passively. METHODS Following the PRISMA guidelines, we constructed a search string considering variations of the term smartphone. The search was conducted in ACM Digitial Library, IEEE Xplore and Web of Science. Snowballing method was also applied following Wohlin guidelines after the initial search. Papers were included if they were empirical, only used sensors on smartphones to collect data, measuring social interaction or social activity level, required minimum user interaction and described as passive. RESULTS The search produced 688 results, of which 15 eligible articles were identified, two more articles were added from the snowballing. Participants of included studies range from 5 to 163, and described experiments length range from two weeks to two years. The aim of all studies is to understand human social behaviours, especially, some of them correlate social interaction levels with health-related topics. Android is the most popular operating system for capturing calls, messages and Bluetooth data, which are the three most frequently used sensors. Various data analysis methods, including simple as correlation, complex as machine learning, have been utilized. Benefits such as ubiquitousness, unobtrusiveness, powerfulness, and continuity and challenges such as privacy, accuracy and methodology were reported and summarized from reviewed studies. CONCLUSIONS Although the reviewed studies confirmed the feasibility and validity of passive smartphone social sensing, they suffered from issues of sensing strategy, privacy concerns, sample sizes, the significance of experiments and data integrity. The recommendation is to conduct more research on a theoretical basis, build personalized models and implement state-of-art technologies. The smartphone social sensing technology provides innovative opportunities to measure human social behaviour objectively. It has a promising future with concerns including methodology, privacy and evolvement addressed by interdisciplinary collaborations between technology experts, computer scientists and psychologists.

Nada Farag,Alycia Noë,Dimitri Patrinos,Ma'n H Zawati

DOI: https://doi.org/10.1007/s41649-024-00296-3

2024-06-18

Abstract:More than 5 billion people in the world own a smartphone. More than half of these have been used to collect and process health-related data. As such, the existing volume of potentially exploitable health data is unprecedentedly large and growing rapidly. Mobile health applications (apps) on smartphones are some of the worst offenders and are increasingly being used for gathering and exchanging significant amounts of personal health data from the public. This data is often utilized for health research purposes and for algorithm training. While there are advantages to utilizing this data for expanding health knowledge, there are associated risks for the users of these apps, such as privacy concerns and the protection of their data. Consequently, gaining a deeper comprehension of how apps collect and crowdsource data is crucial. To explore how apps are crowdsourcing data and to identify potential ethical, legal, and social issues (ELSI), we conducted an examination of the Apple App Store and the Google Play Store in North America and Europe to identify apps that could potentially gather health data through crowdsourcing. Subsequently, we analyzed their privacy policies, terms of use, and other related documentation to gain insights into the utilization of users' data and the possibility of repurposing it for research or algorithm training purposes. More specifically, we reviewed privacy policies to identify clauses pertaining to the following key categories: research, data sharing, privacy/confidentiality, commercialization, and return of findings. Based on the results of these app search, we developed an App Atlas that presents apps which crowdsource data for research or algorithm training. We identified 46 apps available in the European and Canadian markets that either openly crowdsource health data for research or algorithm training or retain the legal or technical capability to do so. This app search showed an overall lack of consistency and transparency in privacy policies that poses challenges to user comprehensibility, trust, and informed consent. A significant proportion of applications presented contradictions or exhibited considerable ambiguity. For instance, the vast majority of privacy policies in the App Atlas contain ambiguous or contradictory language regarding the sharing of users' data with third parties. This raises a number of ethico-legal concerns which will require further academic and policy attention to ensure a balance between protecting individual interests and maximizing the scientific utility of crowdsourced data. This article represents a key first step in better understanding these concerns and bringing attention to this important issue. Supplementary information: The online version contains supplementary material available at 10.1007/s41649-024-00296-3.

Michalis Diamantaris,Francesco Marcantoni,Sotiris Ioannidis,Jason Polakis

DOI: https://doi.org/10.1145/3403947

IF: 2.717

2020-08-28

ACM Transactions on Privacy and Security

Abstract:Modern smartphone sensors can be leveraged for providing novel functionality and greatly improving the user experience. However, sensor data can be misused by privacy-invasive or malicious entities. Additionally, a wide range of other attacks that use mobile sensor data have been demonstrated; while those attacks have typically relied on users installing malicious apps, browsers have eliminated that constraint with the deployment of HTML5 WebAPI. In this article, we conduct a comprehensive evaluation of the multifaceted threat that mobile web browsing poses to users by conducting a large-scale study of mobile-specific HTML5 WebAPI calls across more than 183K of the most popular websites. We build a novel testing infrastructure consisting of actual smartphones on top of a dynamic Android app analysis framework, allowing us to conduct an end-to-end exploration. In detail, our system intercepts and tracks data access in real time, from the WebAPI JavaScript calls down to the Android system calls. Our study reveals the extent to which websites are actively leveraging the WebAPI for collecting sensor data, with 2.89% of websites accessing at least one sensor. To provide a comprehensive assessment of the risks of this emerging practice, we create a taxonomy of sensor-based attacks from prior studies and present an in-depth analysis by framing our collected data within that taxonomy. We find that 1.63% of websites can carry out at least one attack and emphasize the need for a standardized policy across all browsers and the ability for users to control what sensor data each website can access.

computer science, information systems

Yuhong Nan,Xueqiang Wang,Luyi Xing,Xiaojing Liao,Ruoyu Wu,Jianliang Wu,Yifan Zhang,XiaoFeng Wang

2023-01-01

Abstract:Recent research has highlighted privacy as a primary concern for IoT device users. However, due to the challenges in conducting a large-scale study to analyze thousands of devices, there has been less study on how pervasive unauthorized data exposure has actually become on today's IoT devices and the privacy implications of such exposure. To fill this gap, we leverage the observation that most IoT devices on the market today use their companion mobile apps as an intermediary to process, label and transmit the data they collect. As a result, the semantic information carried by these apps can be recovered and analyzed automatically to track the collection and sharing of IoT data. In this paper, we report the first of such a study, based upon a new framework IoTProfiler, which statically analyzes a large number of companion apps to infer and track the data collected by their IoT devices. Our approach utilizes machine learning to detect the code snippet in a companion app that handles IoT data and further recovers the semantics of the data from the snippet to evaluate whether their exposure has been properly communicated to the user. By running IoTPro-filer on 6,208 companion apps, our research has led to the discovery of 1,973 apps that expose user data without proper disclosure, covering IoT devices from at least 1,559 unique vendors. Our findings include highly sensitive information, such as health status and home address, and the pervasiveness of unauthorized sharing of the data to third parties, including those in different countries. Our findings highlight the urgent need to regulate today's IoT industry to protect user privacy.

S. Manimaran,D. Uma Priya

DOI: https://doi.org/10.1504/ijsnet.2024.142718

2024-11-27

International Journal of Sensor Networks

Abstract:Smartphone sensors act as vital sensing organs, enabling various mobile applications and activities. However, protecting the privacy of sensor data presents significant challenges that affect smartphone users and artificial intelligence (AI) applications. Unauthorised access to sensitive sensor information poses a major privacy concern. This paper focuses on addressing these issues by introducing a novel scheme that utilises homomorphic encryption (HE) to secure smartphone sensor data and protect user privacy. The method converts decimal values generated by sensors into integers, applying homomorphic encryption to ensure confidentiality and prevent personal information leakage. The proposed scheme employs the ElGamal cryptosystem, particularly suited for multiplication operations, allowing users to securely operate on encrypted data outside the smartphones. Experimental results demonstrate that this approach is highly effective, achieving elevated levels of security, privacy, and data confidentiality while guarding against information leaks.

computer science, information systems,telecommunications