Lin Yao,Xiangwei Kong,Guowei Wu,Qingna Fan,Chi Lin

DOI: https://doi.org/10.1007/s11767-008-0089-5

2010-01-01

Abstract:In pervasive computing environments, users can get services anytime and anywhere, but the ubiquity and mobility of the environments bring new security challenges. The user and the service provider do not know each other in advance, they should mutually authenticate each other. The service provider prefers to authenticate the user based on his identity while the user tends to stay anonymous. Privacy and security are two important but seemingly contradictory objectives. As a result, a user prefers not to expose any sensitive information to the service provider such as his physical location, ID and so on when being authenticated. In this paper, a highly flexible mutual authentication and key establishment protocol scheme based on biometric encryption and Diffie-Hellman key exchange to secure interactions between a user and a service provider is proposed. Not only can a user’s anonymous authentication be achieved, but also the public key cryptography operations can be reduced by adopting this scheme. Different access control policies for different services are enabled by using biometric encryption technique. The correctness of the proposed authentication and key establishment protocol is formally verified based on SVO logic.

Chao Wu,Yike Guo

DOI: https://doi.org/10.1109/bigdata.2013.6691688

2013-01-01

Abstract:Personal data collection is becoming pervasive these days, these data has the risk of being abused by current application and application marketplace model, because only the price of application is explicitly indicated without clear agreement on usage of data, and the granularity of data access authentication is not enough to protect users privacy. In this short paper, we propose a new model of user data privacy. Data usage of the application is explicitly shown, and controlled by an authentication service, to protect users from the abuse of their data, especially in mobile application.

Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Yajin Zhou,Kapil Singh,Xuxian Jiang

DOI: https://doi.org/10.1007/978-3-319-08593-7_4

2014-01-01

Abstract:Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an user's geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an app's interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including user's banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data. In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner's policies at strategic exit points. Based on this approach, we design and implement a system, called <Literal>DataChest</Literal>. We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.

Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/tvt.2006.877704

2005-01-01

Abstract:Privacy and security are two important but seemingly contradict objectives in pervasive computing environments (PCEs). On the one hand, service providers want to authenticate service users and make sure they are accessing only authorized services in a legitimate way. On the other hand, users want to maintain necessary privacy without being tracked down for wherever they are and whatever they are doing. In this paper we propose a novel privacy enhanced authentication and access control scheme to secure the interactions between mobile users and services in PCEs. The proposed scheme seamlessly integrates two underlying cryptographic primitives, blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. It provides explicit mutual authentication between a user and a service, while allowing the user to anonymously interact with the service. Differentiated service access control is also enabled in the proposed scheme by classifying mobile users into different service groups.

Yang Liu,Andrew Simpson

DOI: https://doi.org/10.1002/spe.2403

2016-01-01

Abstract:SummaryWith the continued proliferation of mobile devices, the collection of information associated with such devices and their users—such as location, installed applications and cookies associated with built‐in browsers—has become increasingly straightforward. By analysing such information, organisations are often able to deliver more relevant and better focused advertisements. Of course, such targeted mobile advertising gives rise to a number of concerns, with privacy‐related concerns being prominent. In this paper, we discuss the necessary balance that needs to be struck between privacy and utility in this emerging area and propose privacy‐preserving targeted mobile advertising as a solution that tries to achieve that balance. Our aim is to develop a solution that can be deployed by users but is also palatable to businesses that operate in this space. This paper focuses on the requirements and design of privacy‐preserving targeted mobile advertising and also describes an initial prototype. We also discuss how more detailed technical aspects and a complete evaluation will underpin our future work in this area. Copyright © 2016 John Wiley & Sons, Ltd.

Yao Guo,Li Zhang,Xiangqun Chen

DOI: https://doi.org/10.1145/2646584.2646590

2014-01-01

Abstract:As the development of mobile devices and applications, mobile privacy has become a very important issue. Current researches on mobile privacy mainly focus on potential leakages on a particular device. However, leakage of sensitive data on a mobile device not only violates the privacy of the phone (or data) owner, but also violates the privacy of many other people whose information are contained in the data directly or indirectly (they are called data involvers). To address such problems, we introduce a collaborative privacy management framework, which aims to provide fine-grained data privacy protection for both data owners and data involvers in a distributed manner. Based on individual privacy policies specified by each user, a collaborative privacy policy is generated and enforced on different devices automatically. As a proof-of-concept prototype, we implement the proposed framework on Android and demonstrate its applicability with two case studies.

Shidong Pan,Zhen Tao,Thong Hoang,Dawen Zhang,Tianshi Li,Zhenchang Xing,Sherry Xu,Mark Staples,Thierry Rakotoarivelo,David Lo

2024-02-22

Abstract:Privacy policies have emerged as the predominant approach to conveying privacy notices to mobile application users. In an effort to enhance both readability and user engagement, the concept of contextual privacy policies (CPPs) has been proposed by researchers. The aim of CPPs is to fragment privacy policies into concise snippets, displaying them only within the corresponding contexts within the application's graphical user interfaces (GUIs). In this paper, we first formulate CPP in mobile application scenario, and then present a novel multimodal framework, named SeePrivacy, specifically designed to automatically generate CPPs for mobile applications. This method uniquely integrates vision-based GUI understanding with privacy policy analysis, achieving 0.88 precision and 0.90 recall to detect contexts, as well as 0.98 precision and 0.96 recall in extracting corresponding policy segments. A human evaluation shows that 77% of the extracted privacy policy segments were perceived as well-aligned with the detected contexts. These findings suggest that SeePrivacy could serve as a significant tool for bolstering user interaction with, and understanding of, privacy policies. Furthermore, our solution has the potential to make privacy notices more accessible and inclusive, thus appealing to a broader demographic. A demonstration of our work can be accessed at https://cpp4app.github.io/SeePrivacy/

Software Engineering,Cryptography and Security

Xiuxia Tian,Chaofeng Sha,Xiaoling Wang,Aoying Zhou

DOI: https://doi.org/10.1109/ICWS.2011.46

2011-01-01

Abstract:With the convenient connection to network, more and more individual information including sensitive information, such as contact list in Mobile Phone or PDA, can be delegated to the professional third service provider to manage and maintain. The benefit of this paradigm is, on one hand to avoid the sensitive information leakage when individual devices failed or lost, on the other hand to make only the authorized users access and share the delegated information online anytime and anywhere. However, in this paradigm the critical problems to be resolved are to guarantee both the privacy of delegated individual information and the privacy of authorized users, and what is more important to afford the owners of communication devices to have high level of control and power to create their own particular access control policies. In this paper, we present an approach to implement the personalized access control at third service provider in a privacy preserving way. Our approach implements the critical problems above in this paradigm by using selective encryption, blind signature and the combination of role based access control and discretionary access control.

Jinsong Han,Yunhao Liu

DOI: https://doi.org/10.1109/tpds.2007.70805

IF: 5.3

2008-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Mobile Peer-to-Peer Networks (MOPNETs) have become popular applications due to their ease of communication and resource sharing patterns in unfixed network infrastructures. As privacy and security are coming under increasing attention, many mobile and ad hoc network protocols attempt to provide mutual anonymity for users. Most existing anonymous designs, however, are path based, where the anonymous communications are achieved via a predetermined path. Such a design suffers from unreliable delivery and high processing overheads and is not practical. We propose a scalable secret-sharing-based mutual anonymity protocol, termed PUZZLE, which enables anonymous query issuance and file delivery for MOPNETs in ad hoc environments by employing Shamir's secret sharing scheme. We present the design of PUZZLE, analyze its degree of security and anonymity, and evaluate its performance by comprehensive trace-driven simulations. Experimental results show that compared with previous designs, PUZZLE achieves mutual anonymous communications with a lower cryptography processing overhead and higher degree of anonymity.

Shidong Pan,Zhen Tao,Thong Hoang,Dawen Zhang,Zhenchang Xing,Xiwei Xu,Mark Staples,David Lo

2023-07-09

Abstract:Privacy policies have become the most critical approach to safeguarding individuals' privacy and digital security. To enhance their presentation and readability, researchers propose the concept of contextual privacy policies (CPPs), aiming to fragment policies into shorter snippets and display them only in corresponding contexts. In this paper, we propose a novel multi-modal framework, namely SeePrivacy, designed to automatically generate contextual privacy policies for mobile apps. Our method synergistically combines mobile GUI understanding and privacy policy document analysis, yielding an impressive overall 83.6% coverage rate for privacy-related context detection and an accuracy of 0.92 in extracting corresponding policy segments. Remarkably, 96% of the retrieved policy segments can be correctly matched with their contexts. The user study shows SeePrivacy demonstrates excellent functionality and usability (4.5/5). Specifically, participants exhibit a greater willingness to read CPPs (4.1/5) compared to original privacy policies (2/5). Our solution effectively assists users in comprehending privacy notices, and this research establishes a solid foundation for further advancements and exploration.

Cryptography and Security,Software Engineering

Abdulsalam Yassine

DOI: https://doi.org/10.48550/arXiv.1501.04850

2015-01-20

Software Engineering

Abstract:With the rapid development of applications in open distributed environments such as eCommerce, privacy of information is becoming a critical issue. Today, many online companies are gathering information and have assembled sophisticated databases that know a great deal about many people, generally without the knowledge of those people. Such information changes hands or ownership as a normal part of eCommerce transactions, or through strategic decisions that often includes the sale of users' information to other firms. The key commercial value of users' personal information derives from the ability of firms to identify consumers and charge them personalized prices for goods and services they have previously used or may wish to use in the future. A look at present-day practices reveals that consumers' profile data is now considered as one of the most valuable assets owned by online businesses. In this thesis, we argue the following: if consumers' private data is such a valuable asset, should they not be entitled to commercially benefit from their asset as well? The scope of this thesis is on developing architecture for privacy payoff as a means of rewarding consumers for sharing their personal information with online businesses. The architecture is a multi-agent system in which several agents employ various requirements for personal information valuation and interaction capabilities that most users cannot do on their own. The agents in the system bear the responsibility of working on behalf of consumers to categorize their personal data objects, report to consumers on online businesses' trustworthiness and reputation, determine the value of their compensation using risk-based financial models, and, finally, negotiate for a payoff value in return for the dissemination of users' information.

Jinghua Jiang,Yifeng Zheng,Zhenkui Shi,Xingliang Yuan,Xiaolin Gui,Cong Wang

DOI: https://doi.org/10.1109/TSC.2017.2697385

IF: 11.019

2020-01-01

IEEE Transactions on Services Computing

Abstract:With the prosperity of mobile application markets, mobile advertising is becoming an increasingly important economic force. In order to maximize revenue, ads are recommended to be delivered to potentially interested users, which requires user targeting, i.e., analyzing users profiles and exploring users interests. However, collecting user personal information for targeted mobile advertising services raises critical privacy concerns. Although some solutions like anonymization and obfuscation have been proposed for privacy-aware targeted advertising, they undesirably face the issues of security, efficiency, and/or ad relevance. In this paper, we propose a practical system enabling secure and efficient targeted mobile advertising services. It allows the ad network to perform accurate user targeting, while ensuring strong privacy protection for mobile users. Specifically, we show how to properly leverage a cryptographic primitive called private stream searching to support secure, accurate, and practical targeted mobile ad delivery. Moreover, we propose secure billing schemes to enable the ad network to charge advertisers in a privacy-preserving manner. The security strength of our system is thoroughly analyzed. Through extensive experiments, we show that our system achieves practical efficiency on mobile devices.

David Monschein,Oliver P. Waldhorst

DOI: https://doi.org/10.48550/arXiv.2210.04777

2022-10-07

Abstract:As nowadays most web application requests originate from mobile devices, authentication of mobile users is essential in terms of security considerations. To this end, recent approaches rely on machine learning techniques to analyze various aspects of user behavior as a basis for authentication decisions. These approaches face two challenges: first, examining behavioral data raises significant privacy concerns, and second, approaches must scale to support a large number of users. Existing approaches do not address these challenges sufficiently. We propose mPSAuth, an approach for continuously tracking various data sources reflecting user behavior (e.g., touchscreen interactions, sensor data) and estimating the likelihood of the current user being legitimate based on machine learning techniques. With mPSAuth, both the authentication protocol and the machine learning models operate on homomorphically encrypted data to ensure the users' privacy. Furthermore, the number of machine learning models used by mPSAuth is independent of the number of users, thus providing adequate scalability. In an extensive evaluation based on real-world data from a mobile application, we illustrate that mPSAuth can provide high accuracy with low encryption and communication overhead, while the effort for the inference is increased to a tolerable extent.

Cryptography and Security,Machine Learning

Qingsheng Zhang,Yong Qi,Di Hou,Jizhong Zhao,Huawei Han

DOI: https://doi.org/10.1109/FSKD.2007.598

2007-01-01

Abstract:In pervasive computing environments, context- aware applications provide services for people by using personal information. People also make privacy decision about personal information disclosure as privacy concerns. Privacy decision depends on people's interaction situation. The trust of information collector and personal information sensitivity often enable people to make uncertain privacy decision. Therefore, we construct a fuzzy objective information system that consists of personal interaction situation history. The privacy disclosure policies are extracted from this information system under using rough set theory. The context-aware applications are assigned to an adequate privacy role with the privacy disclosure policies and situation of people's interaction. Finally, we provide a working example and the initial performance evaluation.

HS Cheng,DQ Zhang,JG Tan

DOI: https://doi.org/10.1109/itcc.2005.233

2005-01-01

Abstract:In this paper, we present two techniques. The first technique called Privacy Sensitive Information dilUting Mechanism (PSIUM) is able to prevent the misuse of data by a service provider by using a mixture of true and false sensor data. The second technique protects privacy sensitive information from being revealed to an attacker through traffic analysis by using a combination of frequently changing pseudonyms and dummy traffic.

Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1007/s11036-006-0008-7

2006-01-01

Mobile Networks and Applications

Abstract:In pervasive computing environments (PCEs), privacy and security are two important but contradictory objectives. Users enjoy services provided in PCEs only after their privacy issues being sufficiently addressed. That is, users could not be tracked down for wherever they are and whatever they are doing. However, service providers always want to authenticate the users and make sure they are accessing only authorized services in a legitimate way. In PCEs, such user authentication may include context authentication in addition to the entity authentication. In this paper, we propose a novel privacy enhanced anonymous authentication and access control scheme to secure the interactions between mobile users and services in PCEs with optional context authentication capability. The proposed scheme seamlessly integrates two underlying cryptographic primitives, blind signature and hash chain, into a highly flexible and lightweight authentication and key establishment protocol. It provides explicit mutual authentication and allows multiple current sessions between a user and a service, while allowing the user to anonymously interact with the service. The proposed scheme is also designed to be DoS resilient by requiring the user to prove her legitimacy when initializing a service session.

Ivor D. Addo,Ji-Jiang Yang,Sheikh I. Ahamed

DOI: https://doi.org/10.1109/compsac.2014.82

2014-01-01

Abstract:With the recent proliferation of ubiquitous, mobile and cloud-based systems, security, privacy and trust concerns surrounding the use of emerging technologies in the ensuing wake of the Internet of Things (IoT) continues to mount. In most instances, trust and privacy concerns continuously surface as a key deterrent to the adoption of these emergent technologies. The ensuing literature presents a Secure, Private and Trustworthy protocol (named SPTP) that was prototyped for addressing critical security, privacy and trust concerns surrounding mobile, pervasive and cloud services in Collective Intelligence (CI) scenarios. The efficacy of the protocol and its associated characteristics are evaluated in CI-related scenarios including multimodal monitoring of Elderly people in smart home environments, Online Advertisement targeting in Computational Advertising settings, and affective state monitoring through gameplay as an intervention for Autism among Children. We present our evaluation criteria for the proposed protocol, our initial results and future work.

Vanesa Daza,Matteo Signorini

DOI: https://doi.org/10.1007/978-3-319-09885-2_19

2014-08-22

Abstract:Market analysis predicts that in a few years, companies, universities, government agencies as well as common people in they daily life will increasingly adopt mobile computing systems thus increasingly enjoying the benefits of online, Internet-based services. However, such scenario will also expose user data privacy to severe attacks. This situation has led to the development of authentication approaches aimed at preventing unauthorized access to user data. Many different authentication approaches have been proposed over the last years, starting from basic password to more complex biometric solutions but all of them have proven to suffer from the same weaknesses. This issue drove us to design a solution based upon hardware intrinsic security features and aimed at guaranteeing a high level of data privacy while providing a user friendly authentication process. Our solution shows advanced features of data privacy policies definition making it a good candidate for the construction of future data privacy policies.

Eric Ke Wang,Yunming Ye,S. M. Yiu,L. C. K. Hui

DOI: https://doi.org/10.7763/ijcce.2013.v2.200

2013-01-01

International Journal of Computer and Communication Engineering

Abstract:—The wide use of mobile social networks has made it easier for people to share and exchange information with others anywhere, anytime. However, sharing operations of personal data on mobile social networks has put individual privacy under risk in unprecedented ways. We propose a protocol for privacy-preserving P2P information sharing for mobile social networking; because of the limitation of computation and communication for mobile devices, traditional privacy-preserving information sharing for private data sources cannot be applied in mobile social networks. Therefore, we designed a lightweight obfuscation and encryption model to defend against honest-but-curious behavior attack. The protocol is practical for mobile devices and the simulation performance is encouraging.