Post on 12-Apr-2017
Using Authorization Logic to Capture User Policies in Mobile Ecosystems
Joseph Hallett
J.Hallett@sms.ed.ac.uk
Are people picky about what they’ll install?
no! (mostly)
App stores sell apps
• How we distribute software on mobile devices
• Lots of choice of apps
• Partially curated by store owners
• Mainly for malware and quality control
• …but some still slips through
• …especially in the third-party stores
Apps access data
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
…but it’s mostly legitimate
• google maps
• facebook messenger
• amazon’s app store
• anything web based (everything)
…but it’s maybe legitimate?
• local advertising
• marketing
• analytics
• targeted advertising
• …spying?
Does anyone care?
yes!
Privacy preferences
• Fantastic paper from SOUPS 2014
• Modelling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings (Jialiu Lin, Bin Liu, Norman Sadeh, Jason I. Hong)
• Figured out why some apps need certain permissions
• Asked users if they were okay with that
Four kinds of users
• From the users’ answers they discovered four different clusters of users
• Conservatives (12%)
• Advanced (18%)
• Fencesitters (48%)
• Unconcerned (22%)
• Unconcerned users didn’t care
• Happy to disclose data to third parties
• Little bit uncomfortable granting account info to social networks
• Fencesitters seemed ambivalent
• Didn’t actively like or dislike anything
• User fatigue?
• Conservatives really care
• Don’t want anyone to have anything for any reason
• Advanced users are concerned but pragmatic
• Okay giving social networks info
• Okay giving coarse information
Users have privacy preferences
• Do they make app choices on the basis of them?
• Can we help them make that decision?
• Can we warn them when they’re making a bad decision?
AppPAL
an authorization logic for picking apps
AppPAL
• Based on SecPAL
• Used for access control in distributed systems
• Written in Java, runs on Android
• Lets principals (users) make judgements about apps
alice says apk://com.rovio.angrybirds isRunnable.
(speaker: alice; subject: apk://com.rovio.angrybirds; predicate: isRunnable)
alice says App isRunnable if App meets(conservativePolicy).
(variable: App; conditional: “if App meets(…)”; constant: conservativePolicy)
alice says App isRunnable if App meets(workPolicy)
where currentLocation(work) = true, hasPermission(App, location) = true.
(the where clause is a constraint, checked at query time; the permission is implicit in the app)
alice says itdepartment can-say App meets(workPolicy).
(delegation; itdepartment is the delegatee)
Strictly speaking, this is either delegation where further delegation is allowed:
alice says itdepartment can-say inf App meets(workPolicy).
…or where it is not:
alice says itdepartment can-say 0 App meets(workPolicy).
alice says ian can-act-as itdepartment.
(role assignment)
alice says apk://com.rovio.angrybirds.space can-act-as apk://com.rovio.angrybirds.
(role assignment is not limited to speakers)
So do users follow privacy policies?
Plan of attack
• Get data about which users installed which apps (this data is hard to get)
• Express Lin et al.’s privacy policies in AppPAL
• Check what percentage of a user’s apps met the policy
• If a user is following a policy we’ll expect them to mostly install apps which satisfy the policy
Carat
• Project from UC Berkeley and University of Helsinki
• Measures power usage of the apps on your phone
• Also collects anonymised app installation data for researchers
• Users replaced with an incrementing number
• Apps replaced with hash of package name
Carat
• We identified 4,300 apps out of ~90,000
• Selected 44,000 users for whom we knew at least 20 app installations
• (after taking into account system and common apps like Facebook and Twitter)
Privacy policies in AppPAL
• Approximated the Lin et al. policies as sets of permissions
• If a group of users felt uncomfortable about a permission for any reason we banned it.
• Not as subtle as we’d like but a reasonable approximation.
Permission banned      C  A  F  U
GET_ACCOUNTS           ✘  ✘  ✘  ✘
ACCESS_FINE_LOCATION   ✘  ✘  ✘
READ_CONTACT           ✘  ✘  ✘
READ_PHONE_STATE       ✘  ✘
SEND_SMS               ✘  ✘
ACCESS_COARSE_LOCATION ✘
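To make the assertion forms above and the banned-permission approximation concrete, here is an added example (my own Python sketch, not the AppPAL or SecPAL implementation): a tiny evaluator for facts, conditional rules with query-time constraints, can-say delegation and can-act-as role assignment, used to compute the study's metric of what share of a user's apps meet a policy. The app permission sets, the ian/itdepartment assertions and the left-to-right column order of the ✘ marks (C, A, F, U) are assumptions.

```python
from collections import namedtuple
# One assertion "speaker says subject predicate if <conditions> where <constraint>";
# subject is a constant such as "apk://..." or the variable "App"; the constraint
# (the "where" part) is a function of the subject, checked at query time.
Rule = namedtuple("Rule", "speaker subject predicate conditions constraint",
                  defaults=((), lambda app: True))
# rules, plus "s says d can-say p" triples and "s says p can-act-as role" triples
KB = namedtuple("KB", "rules can_say can_act_as")

def holds(kb, speaker, subject, predicate, depth=0):
    """Does `speaker` say `subject predicate`? Follows rules, role assignment and delegation."""
    if depth > 8:            # guard against cyclic role/delegation chains
        return False
    for r in kb.rules:
        if (r.speaker, r.predicate) == (speaker, predicate) and r.subject in (subject, "App") \
                and r.constraint(subject) and all(holds(kb, speaker, subject, c, depth + 1) for c in r.conditions):
            return True
    for s, p, role in kb.can_act_as:   # role assignment: whatever holds of the role holds of p
        if s == speaker and p == subject and holds(kb, speaker, role, predicate, depth + 1):
            return True
    for s, d, p in kb.can_say:         # delegation: the delegatee, or anyone acting as it, may assert it
        if s == speaker and p == predicate:
            actors = [d] + [q for ss, q, role in kb.can_act_as if ss == speaker and role == d]
            if any(holds(kb, a, subject, predicate, depth + 1) for a in actors):
                return True
    return False

# Constructed sample data: permissions requested by three apps, and the slide's banned-permission
# approximation of the four clusters (assuming the ✘ marks fill the columns left to right as C, A, F, U).
PERMS = {"apk://com.rovio.angrybirds": {"INTERNET", "ACCESS_COARSE_LOCATION"},
         "apk://com.example.flashlight": {"INTERNET", "ACCESS_FINE_LOCATION", "READ_CONTACTS"},
         "apk://com.example.notes": {"INTERNET"}}
SLIDE = ["GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_CONTACTS", "READ_PHONE_STATE", "SEND_SMS", "ACCESS_COARSE_LOCATION"]
BANNED = {"conservativePolicy": set(SLIDE), "advancedPolicy": set(SLIDE[:5]),
          "fencesitterPolicy": set(SLIDE[:3]), "unconcernedPolicy": set(SLIDE[:1])}

def build_kb():
    kb = KB([], [], [])
    for policy, banned in BANNED.items():   # alice says App meets(P) where App requests none of P's banned permissions
        kb.rules.append(Rule("alice", "App", f"meets({policy})",
                             constraint=lambda app, b=banned: app in PERMS and not (PERMS[app] & b)))
    kb.rules.append(Rule("alice", "App", "isRunnable", conditions=("meets(advancedPolicy)",)))
    kb.can_say.append(("alice", "itdepartment", "meets(workPolicy)"))   # alice says itdepartment can-say ...
    kb.can_act_as.append(("alice", "ian", "itdepartment"))              # alice says ian can-act-as itdepartment
    kb.rules.append(Rule("ian", "apk://com.example.notes", "meets(workPolicy)"))  # ian's own assertion
    kb.can_act_as.append(("alice", "apk://com.rovio.angrybirds.space", "apk://com.rovio.angrybirds"))
    return kb

def fraction_meeting(kb, apps, policy):
    """The study's metric: share of a user's installed apps that alice's rules say meet `policy`."""
    return sum(holds(kb, "alice", a, f"meets({policy})") for a in apps) / len(apps)
```

Note that the unknown package apk://com.rovio.angrybirds.space only passes because it can-act-as the known one, and that ian's statement about the notes app is accepted by alice only through the delegation to itdepartment.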
Limitations
• We’re using an approximation of the policies
• We have only a partial purchase history
• …so we can only test if a sample of a user’s apps meet the policies
• We might not have the same version as the user
• Permissions can increase or decrease; apps change
• …but typically only increase
Results
(Plot: user count against %age of user’s apps meeting policy, one curve per policy C, A, F, U.)
Almost no one follows a policy all the time
…or even some of the time
        C            A            F            U
≥ 50%   179 (0.41%)  206 (0.47%)  696 (1.58%)  2390 (5.43%)
≥ 60%   45 (0.10%)   49 (0.11%)   209 (0.48%)  867 (2.0%)
≥ 70%   18 (0.04%)   19 (0.04%)   79 (0.18%)   331 (0.75%)
≥ 80%   15 (0.03%)   16 (0.04%)   49 (0.11%)   151 (0.34%)
≥ 90%   13 (0.03%)   14 (0.03%)   37 (0.08%)   69 (0.16%)
= 100%  13 (0.03%)   14 (0.03%)   37 (0.08%)   67 (0.15%)
but it isn’t zero
What about malware?
(Plot: user count against %age of user’s apps meeting the ‘not PUP’ and ‘not Malware’ policies, over the range 0.7 to 1.0.)
Almost no malware installed
Do users who follow a policy install less malware?
(Plot: %age of apps meeting the ‘Not-PUP’ policy against %age of apps meeting the ‘Advanced’ policy.)
yes!
So what did we learn?
• What people say and what people do are two different things
• Being picky seems to stop you installing rubbish
• AppPAL works great for exploring properties of apps
What is next?
• On device policy checking
• check your installed apps against a policy
• Building stores with policies
• searching and building stores with policies
• What is causing this disconnect?
• fatigue? lack of awareness? lack of choice?