UMBC ebiquity
Policy

Taintdroid catches Android apps that leak private user data

September 30th, 2010, by Tim Finin, posted in Mobile Computing, Privacy, Security, Social

Ars Technica has an article on bad Android apps, “Some Android apps caught covertly sending GPS data to advertisers.”

“The results of a study conducted by researchers from Duke University, Penn State University, and Intel Labs have revealed that a significant number of popular Android applications transmit private user data to advertising networks without explicitly asking or informing the user. The researchers developed a piece of software called TaintDroid that uses dynamic taint analysis to detect and report when applications are sending potentially sensitive information to remote servers.

They used TaintDroid to test 30 popular free Android applications selected at random from the Android market and found that half were sending private information to advertising servers, including the user’s location and phone number. In some cases, they found that applications were relaying GPS coordinates to remote advertising network servers as frequently as every 30 seconds, even when not displaying advertisements. These findings raise concern about the extent to which mobile platforms can insulate users from unwanted invasions of privacy.”

TaintDroid is an experimental system that “analyses how private information is obtained and released by applications ‘downloaded’ to consumer phones”. A paper on the system will be presented at the 2010 USENIX Symposium on Operating Systems Design and Implementation later this month.

TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones, William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth, OSDI, October 2010.

The project, Realtime Privacy Monitoring on Smartphones, has a good overview site with a FAQ and demo.

This is just one example of a rich and complex area full of trade-offs. We want our systems and devices to be smarter and to really understand us — our preferences, context, activities, interests, intentions, and pretty much everything short of our hopes and dreams. We then want them to use this knowledge to better serve us — selecting music, turning the ringer on and off, alerting us to relevant news, etc. Developing this technology is neither easy nor cheap and the developers have to profit from creating it. Extracting personal information that can be used or sold is one model — just as Google and others do to provide better ad placement on the Web.

Here’s a quote from the Ars Technica article that resonated with me.

“As Google says in its list of best practices that developers should adopt for data collection, providing users with easy access to a clear and unambiguous privacy policy is really important.”

We, and many others, are trying to prepare for the next step — when users can define their own privacy policies and these will be understood and enforced by their devices.

Our MURI grant gets some press

June 12th, 2008, by Anupam Joshi, posted in Datamining, Mobile Computing, Policy, Privacy, Security, Social media, Technology Policy, UMBC

A UMBC-led team recently won a MURI award from DoD to work on “Assured Information Sharing Lifecycle”. It is an interesting mix of work on new security models, policy driven security systems, context awareness, privacy preserving data mining, and social networking. The award really brings together many different strains of research in eBiquity, as well as some related research in our department. We’re just starting off, and excited about it. UMBC’s web page had a story about this, and more recently, GCN covered it.

The UMBC team is led by Tim Finin, and includes several of us. The other participants are UIUC (led by Jiawei Han), Purdue (led by Elisa Bertino), UTSA (led by Ravi Sandhu), UTDallas (led by Bhavani Thuraisingham), Michigan (Lada Adamic).

PhD proposal: Context and Policies in Declarative Networked Systems

May 19th, 2008, by Tim Finin, posted in Semantic Web

UMBC PhD student Palanivel Kodeswaran will present his dissertation proposal on Use of Context and Policies in Declarative Networked Systems at 3:30 on Tuesday May 20 in ITE 325. Dissertation proposals are public and visitors are welcome. If you are a PhD student and are (or should be!) working on your own proposal, going to these is a good way to prepare. You can see what’s involved, what works and what doesn’t, and what kind of questions you can expect. See the link above for the full abstract, but here is a teaser.

“In this thesis, we propose to build a declarative framework that can reason over the requirements of applications, the current network context, operator policies, and appropriately configure the network to provide better network support for applications. … In particular, the contributions of this thesis are (i) Developing a framework for using context and policies in declarative networked systems (ii) Runtime adaptation of network configuration based on application requirements and node/operator policy (iii) Formalize cross layer interactions as opposed to ad hoc optimizations (iv) Simulation and test bed implementations to validate and evaluate proposed approach.”