SaTC: TTP: Small: Mobile Dynamic Privacy and Security Analysis at Scale

SaTC：TTP：小型：大规模移动动态隐私和安全分析

• 批准号: 1817248
• 负责人: Serge Egelman
• 金额: $ 50万
• 依托单位: International Computer Science Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2022-02-28
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1817248&HistoricalAwards=false
• 关键词: SaTC; TTP; Small; Mobile; Dynamic

The International Computer Science Institute (ICSI) is developing a framework to automatically detect privacy violations in mobile applications. The project leverages prototype work in augmenting the Android operating system with instrumentation to detect when applications access sensitive user data, what they do with it, and with whom they share it. The project modifies this system to support the analysis of thousands of applications in parallel, through virtualization. This infrastructure enables better understanding of the mobile privacy landscape, as well as making available new techniques for auditing programs at scale. The project offers end-users an online resource (https://www.appcensus.mobi/) to research the privacy behaviors of their applications; regulators can use these tools for enforcement, and developers can use them to detect and fix privacy violations in their mobil applications prior to releasing them.Current program analysis approaches either do not actually observe program execution, and instead only examine program code, or do not scale well. This approach instruments the operating system and then uses simulated user behavior via computer-generated user interface events to passively observe what personal information applications access and exfiltrate. A prototype of the framework was used to detect thousands of potential violations of the Children's Online Privacy Protection Act (COPPA). This project expands that initial infrastructure to enable evaluation of thousands of applications simultaneously with real user input from crowdworkers, as well as to offer a programming interface for both developers and regulators to be able to evaluate new mobile applications on demand.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

国际计算机科学研究所（ICSI）正在开发一个框架，以自动检测移动应用程序中的隐私行为。该项目利用原型在用仪器上增强Android操作系统的功能，以检测应用程序何时访问敏感用户数据，对其以及与之共享的应用程序。该项目修改了该系统，以通过虚拟化并行支持数千个应用程序的分析。该基础架构可以更好地了解移动隐私环境，并为大规模审核计划提供新技术。该项目为最终用户提供了在线资源（https://www.appcensus.mobi/），以研究其应用程序的隐私行为；监管机构可以使用这些工具进行执法，开发人员可以在发布之前在其动员应用程序中检测和修复违反隐私的侵犯。电流程序分析方法实际上没有观察程序执行，而只检查程序代码，或者不太扩展。此方法启动操作系统，然后通过计算机生成的用户界面事件使用模拟用户行为，以被动地观察哪些个人信息应用程序访问和渗透。该框架的原型用于检测成千上万的潜在违反《儿童在线隐私保护法》（COPPA）。该项目扩展了初始基础架构，以便能够与人群工人的实际用户输入同时评估数千个应用程序，并为开发人员和监管机构提供了一个编程界面，以便能够按需评估新的移动应用程序。该奖项反映了NSF的法定任务，并通过评估了基金会的范围，并通过评估了基金会的MERIT和BRODIT构成了基金会的支持。

项目成果

Disaster privacy/privacy disaster

• DOI: 10.1002/asi.24353
• 发表时间: 2020-03
• 期刊: J. Assoc. Inf. Sci. Technol.
• 作者: M. Sanfilippo;Yan Shvartzshnaider;Irwin Reyes;H. Nissenbaum;Serge Egelman

50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System

• 发表时间: 2019-08
• 作者: Joel Reardon;Álvaro Feal;Primal Wijesekera;Amit Elazari Bar On;Narseo Vallina-Rodriguez;Serge Egelman

On The Ridiculousness of Notice and Consent: Contradictions in App Privacy Policies

• 发表时间: 2019-05
• 作者: Ehimare Okoyomon;N. Samarin;Primal Wijesekera;Amit Elazari Bar On;Narseo Vallina-Rodriguez;Irwin Reyes;Álvaro Feal;Serge Egelman

The Price is (Not) Right: Comparing Privacy in Free and Paid Apps

• DOI: 10.2478/popets-2020-0050
• 发表时间: 2020-07-01
• 期刊: Proceedings on Privacy Enhancing Technologies
• 作者: Han, Catherine;Reyes, Irwin;Egelman, Serge
• 通讯作者: Egelman, Serge

Do You Get What You Pay For? Comparing the Privacy Behaviors of Free vs. Paid Apps

• 发表时间: 2019-05
• 作者: K. Bamberger;Catherine Han;Irwin Reyes;A. Elazari;Joel Reardon;Álvaro Feal;Serge Egelman;Narseo Vallina-Rodriguez