Using Authorization Logic to Capture User Policies in Mobile Ecosystems
Joseph Hallett
Are people picky about what they’ll install?
no! (mostly)
App stores sell apps
• How we distribute software on mobile devices
• Lots of choice of apps
• Partially curated by store owners
  • Mainly for malware and quality control
  • …but some still slips through
  • …especially in the third-party stores
Apps access data
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
…but it’s mostly legitimate
• Location and movements: Google Maps
• Who you speak to and what you text: Facebook Messenger
• What you install: Amazon’s app store
• What you look at on the internet: anything web based (everything)
• Your camera and microphone
…but it’s maybe legitimate?
• Location and movements: local advertising
• Who you speak to and what you text: marketing
• What you install: analytics
• What you look at on the internet: targeted advertising
• Your camera and microphone: …spying?
Does anyone care?
yes!
Privacy preferences
• Fantastic paper from SOUPS 2014
• Modelling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings (Jialiu Lin, Bin Liu, Norman Sadeh, Jason I. Hong)
• Figured out why some apps need certain permissions
• Asked users if they were okay with that
Four kinds of users
• From the users’ answers they discovered four different clusters of users
  • Conservatives (12%)
  • Advanced (18%)
  • Fencesitters (48%)
  • Unconcerned (22%)
• Unconcerned users didn’t care
  • Happy to disclose data to third parties
  • A little bit uncomfortable granting account info to social networks
• Fencesitters seemed ambivalent
  • Didn’t actively like or dislike anything
  • User fatigue?
• Conservatives really care
  • Don’t want anyone to have anything for any reason
• Advanced users are concerned but pragmatic
  • Okay giving social networks info
  • Okay giving coarse information
Users have privacy preferences
• Do they make app choices on the basis of them?
• Can we help them make that decision?
• Can we warn them when they’re making a bad decision?
AppPAL
an authorization logic for picking apps
AppPAL
• Based on SecPAL
• Used for access control in distributed systems
• Written in Java, runs on Android
• Lets principals (users) make judgements about apps
    alice says apk://com.rovio.angrybirds isRunnable.
speaker: alice; subject: apk://com.rovio.angrybirds; predicate: isRunnable

    alice says App isRunnable if App meets(conservativePolicy).
variable: App; conditional: if …; constant: conservativePolicy

    alice says App isRunnable if App meets(workPolicy)
        where currentLocation(work) = true, hasPermission(App, location) = true.
constraint: the where clause; currentLocation(work) is checked at query time, hasPermission(App, location) is implicit in the app

    alice says itdepartment can-say App meets(workPolicy).
delegation: can-say; delegatee: itdepartment

strictly speaking it is either delegation where further delegation is allowed…
    alice says itdepartment can-say inf App meets(workPolicy).
…or where it is not
    alice says itdepartment can-say 0 App meets(workPolicy).

    alice says ian can-act-as itdepartment.
role assignment

    alice says apk://com.rovio.angrybirds.space can-act-as apk://com.rovio.angrybirds.
role assignment is not limited to speakers
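The assertions above, run through a small forward-chaining evaluator. This is an added example written for this page, not AppPAL's own Java implementation or its API. It models SecPAL's reading of the can-say depth (0: the delegatee's statement must hold without any further delegation; inf: any delegation chain is accepted), and it adds constructed statements from the delegatees (ian vouching for a hypothetical apk://com.example.crm and re-delegating to a hypothetical contractor who vouches for apk://com.example.crm2) so that the depth difference is visible; the `currentLocation` and `hasPermission` constraints are supplied as a query-time context dictionary.

```python
"""A small evaluator for AppPAL/SecPAL-style assertions (added example, not
the AppPAL implementation): says / if / where / can-say / can-act-as."""
from dataclasses import dataclass
from typing import Callable, Optional

# A fact is a tuple (subject, predicate, *args). A string term starting with an
# uppercase letter (e.g. "App") is a variable; everything else is a constant.
def is_var(term):
    return isinstance(term, str) and term[:1].isupper()

def match(pattern, fact, env):
    """Unify a pattern against a ground fact; return extended bindings or None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def subst(pattern, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in pattern)

@dataclass(frozen=True)
class Rule:
    speaker: str                       # "alice says ..."
    head: tuple                        # fact pattern being asserted
    body: tuple = ()                   # "if" conditions, each read as `speaker says ...`
    where: Optional[Callable] = None   # "where" constraint over bindings and context

def solve(body, speaker, known, env):
    """Enumerate bindings under which every body condition is said by speaker."""
    if not body:
        yield env
        return
    for s, f in known:
        if s == speaker:
            e = match(body[0], f, env)
            if e is not None:
                yield from solve(body[1:], speaker, known, e)

def closure(rules, ctx, k0=None):
    """Fixpoint of everything each principal says. With k0=None delegation is
    switched off (SecPAL depth 0); otherwise k0 is that depth-0 closure and is
    the only evidence accepted for a `can-say 0` delegation."""
    known = set(k0 or ())
    while True:
        new = set()
        for r in rules:
            for env in solve(r.body, r.speaker, known, {}):
                if r.where is None or r.where(env, ctx):
                    new.add((r.speaker, subst(r.head, env)))
        for a, f in known:
            if len(f) == 3 and f[1] == "can-act-as":       # A says B can-act-as C
                new |= {(a, (f[0],) + g[1:]) for s, g in known if s == a and g[0] == f[2]}
            elif k0 is not None and len(f) == 4 and f[1] == "can-say":
                b, _, depth, pattern = f                    # A says B can-say depth pattern
                pool = known if depth == "inf" else k0
                new |= {(a, g) for s, g in pool if s == b and match(pattern, g, {}) is not None}
        if new <= known:
            return known
        known |= new

def derive(rules, ctx):
    return closure(rules, ctx, closure(rules, ctx))

WORK = ("App", "meets", "workPolicy")

def at_work_with_location(env, ctx):
    """where currentLocation(work) = true, hasPermission(App, location) = true"""
    return ctx["location"] == "work" and "location" in ctx["permissions"].get(env["App"], ())

def alice_policy(depth):
    """The slide's assertions plus constructed statements from the delegatees."""
    return [
        Rule("alice", ("apk://com.rovio.angrybirds", "isRunnable")),
        Rule("alice", ("App", "isRunnable"), (WORK,), at_work_with_location),
        Rule("alice", ("itdepartment", "can-say", depth, WORK)),
        Rule("alice", ("ian", "can-act-as", "itdepartment")),
        Rule("alice", ("apk://com.rovio.angrybirds.space", "can-act-as", "apk://com.rovio.angrybirds")),
        # constructed: ian vouches for one app directly and re-delegates to a contractor
        Rule("ian", ("apk://com.example.crm", "meets", "workPolicy")),
        Rule("ian", ("contractor", "can-say", "inf", WORK)),
        Rule("contractor", ("apk://com.example.crm2", "meets", "workPolicy")),
    ]

def runnable_apps(depth, location):
    ctx = {"location": location,                                   # checked at query time
           "permissions": {"apk://com.example.crm": {"location"},   # implicit in the app
                           "apk://com.example.crm2": {"location"}}}
    facts = derive(alice_policy(depth), ctx)
    return {f[0] for s, f in facts if s == "alice" and f[1:] == ("isRunnable",)}

if __name__ == "__main__":
    for depth, loc in (("inf", "work"), (0, "work"), ("inf", "home")):
        print(depth, loc, sorted(runnable_apps(depth, loc)))
```

With `can-say inf`, alice accepts crm2 even though only the contractor vouched for it; with `can-say 0` she accepts only what ian (acting as itdepartment) states himself, and away from work neither CRM app is runnable because the `where` constraint fails at query time.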
So do users follow privacy policies?
Plan of attack
• Get data about which users installed which apps (this data is hard to get)
• Express Lin et al.’s privacy policies in AppPAL
• Check what percentage of a user’s apps met the policy
• If a user is following a policy we’ll expect them to mostly install apps which satisfy the policy
Carat
• Project from UC Berkeley and University of Helsinki
• Measures power usage of the apps on your phone
• Also collects anonymised app installation data for researchers
  • Users replaced with an incrementing number
  • Apps replaced with hash of package name
Carat
• We identified 4,300 apps out of ~90,000
• Selected 44,000 users for whom we knew at least 20 app installations
  • (after taking into account system and common apps like Facebook and Twitter)
Privacy policies in AppPAL
• Approximated the Lin et al. policies as sets of permissions
• If a group of users felt uncomfortable about a permission for any reason we banned it.
• Not as subtle as we’d like but a reasonable approximation.

Permissions banned (✘) under each policy (C = Conservative, A = Advanced, F = Fencesitter, U = Unconcerned):

Permission               C  A  F  U
GET_ACCOUNTS             ✘  ✘  ✘  ✘
ACCESS_FINE_LOCATION     ✘  ✘  ✘
READ_CONTACTS            ✘  ✘  ✘
READ_PHONE_STATE         ✘  ✘
SEND_SMS                 ✘  ✘
ACCESS_COARSE_LOCATION   ✘
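The plan of attack and the permission-set approximation above, as an added example (not the talk's own analysis code): anonymise packages Carat-style by hashing, identify the hashes we know, drop common apps and users with too few identified installs, score each user against the four banned-permission sets, and count users above each threshold as in the results table. The banned sets assume the table's marks are read left to right (the policies nest from Conservative to Unconcerned); the hash function, the catalogue, the installation log and the minimum of 3 identified apps (the talk used 20) are constructed for the example.

```python
"""Fraction of each user's installed apps meeting the four Lin et al. policies,
approximated as banned-permission sets (added example, constructed data)."""
import hashlib
from fractions import Fraction

# Banned permissions per cluster, read left to right from the slide's table
# (assumption): C = Conservative, A = Advanced, F = Fencesitter, U = Unconcerned.
BANNED = {
    "C": {"GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
          "READ_PHONE_STATE", "SEND_SMS", "ACCESS_COARSE_LOCATION"},
    "A": {"GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
          "READ_PHONE_STATE", "SEND_SMS"},
    "F": {"GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_CONTACTS"},
    "U": {"GET_ACCOUNTS"},
}

def app_id(package):
    """Carat-style anonymised identifier: a hash of the package name (SHA-1 assumed)."""
    return hashlib.sha1(package.encode()).hexdigest()

def meets(permissions, policy):
    """An app meets a policy when it requests none of that policy's banned permissions."""
    return not (set(permissions) & BANNED[policy])

# Constructed catalogue of identified apps -> requested permissions (not real data).
# Hashing known package names is how anonymised identifiers get matched back to apps.
CATALOGUE = {app_id(p): perms for p, perms in {
    "com.example.maps": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "INTERNET"},
    "com.example.flashlight": {"CAMERA"},
    "com.example.weather": {"ACCESS_COARSE_LOCATION", "INTERNET"},
    "com.example.dialer": {"READ_PHONE_STATE", "READ_CONTACTS"},
    "com.example.social": {"GET_ACCOUNTS", "INTERNET"},
    "com.example.sms": {"SEND_SMS"},
    "com.facebook.katana": {"GET_ACCOUNTS", "INTERNET", "READ_CONTACTS"},
}.items()}
COMMON = {app_id("com.facebook.katana")}   # ubiquitous apps are excluded from scoring

# Constructed installation log: anonymised user number -> hashed package names.
INSTALLS = {
    1: [app_id(p) for p in ("com.example.maps", "com.example.flashlight",
                            "com.example.weather", "com.facebook.katana")],
    2: [app_id(p) for p in ("com.example.flashlight", "com.example.weather",
                            "com.example.sms", "com.example.dialer")],
    3: [app_id(p) for p in ("com.example.social", "com.example.dialer",
                            "com.unknown.thing")],        # unidentified hash is skipped
    4: [app_id(p) for p in ("com.example.flashlight", "com.example.weather",
                            "com.example.maps", "com.example.social", "com.example.sms")],
}

def score_users(installs, catalogue, common, min_known):
    """Per user, the fraction of identified, non-common apps meeting each policy.
    Users with fewer than min_known such apps are dropped (the talk required 20)."""
    scores = {}
    for user, apps in installs.items():
        known = [catalogue[a] for a in set(apps) if a in catalogue and a not in common]
        if len(known) < min_known:
            continue
        scores[user] = {p: Fraction(sum(meets(perms, p) for perms in known), len(known))
                        for p in BANNED}
    return scores

def threshold_table(scores, thresholds=(50, 60, 70, 80, 90, 100)):
    """How many users meet each policy for at least the given percentage of their apps."""
    return {t: {p: sum(1 for s in scores.values() if s[p] * 100 >= t) for p in BANNED}
            for t in thresholds}

if __name__ == "__main__":
    scores = score_users(INSTALLS, CATALOGUE, COMMON, min_known=3)
    for user, row in sorted(scores.items()):
        print(user, {p: f"{float(v):.2f}" for p, v in row.items()})
    for t, row in threshold_table(scores).items():
        print(f">= {t}%", row)
```

Scores are kept as exact fractions so that a user whose apps all meet a policy lands exactly on the `= 100%` row rather than at 0.9999; the unidentified hash in user 3's log is simply not evidence either way, which is the partial-history limitation the talk discusses.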
Limitations
• We’re using an approximation of the policies
• We have only a partial purchase history
  • …so we can only test if a sample of a user’s apps meet the policies
• We might not have the same version as the user
  • Permissions can increase or decrease; apps change
  • …but typically only increase
Results
[Histogram: x axis “%age of user’s apps meeting policy” (0.00 to 1.00), y axis “User count” (0 to 30000), one series per policy C, A, F, U]
Almost no one follows a policy all the time
…or even some of the time
Users meeting a policy for at least the given share of their apps (count and percentage of the 44,000 users):

            C            A            F            U
≥ 50%   179 (0.41%)  206 (0.47%)  696 (1.58%)  2390 (5.43%)
≥ 60%    45 (0.10%)   49 (0.11%)  209 (0.48%)   867 (2.0%)
≥ 70%    18 (0.04%)   19 (0.04%)   79 (0.18%)   331 (0.75%)
≥ 80%    15 (0.03%)   16 (0.04%)   49 (0.11%)   151 (0.34%)
≥ 90%    13 (0.03%)   14 (0.03%)   37 (0.08%)    69 (0.16%)
= 100%   13 (0.03%)   14 (0.03%)   37 (0.08%)    67 (0.15%)
but it isn’t zero
What about malware?
[Histogram: x axis “%age of user’s apps meeting policy” (0.7 to 1.0), y axis “User count” (0 to 150), series “not PUP” and “not Malware”]
Almost no malware installed
Do users who follow a policy install less malware?
[Scatter plot: x axis “%age of apps meeting ‘Advanced’ policy” (0.00 to 1.00), y axis “%age of apps meeting ‘Not-PUP’ policy” (0.80 to 1.00)]
yes!
So what did we learn?
• What people say and what people do are two different things
• Being picky seems to stop you installing rubbish
• AppPAL works great for exploring properties of apps
What is next?
• On-device policy checking
  • check your installed apps against a policy
• Building stores with policies
  • searching and building stores with policies
• What is causing this disconnect?
  • fatigue? lack of awareness? lack of choice?