Download - Privacy Policies Change Management for Smartphones

Nokia Research Center

Privacy Policies Change

Management for

Smartphones

Debmalya Biswas

Nokia Research Center, Switzerland

MUCS 20121


Smart phones

Sensors

The average smartphone nowadays consists of many sensors:

• GPS

• Accelerometer

• Bluetooth, Wifi

• Proximity

• Rotation

• Magnetometer

• Ambient Light

MUCS 20122


Smart phones

Intelligent and Contextual Apps

• GPS – Real-time precise location

• Accelerometer - Activity, e.g. the speed at which the user is moving his

hand

• Compass – the direction

• Bluetooth – Nearby people

Traditional input devices, e.g. Camera, Microphone

and

sources of information, e.g Messeges, Address book, Pics, Vids (file

system in general)

MUCS 20123


State of the Art

Install-time verification

• Certification: Centrazilized certification by the App Store

• Capabilities based access control model:

• Capabilites here refers to group of phone resources

• Apps have to declare the phone capabilities/resources they need to access

• If allowed by user, the app is installed with tokens to access the requested resources.

• Certification + Capabilities

Many real-life cases of malicious apps bypassing the above safeguards.

MUCS 20124


Missing Aspects

Run-time parameters

• Frequency: An app A is allowed to access a sensor S only with a certain

frequency.

• A weather app does not need to access your location every 5 seconds.

Contextual parameters

• Time, Location:

• An app A is NOT allowed to access the phone’s camera/microphone when the user is in

(location) Offce.

MUCS 20125


Real-time and Contextual Policies

• Sequence of invocation:

• Implicitly includes the list of allowed sensors

• Frequency: of access f.

• Time range: (sT, eT) and r.

• r refers to the recurrence patterns e.g. daily, weekly, yearly

• Location: Set of allowed locations L.

• Can refer to both geogrpahic (e.g. city, country) and semantic locations (e.g. home, office)

MUCS 20126


Policy Language

Metric Temporal Logic

• Only sensors s1, s2 and s3 can be invoked; s2 within 30 mins of s1’s

invocation, folllowed by s3 within the next 40 minutes.

• Logical operators: AND ˄, OR ˅, NOT¬

• Temporal operators: Past ♦, Furture ◊

• Metric: Quantification [sT, eT]

Formalism can be used to express both App profiles AP and User

privacy policies uP.

MUCS 20127


Conflict Detection

App profile aP:

sens(s1,fa, …, {l1,la}) ˄ ◊[5,15] sens(s2,f2, …)

User privacy profile uP:

sens(s1,fu, …, {l1,lu})

• List of sensors:

• Conflict: s2 is not allowed by user

• Frequency:

• Conflict: fa > fu

• Location:

• Conflict: la is not allowed by user

MUCS 20128


Conflict Resolution

App profile aP:




• Reject the app.

• Relax user privacy profile:

• uP: sens(s1,fa, …, {l1,lu,la}) ˄ ◊[5,15]

sens(s2,f2, …)

MUCS 20129


Policy Evolution

App profile aP:




• Relax:

• uP: sens(s1,fa, …, {l1,lu,la}) ˄ ◊[5,15]

sens(s2,f2, …)

• Restrict:

• uP: sens(s1,fa, …, {l1,la}) ˄ ◊[5,15]

sens(s2,f2, …)

MUCS 201210


Policy Evolution

• Policies evolve over time

• Security advisories

• Change in physical characteristics, e.g. location, occupation

• Restrict:

• Re-evaluate already installed apps to see if they are still compliant

• Relax:

• Re-evaluate previously rejected apps to see if they are now compliant

• Maintain log of rejected apps categorized by their conflict types

• Relax + Restrict:

• Policy change can be both relaxing and restricting at the same time

MUCS 201211


Conclusion

• Problem: Regulating access by 3rd party apps to sensors on the phones.

• Expressive install-time privacy policy language

• Run-time and contextual parameters

• Temporal Logics based conflict detect and resolution.

• Policy evolution categorization

• Can lead to installation of previously rejected apps

• Automated validation of installed apps in the event of any policy changes

MUCS 201212


Thank You

&

Questions

MUCS 201213