As mobile applications have grown from collecting basic personal information to knowing intimate details of consumer's lives, computer science researchers at Baldwin Wallace University have developed a novel solution to inform mobile device users about the hidden misuse of their personal data.
The research, described in "SPEProxy: Enforcing Fine Grained Security and Privacy Controls on Unmodied Mobile Devices," identifies a way to expose the unauthorized use of personal data and boost the ability of consumers to shield their privacy. It was presented at IEEE UEMCON 2017, the 8th IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference.
The research co-authors, Brian Krupp, BW assistant professor of computer science, and students Dan Jesensky and Amanda Szampias, tested their solution on more than 800 popular smartphone apps, ferreting out more than 40 that exploited personal information without the knowledge or permission of users.
"A smartphone user's personal data is at constant risk of being misused," says Krupp. "While mobile operating systems provide basic security and privacy controls, they are insufficient, leaving consumers unaware of how applications use the permissions they originally granted."
"As an example," Krupp says, "a weather application requests access to your location to give you a forecast, which is a legitimate use. However, behind the scenes and unknown to the user, it will also send that location information to advertiser servers."
The solution the BW researchers developed, SPEProxy, notifies consumers of misuse without requiring a modification to their phone.
"Our approach allows consumers to utilize the solution without requiring a high degree of technical expertise," says Jesensky, a triple major in software engineering, computer information systems, and network security. "SPEProxy can be adapted to different devices and operating systems — both iOS and Android — with a simple network configuration setting."
"SPEProxy gives mobile phone users the ability to understand how applications are using permissions beyond their stated intent and identifies fine-grained policies that can empower the user to protect their data," says Szampias, a software engineering major.
"Allowing access to your location is an example of coarse-grained policy," Krupp says. "A fine-grained policy might only allow app access to an anonymous version of your location, or your location data to be sent only to certain servers, or to limit access to your location during certain times of the day or from certain locations."
The BW research team tested the approach on 817 of the top-ranked applications on Google Play and in the iOS App Store. Their evaluation found SPEProxy to be highly effective across 86.55% of the apps and confirmed 43 cases of misuse including The Weather Channel, LinkedIn, and more.
Following their UEMCON presentation, the researchers will get to work on developing a publicly available version of SPEProxy, which currently lives on a BW server.
The undergraduate student co-authors of SPEProxy are both BW seniors set to graduate in May 2018 with an impressive research feather in their caps.