A central point for collection of information that relates to computer security, including, but not limited to, security advisories from the major vendors, major data breaches, “phishing” alerts, commentary regarding staffing levels, etc.
Protection of Data on Smartphones
July 6, 2011 at 1:59 pm #134637
A study led by researchers at the University of Washington has revealed that over 50% of popular Android applications (in the sample size of 1100) are packaged with third-party analytics and advertisement libraries (see the supplemental data #1 for details). On close examination of a subset of these applications, the study has found that these third-party analytics and advertisement libraries collected sensitive user information, such as location and the unique device ID (IMEI), in 43 of the 110 applications we inspected more closely.
Of those 110 applications, 31 send the IMEI off the device, 14 of which send it to analytics and advertising servers. Moreover, the IMEI number sometimes accompanies other sensitive data such as contacts and phone number, making it easy for applications to link the user’s information collected across applications running on the same device. The detailed analysis data can be found in our AppFence paper and the supplemental data page: http://appfence.org/data.html
To mitigate the risks of misappropriation of the user’s data by today’s Android applications, the researchers of the study have developed a system, called AppFence, that implements two privacy controls that (1) covertly substitute shadow data in place of data that the user wants to keep private and (2) block network transmissions that contain data the user made available to the application for on-device use only. We demonstrate that our privacy controls can block unwanted exposure of sensitive data by 66% of the applications that we tested without causing any side effects. For the remaining 34%, we have characterized the types of functionality that require the exposure of sensitive data and the side effects that result if our privacy controls are in place, to provide users with some guidance for making an informed decision. The following picture shows a sketch of the AppFence interface showing how the AppFence system could change the current all-or-nothing permission architecture:
download paper and supplemental data page
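A simplified model of the two privacy controls described in the post above, added here as an example; it is not AppFence's code. The policy names (`allow`, `shadow`, `local_only`), the `Tainted` label class, the host name and all sample values are assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample values, not real identifiers.
REAL = {"imei": "356938035643809", "location": "47.6553,-122.3035",
        "phone_number": "+12065550100"}
SHADOW = {"imei": "000000000000000", "location": "0.0,0.0",
          "phone_number": "+10000000000"}

@dataclass(frozen=True)
class Tainted:
    """A string plus the sensitive sources it was derived from (hypothetical helper)."""
    value: str
    sources: frozenset = frozenset()

    def __add__(self, other):
        other = other if isinstance(other, Tainted) else Tainted(str(other))
        return Tainted(self.value + other.value, self.sources | other.sources)

    def __radd__(self, other):  # handles "prefix" + tainted
        return Tainted(str(other)) + self

class PrivacyMonitor:
    """Per-data-type policy: "allow", "shadow" or "local_only" (assumed names)."""
    def __init__(self, policy):
        self.policy = policy
        self.log = []  # (host, verdict, offending data types)

    def read(self, data_type):
        # Control 1: hand the app shadow data; it is fake, so it carries no label.
        if self.policy.get(data_type) == "shadow":
            return Tainted(SHADOW[data_type])
        return Tainted(REAL[data_type], frozenset({data_type}))

    def send(self, host, payload):
        # Control 2: refuse transmissions derived from on-device-only data.
        if not isinstance(payload, Tainted):
            payload = Tainted(str(payload))
        hits = sorted(s for s in payload.sources
                      if self.policy.get(s) == "local_only")
        self.log.append((host, "blocked" if hits else "sent", hits))
        return not hits

if __name__ == "__main__":
    mon = PrivacyMonitor({"imei": "shadow", "location": "local_only"})
    imei, loc = mon.read("imei"), mon.read("location")
    mon.send("ads.example", "id=" + imei)                  # sent, shadow IMEI
    mon.send("ads.example", "loc=" + loc + "&id=" + imei)  # blocked
    for entry in mon.log:
        print(entry)
```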
July 6, 2011 at 2:01 pm #134640
From Bruce Schneier’s Blog
AppFence is a technology — with a working prototype — that protects personal information on smart phones. It does this by either substituting innocuous information in place of sensitive information or blocking attempts by the application to send the sensitive information over the network.
The significance of systems like AppFence is that they have the potential to change the balance of power in privacy between mobile application developers and users. Today, application developers get to choose what information an application will have access to, and the user faces a take-it-or-leave-it proposition: users must either grant all the permissions requested by the application developer or abandon installation. Take-it-or-leave it offers may make it easier for applications to obtain access to information that users don’t want applications to have. Many applications take advantage of this to gain access to users’ device identifiers and location for behavioral tracking and advertising. Systems like AppFence could make it harder for applications to access these types of information without more explicit consent and cooperation from users.
The problem is that the mobile OS providers might not like AppFence. Google probably doesn’t care, but Apple is one of the biggest consumers of iPhone personal information. Right now, the prototype only works on Android, because it requires flashing the phone. In theory, the technology can be made to work on any mobile OS, but good luck getting Apple to agree to it.