More Like this

1. Devils in Your Apps: Vulnerabilities and User Privacy Exposure in Mobile Notification Systems

   Jiadong Lou, Xiaohan Zhang ( June 2023 , Proceedings of 53rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN 2023))

   Witnessing the blooming adoption of push notifications on mobile devices, this new message delivery paradigm has become pervasive in diverse applications. Accompanying with its broad adoption, the potential security risks and privacy exposure issues raise public concerns regarding its great social impacts. This paper conducts the first attempt to exploit the mobile notification ecosystem. By dissecting its structural elements and implementation process, a comprehensive vulnerability analysis is conducted towards the complete flow of mobile notification from platform enrollment to messaging. Meanwhile, for privacy exposure, we first examine the implementation of privacy policy compliance by proposing a three-level inspection approach to guide our analysis. Then, our top-down methods from documentation analysis, application network traffic study, to static analysis expose the illicit data collection behaviors in released applications. In addition, we uncover the potential privacy inference resulted from the notification monitoring. To support our analysis, we conduct empirical studies on 12 most popular notification platforms and perform static analysis over 30,000+ applications. We discover: 1) six platforms either provide ambiguous KEY naming rules or offer vulnerable messaging APIs; 2) privacy policy compliance implementations are either stagnated at the documentation stages (8 of 12 platforms) or never implemented in apps, resulting in billions of users suffering from privacy exposure; and 3) some apps can stealthily monitor notification messages delivering to other apps, potentially incurring user privacy inference risks. Our study raises the urgent demand for better regulations of mobile notification deployment. 

   more » « less
2. Americans’ willingness to adopt a COVID-19 tracking app

   https://doi.org/10.5210/fm.v25i11.11095  

   Hargittai, Eszter ; Redmiles, Elissa M. ; Vitak, Jessica ; Zimmer, Michael ( October 2020 , First Monday)

   null (Ed.)

   The COVID-19 global pandemic led governments, health agencies, and technology companies to work on solutions to minimize the spread of the disease. One such solution concerns contact-tracing apps whose utility is tied to widespread adoption. Using survey data collected a few weeks into lockdown measures in the United States, we explore Americans’ willingness to install a COVID-19 tracking app. Specifically, we evaluate how the distributor of such an app (e.g., government, health-protection agency, technology company) affects people’s willingness to adopt the tool. While we find that 67 percent of respondents are willing to install an app from at least one of the eight providers included, the factors that predict one’s willingness to adopt differ. Using Nissenbaum’s theory of privacy as contextual integrity, we explore differences in responses across distributors and discuss why some distributors may be viewed as less appropriate than others in the context of providing health-related apps during a global pandemic. We conclude the paper by providing policy recommendations for wide-scale data collection that minimizes the likelihood that such tools violate the norms of appropriate information flows. 

   more » « less
3. More Than Just Privacy: Using Contextual Integrity to Evaluate the Long-Term Risks from COVID-19 Surveillance Technologies

   https://doi.org/10.1177/2056305120948250  

   Vitak, Jessica ; Zimmer, Michael ( July 2020 , Social Media + Society)

   null (Ed.)

   The global coronavirus pandemic has raised important questions regarding how to balance public health concerns with privacy protections for individual citizens. In this essay, we evaluate contact tracing apps, which have been offered as a technological solution to minimize the spread of COVID-19. We argue that apps such as those built on Google and Apple’s “exposure notification system” should be evaluated in terms of the contextual integrity of information flows; in other words, the appropriateness of sharing health and location data will be contextually dependent on factors such as who will have access to data, as well as the transmission principles underlying data transfer. We also consider the role of prevailing social and political values in this assessment, including the large-scale social benefits that can be obtained through such information sharing. However, caution should be taken in violating contextual integrity, even in the case of a pandemic, because it risks a long-term loss of autonomy and growing function creep for surveillance and monitoring technologies. 

   more » « less
4. Contact Tracing Apps: Lessons Learned on Privacy, Autonomy, and the Need for Detailed and Thoughtful Implementation

   https://doi.org/10.2196/27449  

   Hogan, Katie ; Macedo, Briana ; Macha, Venkata ; Barman, Arko ; Jiang, Xiaoqian ( January 2021 , JMIR Medical Informatics)

   The global and national response to the COVID-19 pandemic has been inadequate due to a collective lack of preparation and a shortage of available tools for responding to a large-scale pandemic. By applying lessons learned to create better preventative methods and speedier interventions, the harm of a future pandemic may be dramatically reduced. One potential measure is the widespread use of contact tracing apps. While such apps were designed to combat the COVID-19 pandemic, the time scale in which these apps were deployed proved a significant barrier to efficacy. Many companies and governments sprinted to deploy contact tracing apps that were not properly vetted for performance, privacy, or security issues. The hasty development of incomplete contact tracing apps undermined public trust and negatively influenced perceptions of app efficacy. As a result, many of these apps had poor voluntary public uptake, which greatly decreased the apps’ efficacy. Now, with lessons learned from this pandemic, groups can better design and test apps in preparation for the future. In this viewpoint, we outline common strategies employed for contact tracing apps, detail the successes and shortcomings of several prominent apps, and describe lessons learned that may be used to shape effective contact tracing apps for the present and future. Future app designers can keep these lessons in mind to create a version that is suitable for their local culture, especially with regard to local attitudes toward privacy-utility tradeoffs during public health crises. 

   more » « less
5. Evaluating the Impact of Community Oversight for Managing Mobile Privacy and Security

   Akter, M. ( August 2023 , USENIX)

   Mobile privacy and security can be a collaborative process where individuals seek advice and help from their trusted communities. To support such collective privacy and security management, we developed a mobile app for Community Oversight of Privacy and Security ("CO-oPS") that allows community members to review one another’s apps installed and permissions granted to provide feedback. We conducted a four-week-long field study with 22 communities (101 participants) of friends, families, or co-workers who installed the CO-oPS app on their phones. Measures of transparency, trust, and awareness of one another’s mobile privacy and security behaviors, along with individual and community participation in mobile privacy and security co-management, increased from pre- to post-study. Interview findings confirmed that the app features supported collective considerations of apps and permissions. However, participants expressed a range of concerns regarding having community members with different levels of technical expertise and knowledge regarding mobile privacy and security that can impact motivation to participate and perform oversight. Our study demonstrates the potential and challenges of community oversight mechanisms to support communities to co-manage mobile privacy and security. 

   more » « less