Witnessing the blooming adoption of push notifications
on mobile devices, this new message delivery paradigm has
become pervasive in diverse applications. Accompanying with its
broad adoption, the potential security risks and privacy exposure
issues raise public concerns regarding its great social impacts.
This paper conducts the first attempt to exploit the mobile
notification ecosystem. By dissecting its structural elements and
implementation process, a comprehensive vulnerability analysis
is conducted towards the complete flow of mobile notification
from platform enrollment to messaging. Meanwhile, for privacy
exposure, we first examine the implementation of privacy policy
compliance by proposing a three-level inspection approach to
guide our analysis. Then, our top-down methods from documentation
analysis, application network traffic study, to static analysis
expose the illicit data collection behaviors in released applications.
In addition, we uncover the potential privacy inference resulted
from the notification monitoring. To support our analysis, we
conduct empirical studies on 12 most popular notification platforms
and perform static analysis over 30,000+ applications.
We discover: 1) six platforms either provide ambiguous KEY
naming rules or offer vulnerable messaging APIs; 2) privacy
policy compliance implementations are either stagnated at the
documentation stages (8 of 12 platforms) or never implemented
in apps, resulting in billions of users suffering from privacy
exposure; and 3) some apps can stealthily monitor notification
messages delivering to other apps, potentially incurring user
privacy inference risks. Our study raises the urgent demand for
better regulations of mobile notification deployment.
more »
« less
This content will become publicly available on July 8, 2025
PACIFIC
To be useful and widely accepted, automated contact tracing schemes (also called exposure notification) need to solve two seemingly contradictory problems at the same time: they need to protect the anonymity of honest users while also preventing malicious users from creating false alarms. In this paper, we provide, for the first time, an exposure notification construction that guarantees the same levels of privacy and integrity as existing schemes but with a fully malicious database (notably similar to Auerbach et al. CT-RSA 2021) without special restrictions on the adversary. We construct a new definition so that we can formally prove our construction secure. Our definition ensures the following integrity guarantees: no malicious user can cause exposure warnings in two locations at the same time and that any uploaded exposure notifications must be recent and not previously uploaded. Our construction is efficient, requiring only a single message to be broadcast at contact time no matter how many recipients are nearby. To notify contacts of potential infection, an infected user uploads data with size linear in the number of notifications, similar to other schemes. Linear upload complexity is not trivial with our assumptions and guarantees (a naive scheme would be quadratic). This linear complexity is achieved with a new primitive: zero knowledge subset proofs over commitments which is used by our no cloning proof protocol. We also introduce another new primitive: set commitments on equivalence classes, which makes each step of our construction more efficient. Both of these new primitives are of independent interest.
more » « less- PAR ID:
- 10523869
- Publisher / Repository:
- IACR
- Date Published:
- Journal Name:
- IACR Communications in Cryptology
- ISSN:
- 3006-5496
- Format(s):
- Medium: X
- Sponsoring Org:
- National Science Foundation
More Like this
-
-
Moreno, Yamir (Ed.)Testing, contact tracing, and isolation (TTI) is an epidemic management and control approach that is difficult to implement at scale because it relies on manual tracing of contacts. Exposure notification apps have been developed to digitally scale up TTI by harnessing contact data obtained from mobile devices; however, exposure notification apps provide users only with limited binary information when they have been directly exposed to a known infection source. Here we demonstrate a scalable improvement to TTI and exposure notification apps that uses data assimilation (DA) on a contact network. Network DA exploits diverse sources of health data together with the proximity data from mobile devices that exposure notification apps rely upon. It provides users with continuously assessed individual risks of exposure and infection, which can form the basis for targeting individual contact interventions. Simulations of the early COVID-19 epidemic in New York City are used to establish proof-of-concept. In the simulations, network DA identifies up to a factor 2 more infections than contact tracing when both harness the same contact data and diagnostic test data. This remains true even when only a relatively small fraction of the population uses network DA. When a sufficiently large fraction of the population (≳ 75%) uses network DA and complies with individual contact interventions, targeting contact interventions with network DA reduces deaths by up to a factor 4 relative to TTI. Network DA can be implemented by expanding the computational backend of existing exposure notification apps, thus greatly enhancing their capabilities. Implemented at scale, it has the potential to precisely and effectively control future epidemics while minimizing economic disruption.more » « less
-
As we develop computing platforms for augmented reality (AR) head-mounted display (HMDs) technologies for social or workplace environments, understanding how users interact with notifications in immersive environments has become crucial. We researched effectiveness and user preferences of different interaction modalities for notifications, along with two types of notification display methods. In our study, participants were immersed in a simulated cooking environment using an AR-HMD, where they had to fulfill customer orders. During the cooking process, participants received notifications related to customer orders and ingredient updates. They were given three interaction modes for those notifications: voice commands, eye gaze and dwell, and hand gestures. To manage multiple notifications at once, we also researched two different notification list displays, one attached to the user’s hand and one in the world. Results indicate that participants preferred using their hands to interact with notifications and having the list of notifications attached to their hands. Voice and gaze interaction was perceived as having lower usability than touchmore » « less
-
Digital contact tracing offers significant promise to help reduce the spread of SARS-CoV-2 and other viruses. Google and Apple joined together in 2020 to create the Google/Apple Exposure Notification (GAEN) framework to determine encounters with anonymous users later diagnosed COVID-19 positive. However, as GAEN lacks geospatial awareness, it is susceptible to geographically distributed replay attacks. Anonymous, low-cost, crowd-sourced replay attack networks deployed by malicious actors (or far away nation-state attackers) who utilize malicious (or innocent) users’ smartphones to capture and replay GAEN advertisements can drastically increase false-positive rates even in areas that otherwise exhibit low positivity rates. In response to this powerful replay attack, we introduce GAEN+ , a solution that enhances GAEN with geospatial awareness while maintaining user privacy, and demonstrate its ability to effectively prevent geographically distributed replay attacks.more » « less
-
If a web service is so secure that it does not even know---and does not want to know---the identity and contact info of its users, can it still offer account recovery if a user forgets their password? This paper is the culmination of the authors' work to design a cryptographic protocol for account recovery for use by a prominent secure matching system: a web-based service that allows survivors of sexual misconduct to become aware of other survivors harmed by the same perpetrator. In such a system, the list of account-holders must be safeguarded, even against the service provider itself. In this work, we design an account recovery system that, on the surface, appears to follow the typical workflow: the user types in their email address, receives an email containing a one-time link, and answers some security questions. Behind the scenes, the defining feature of our recovery system is that the service provider can perform email-based account validation without knowing, or being able to learn, a list of users' email addresses. Our construction uses standardized cryptography for most components, and it has been deployed in production at the secure matching system. As a building block toward our main construction, we design a new cryptographic primitive that may be of independent interest: an oblivious pseudorandom function that can either have a fully-private input or a partially-public input, and that reaches the same output either way. This primitive allows us to perform online rate limiting for account recovery attempts, without imposing a bound on the creation of new accounts. We provide an open-source implementation of this primitive and provide evaluation results showing that the end-to-end interaction time takes 8.4-60.4 ms in fully-private input mode and 3.1-41.2 ms in partially-public input mode.more » « less
