Preface

Time slips away and the years wait for no one. As the line goes, "The south wind knows my mind and blows my dream to Xizhou."

Today's reading: NDSS 2018, Bug Fixes, Improvements, … and Privacy Leaks: A Longitudinal Study of PII Leaks Across Android App Versions

1 Basic information

Ren J, Lindorfer M, Dubois D J, et al. Bug Fixes, Improvements, … and Privacy Leaks: A Longitudinal Study of PII Leaks Across Android App Versions. NDSS 2018.

First author: Jingjing Ren
Affiliation: Northeastern University
Homepage:

Advisor: David Choffnes

He appears to be a researcher who focuses on networking, mobile devices, network traffic and user privacy; very impressive.

2 Paper content

The opening is rather distinctive; it is unusual for a paper to open with a question:

Is mobile privacy getting better or worse over time? In this paper, we address this question by studying privacy leaks from historical and current versions of 512 popular Android apps, covering 7,665 app releases over 8 years of app version history. Through automated and scripted interaction with apps and analysis of the network traffic they generate on real mobile devices, we identify how privacy changes over time for individual apps and in aggregate.

Their findings:

We find several trends that include increased collection of personally identifiable information (PII) across app versions, slow adoption of HTTPS to secure the information sent to other parties, and a large number of third parties being able to link user activity and locations across apps.

Further explanation:

Interestingly, while privacy is getting worse in aggregate, we find that the privacy risk of individual apps varies greatly over time, and a substantial fraction of apps see little change or even improvement in privacy. Given these trends, we propose metrics for quantifying privacy risk and for providing this risk assessment proactively to help users balance the risks and benefits of installing new versions of apps.

The gist is:

Is mobile privacy getting better or worse today? To answer this, the paper studies privacy leaks in the historical and current versions of 512 Android apps (7,665 app versions spanning 8 years). Through automated, scripted interaction with the apps and analysis of the network traffic they generate on real mobile devices, the authors identify how privacy changes over time for individual apps and in aggregate.

They find several trends: increasing collection of personally identifiable information (PII) across app versions; slow adoption of HTTPS for the data sent to other parties; and a large number of third parties that are able to link user activity and locations across apps.

Interestingly, although privacy is getting worse in aggregate, the privacy risk of individual apps varies considerably over time, and a substantial fraction of apps have not improved their privacy protection at all!! Given these trends, the authors propose metrics for quantifying privacy risk and for proactively providing this risk assessment to help users weigh the risks and benefits of installing a new version of an app.

3 A few Q&As

3.1 QA1: Why do this research? Has privacy risk (leakage) been studied for a long time, or is it an emerging area?

This paper is the first comprehensive, longitudinal study of how using multiple versions of popular mobile apps affects user privacy across each app's lifetime.

In this paper, we are the first to conduct a comprehensive, longitudinal study of the privacy implications of using multiple versions of popular mobile apps across each app’s lifetime.

The paper addresses three main challenges:
1) How to monitor an app? A semi-automated approach for interacting with apps is proposed.

we use a semi-automated approach that incorporates random interactions [33] and manually generated scripts for logging into apps.

2) How to identify the privacy risk of each app? The app's network traffic is analyzed and the relevant information extracted.

3) How to compare risk between apps (or between versions)? A risk-assessment metric is proposed.

Conclusion:

On average, privacy has worsened over time.

As one would expect, and as one can feel in daily use: privacy really is getting worse.

Contributions: really well written; a top venue is a top venue.

In summary, our key contributions are: (1) a large-scale privacy analysis across multiple apps and app versions, (2) a dataset of network traffic generated by running apps, along with labels describing the PII contained in them, and (3) an analysis of the origins and privacy implications of these information leaks. Our data and analysis are available at https://recon.meddle.mobi/appversions/.


Related work on privacy analysis:

A large body of related work has investigated the privacy of mobile apps and their generated network traffic. Most related studies focus on identifying personal information that is (or might be) exposed to other parties over the Internet, using one or more of the following complementary approaches

There seems to be quite a lot of it.

3.2 QA2: What is the overall risk-assessment workflow, and what metric do the authors propose?

A 15-page paper; very impressive.

Rough outline of the method:
A. App Selection
B. APK Collection
C. Interaction and Traffic Collection
D. Privacy Attributes

  • PII Leaks
  • Transport Security
  • Communication with First and Third Parties

E. Assumptions and Limitations
F. Validation
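To make steps C and D concrete, here is an added example (my own code, not from the paper or its authors): it runs a simple PII-leak detector over a constructed set of captured requests for two versions of a hypothetical app, records for each leak whether it travelled over plaintext HTTP and whether the recipient is a first or third party, and then compares the versions with an illustrative risk score. The PII values, domains and flows are all constructed, and the score weighting is my own assumption, not the metric proposed in the paper.

```python
"""Added example: detect PII leaks in captured app traffic, classify them by
transport security and recipient, and compare app versions.
All flows, PII values and domains are constructed; the risk score is an
illustrative weighting, not the metric from Ren et al."""
from __future__ import annotations

import base64
import hashlib
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Constructed PII the test device was provisioned with (fake values).
DEVICE_PII = {
    "imei": "356938035643809",
    "android_id": "9774d56d682e549c",
    "email": "tester@example.com",
    "location": "42.3398,-71.0892",
}

# Assumption: the app developer's own domain; every other domain is a third party.
FIRST_PARTY_DOMAINS = {"example-app.com"}


@dataclass
class Flow:
    """One captured request: app version, full URL and request body."""
    app_version: str
    url: str
    body: str = ""


# Constructed capture for two versions of a hypothetical app.
SAMPLE_FLOWS = [
    Flow("1.0", "https://api.example-app.com/login", "email=tester%40example.com"),
    Flow("1.0", "http://ads.tracker-net.com/imp?aid=9774d56d682e549c"),
    Flow("2.0", "https://api.example-app.com/login", "email=tester%40example.com"),
    Flow("2.0", "https://ads.tracker-net.com/imp?aid="
         + hashlib.md5(b"9774d56d682e549c").hexdigest()),
    Flow("2.0", "http://analytics.metrics-hub.net/v1?loc=42.3398%2C-71.0892&imei=356938035643809"),
]


def encoded_forms(value: str):
    """Plaintext plus the obfuscated forms a naive string match would miss."""
    raw = value.encode()
    yield "plain", value
    yield "md5", hashlib.md5(raw).hexdigest()
    yield "sha1", hashlib.sha1(raw).hexdigest()
    yield "base64", base64.b64encode(raw).decode()


def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels (assumption; real code should use a public suffix list)."""
    return ".".join(host.split(".")[-2:])


def find_leaks(flow: Flow) -> list[dict]:
    """Return one record per PII type found in the URL path, query or body."""
    parts = urlsplit(flow.url)
    text = unquote(parts.path + "?" + parts.query + "\n" + flow.body)
    domain = registrable_domain(parts.hostname or "")
    leaks = []
    for pii_type, value in DEVICE_PII.items():
        for encoding, form in encoded_forms(value):
            if form in text:
                leaks.append({
                    "version": flow.app_version,
                    "pii": pii_type,
                    "encoding": encoding,
                    "domain": domain,
                    "third_party": domain not in FIRST_PARTY_DOMAINS,
                    "plaintext": parts.scheme == "http",
                })
                break  # report each PII type once per flow
    return leaks


def summarize(flows: list[Flow]) -> dict[str, dict]:
    """Per-version privacy attributes: leak count, plaintext leaks, third-party recipients."""
    summary: dict[str, dict] = {}
    for flow in flows:
        s = summary.setdefault(flow.app_version,
                               {"leaks": 0, "plaintext_leaks": 0, "third_parties": set()})
        for leak in find_leaks(flow):
            s["leaks"] += 1
            s["plaintext_leaks"] += int(leak["plaintext"])
            if leak["third_party"]:
                s["third_parties"].add(leak["domain"])
    for s in summary.values():
        # Illustrative score (assumption, not the paper's metric): each leak counts 1,
        # plaintext transport adds 1, each distinct third-party recipient adds 2.
        s["risk"] = s["leaks"] + s["plaintext_leaks"] + 2 * len(s["third_parties"])
    return summary


def version_deltas(summary: dict[str, dict]) -> list[tuple[str, str, int]]:
    """Compare consecutive versions; a positive delta means risk increased."""
    versions = sorted(summary, key=lambda v: tuple(int(x) for x in v.split(".")))
    return [(a, b, summary[b]["risk"] - summary[a]["risk"])
            for a, b in zip(versions, versions[1:])]


if __name__ == "__main__":
    report = summarize(SAMPLE_FLOWS)
    for version, attrs in sorted(report.items()):
        print(version, attrs)
    print(version_deltas(report))
```

The detector matches hashed and base64-encoded forms as well as plaintext because a tracker that sends an MD5 of the Android ID still allows cross-app linking; in the sample, version 2.0 moves the ad request to HTTPS but adds a second third-party recipient that receives location and IMEI in the clear, so its score rises from 5 to 10.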


The proposed metric:

4 Summary

A long road ahead.
