Inferring sensitive information from seemingly innocuous smartphone data
Affiliation: Computing and Information Systems
Document Type: PhD thesis
Access Status: Open Access
© 2016 Dr Anthony Quattrone
Smartphones have become ubiquitous and provide considerable benefits for users. Personal data, both sensitive and non-sensitive, is commonly stored on smartphones. It has been established that smartphone use can leave users with less privacy when a data leak occurs. In this thesis, we aim to determine whether non-sensitive data stored on a smartphone can be analyzed to derive sensitive information. We also aim to develop methods for protecting smartphone users from privacy attacks. While privacy research is an active area, more work is needed to determine the types of inferences that can be made about a person and how accurate a profile can be derived from smartphone data. We demonstrate how straightforward it is for third-party app developers to embed code in inconspicuous apps to capture and mine data. Our studies show that a large number of apps in popular app stores request special permissions in order to gain access to sensitive data; in most cases, we could not find any functional benefit offered in exchange for that access. Data that is not local to the device but stored on a social networking service can also be extracted, unnoticed, via mobile apps, provided the user has social networking apps installed. Current research shows that users do not easily comprehend the implications of granting apps access to sensitive permissions. Apps can transfer captured data to cloud services easily via high-speed wireless networks, and this is difficult for users to detect since mobile platforms do not alert the user when it occurs. With access to sensitive mobile data, we developed and performed a number of case studies to learn details about an individual.
Modern smartphones are capable of sending continuous location updates to services, providing a near real-time proxy of where a user is located. We were able to determine where a user was traveling simply by analyzing the point-of-interest results returned for continuous location queries sent to a location-based service, without referencing the user's location data itself. With continuous location data, we were able to determine personal encounters between individuals, and hence their relationships, in real time. We also found that diagnostic data commonly used to debug apps, which appears to be anonymous, is useful in identifying an individual. Mobile devices disclose the indoor location of the user indirectly via the wireless signals the device emits: we were able to locate users indoors to within 1 m by analyzing Bluetooth beacons with a localization scheme we developed. With the understanding that apps sometimes need mobile data to provide their functionality, we developed a system called PrivacyPalisade, designed to protect users from revealing sensitive information. The system detects when an app requests permissions that are uncharacteristic for the app's category. Overall, we found that smartphones store seemingly non-sensitive data that reveals sensitive information upon further inspection, and that this data is easily accessible. In turn, an analyst can use it to build a detailed profile of an individual's private and sensitive information. With a growing number of users expressing privacy concerns, techniques to better protect privacy are needed to allow manufacturers to meet their users' privacy requirements. The protection methods demonstrated in PrivacyPalisade can be adopted to make smartphone platforms more privacy aware.
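The trajectory inference described above (recovering a route from nothing but the point-of-interest result sets a location-based service returns) can be illustrated with the following added example. It is not code from the thesis: the POI map, the k-nearest-neighbour service, the route and the grid search are all constructed here. The idea is that each result set of k POIs constrains the query point to the region of the map where exactly those k POIs are the nearest (an order-k Voronoi cell); the attacker, who knows the public POI map but never sees the user's coordinates, locates that cell and takes its centroid as the position estimate.

```python
import math
from itertools import product

# Constructed point-of-interest map in metres, standing in for the public POI
# database behind a location-based service. Not data from the thesis.
POIS = {
    "cafe": (10, 10), "bank": (30, 15), "gym": (50, 10), "park": (70, 20),
    "library": (90, 10), "school": (20, 40), "mall": (50, 50),
    "clinic": (80, 45), "station": (30, 80), "museum": (60, 85), "hotel": (90, 80),
}
K = 2  # result-set size the hypothetical service returns per query


def knn(pois, x, y, k=K):
    """Simulated service: names of the k POIs nearest to (x, y), ties broken by name."""
    ranked = sorted(pois, key=lambda n: (math.dist((x, y), pois[n]), n))
    return frozenset(ranked[:k])


def estimate_position(pois, result, step=1.0, k=K):
    """Attacker side: find every grid point over the POI bounding box whose k-NN set
    equals the observed result (that is the order-k Voronoi cell of the result set)
    and return the centroid of that cell. The user's coordinates are never used."""
    xs = [p[0] for p in pois.values()]
    ys = [p[1] for p in pois.values()]
    nx = int((max(xs) - min(xs)) / step) + 1
    ny = int((max(ys) - min(ys)) / step) + 1
    cell = [(min(xs) + i * step, min(ys) + j * step)
            for i, j in product(range(nx), range(ny))
            if knn(pois, min(xs) + i * step, min(ys) + j * step, k) == result]
    if not cell:  # grid too coarse to land inside the cell: fall back to the POIs' centroid
        cell = [pois[n] for n in result]
    return (sum(p[0] for p in cell) / len(cell), sum(p[1] for p in cell) / len(cell))


def reconstruct_route(pois, results, step=1.0, k=K):
    """Turn the observed sequence of result sets into a sequence of position estimates."""
    return [estimate_position(pois, r, step, k) for r in results]


def mean_error(route, estimates):
    """Mean Euclidean distance between true positions and estimates, in metres."""
    return sum(math.dist(a, b) for a, b in zip(route, estimates)) / len(route)


# Constructed ground truth: where the user actually was when each query was sent.
TRUE_ROUTE = [(12, 12), (28, 20), (48, 35), (60, 45), (75, 60), (88, 78)]
# The only thing the attacker observes: result sets, with no coordinates or user ID.
OBSERVED = [knn(POIS, x, y) for x, y in TRUE_ROUTE]
ESTIMATES = reconstruct_route(POIS, OBSERVED)

if __name__ == "__main__":
    for true, seen, est in zip(TRUE_ROUTE, OBSERVED, ESTIMATES):
        print(f"results={sorted(seen)} -> estimate=({est[0]:.1f}, {est[1]:.1f}) true={true}")
    print(f"mean error: {mean_error(TRUE_ROUTE, ESTIMATES):.1f} m")
```

Two consecutive queries that return the same result set collapse to the same estimate, so the reconstruction is only as fine-grained as the POI density; denser POI maps and larger k shrink the cells and sharpen the attack, which is why result sets alone leak the trajectory.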
Thesis Contributions: In this thesis, we show how sensitive information can be inferred from seemingly innocuous data and propose a protection system by performing the following:
* Provide a comprehensive literature review of the current state of privacy research and how it relates to the use of smartphones.
* Demonstrate an inference attack on trajectory privacy by reconstructing a route using only query results.
* Develop an algorithm that combines range-based and range-free localization schemes to perform indoor localization using Bluetooth with accuracies of up to 1 m.
* Analyze diagnostic data commonly sent by smartphones and use it to identify users in a dataset with accuracies of up to 97%.
* Develop an algorithm to infer potential encounters of smartphone users in real time by proposing the use of a constraint nearest neighbor (c-NN) spatial query.
* Develop and demonstrate PrivacyPalisade, a system developed for Android with the aim of protecting against privacy attacks.
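The category-based permission check that PrivacyPalisade is described as performing (flagging an app that requests permissions uncharacteristic of its store category) can be sketched as follows. This is an added example and not PrivacyPalisade's own code: the store listings, the category names and the 25% threshold are constructed for illustration, and the dangerous-permission set is a hand-picked subset of Android's runtime-granted permissions. The baseline is simply the fraction of apps in each category that request each permission; a dangerous permission that falls below the threshold for the app's category is reported.

```python
from collections import Counter, defaultdict

# Subset of permissions Android classifies as "dangerous" (runtime-granted).
# The subset is chosen for this example, not taken from the thesis.
DANGEROUS = {
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CONTACTS",
    "RECORD_AUDIO", "CAMERA", "READ_SMS", "RECEIVE_SMS", "READ_PHONE_STATE",
    "READ_CALENDAR", "READ_EXTERNAL_STORAGE",
}

# Constructed store listings as (category, permissions requested). Not real apps.
SAMPLE_LISTINGS = [
    ("flashlight", {"CAMERA"}),
    ("flashlight", {"CAMERA", "INTERNET"}),
    ("flashlight", {"CAMERA", "INTERNET", "ACCESS_NETWORK_STATE"}),
    ("flashlight", {"CAMERA", "INTERNET"}),
    ("navigation", {"ACCESS_FINE_LOCATION", "INTERNET"}),
    ("navigation", {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "INTERNET"}),
    ("navigation", {"ACCESS_FINE_LOCATION", "INTERNET", "RECORD_AUDIO"}),
    ("navigation", {"ACCESS_FINE_LOCATION", "INTERNET"}),
    ("messaging", {"INTERNET", "READ_CONTACTS", "RECEIVE_SMS", "READ_SMS"}),
    ("messaging", {"INTERNET", "READ_CONTACTS", "CAMERA"}),
    ("messaging", {"INTERNET", "READ_CONTACTS", "RECORD_AUDIO", "CAMERA"}),
]


def category_baseline(listings):
    """For each category, the fraction of its apps that request each permission."""
    counts, sizes = defaultdict(Counter), Counter()
    for category, perms in listings:
        sizes[category] += 1
        counts[category].update(perms)
    return {c: {p: n / sizes[c] for p, n in counts[c].items()} for c in counts}


def uncharacteristic_permissions(category, requested, baseline, threshold=0.25):
    """Dangerous permissions this app requests that fewer than `threshold` of its
    category peers request. A category absent from the baseline has no peers, so
    every dangerous permission it requests is reported rather than silently passed."""
    peers = baseline.get(category, {})
    return sorted(p for p in requested & DANGEROUS if peers.get(p, 0.0) < threshold)


BASELINE = category_baseline(SAMPLE_LISTINGS)

if __name__ == "__main__":
    # A flashlight app that also wants the address book and precise location.
    suspect = {"CAMERA", "INTERNET", "READ_CONTACTS", "ACCESS_FINE_LOCATION"}
    print("flashlight flags:", uncharacteristic_permissions("flashlight", suspect, BASELINE))
    # A navigation app asking for exactly what its peers ask for.
    benign = {"ACCESS_FINE_LOCATION", "INTERNET", "RECORD_AUDIO"}
    print("navigation flags:", uncharacteristic_permissions("navigation", benign, BASELINE))
```

The threshold trades false positives for misses: a low value only reports permissions that almost no peer requests, while a high one starts flagging legitimate but uncommon permissions (voice search in a navigation app, for instance). The baseline also has to be computed over the honest population; if enough apps in a category already over-request, the anomaly becomes the norm and the check stops firing.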
Keywords: Smartphones; Smartphone Privacy; Smartphone Analytics; Inference Attacks; Location Privacy; Spatial Databases; Data Mining; Localization; Predictive Modeling; Private Smartphones