EU Science Hub

Dealing with user privacy in mobile apps: issues and mitigation.

Abstract: 
Mobile platforms, such as Android, iOS, and Windows, are gaining more and more relevance within end users’ applications, thanks to their usability, flexibility, and low cost. As a result, mobile Internet traffic is about to overwhelm the landline one. Mobile platforms do not only provide end users with services similar to legacy computers but also extend their experiences exploiting the additional hardware features (e.g., sensors) incorporated in the mobile device, without the need of supplementary devices. Moreover, mobile devices are becoming the sources and repositories of sensitive information, from running performances to positioning data, from travel information to friendship preferences, from personal photos to financial data, and so on. Data loss, modification, or exposure that a mobile device might face, on one hand, could directly impact end users’ safety and privacy, but, on the other hand, they could seriously damage the trust in the raising mobile economy. A typical example of these threats could be the case in which a mobile application that monitors some end user’s body parameters is exploited by an adversary to gain access to sensitive data and infer end user’s health status. The possible damages caused by this data breach can impact both the psychological and physical spheres of an end user. Although these problems and flaws already existed in the traditional information and communication technologies (ICT) systems, their magnitude increased exponentially in the case of mobile devices, due to their stronger link with the owner. Indeed, as already mentioned, mobile devices embed several sensors and functionalities capable of collecting a huge amount of sensitive information. As a consequence, any vulnerability in the host platform can have a high impact on end user’s privacy and security. In this chapter, we analyze the different characteristics of the Android platform that can be manipulated and exploited by a malicious app to gain access to end users’ private data. Android, the dominant operating system (OS) in the mobile world, is indeed taken as a use case to illustrate threats, which, in the reality, affect the majority of mobile OSes. Moreover, by elaborating on these security flaws and misconfigurations, we describe different threat examples that influence end users’ privacy and anonymity in a risk assessment fashion. Furthermore, this chapter reviews the different existing solutions that can be employed to mitigate the described threats and to empower end users in regaining control on their sensitive information and on the behavior of the mobile applications installed in their mobile devices.
JRC wide hidden block