Folks here may be interested in knowing that our team has been working with many others on building out a Privacy-Enhanced Android, which seeks to offer new programming models, new isolation mechanisms, and new user interfaces to help improve the entire ecosystem of privacy. This is a DARPA-funded project.
Some of our team's work (past and present) that may be of interest to folks here:
- We analyzed the privacy of Android apps at <a href="http://privacygrade.org">http://privacygrade.org</a>. The basic idea is that we use crowdsourcing to generate a model of what people are concerned about, and then apply that to all the apps we crawled. We're working on an update of PrivacyGrade using network data too, to map out who knows what about us and why.
- Perhaps one of the biggest findings from our team's research is that over 40% of apps that use sensitive data only do so because of third-party libraries (e.g. advertisers or analytics). We've mentioned this in talks to the FTC, Google, Apple, and others, that these third-party libraries are the biggest point of leverage here if we want to solve the problem. See this paper: <a href="http://www.cmuchimps.org/publications/does_this_app_really_n... this App Really Need My Location? Context-Aware Privacy Management for Smartphones</a> (PDF).
- <a href="https://privacyproxy.io/">https://privacyproxy.io/</a> (sorry, self-signed certificate is a bit out of date). This is a VPN that scans outgoing traffic for likely personally-identifiable information.
- <a href="http://www.android.protectmyprivacy.org/">http://www.android....</a> This requires rooted phones, intercepts calls to sensitive data on your phone, and aims to help you make better decisions by surfacing these calls and showing you what the majority chose to share.
- <a href="https://privacystreams.github.io/">https://privacystreams.gi....</a> This is a new programming model that aims to make developers' lives easier, and improve privacy as a side effect by making accesses to sensitive data easier to analyze. A key observation is that most apps don't need fine-grained data, but currently apps require all-or-nothing access. For example, raw audio vs "just loudness", or exact GPS vs "what city". We offer stream-like processing that makes it easier for devs to get the granularity they want, which also makes the app much easier to analyze. So we can analyze an app and output "this app uses your microphone to get loudness".
- <a href="https://www.slideshare.net/jas0nh0ng/fostering-an-ecosystem-... an Ecosystem of Smartphone Privacy</a>. This is a talk I gave last month that summarizes a lot of our team's work on privacy.
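The PrivacyStreams bullet above is easiest to see with a toy model of the idea. The following is an added example, not PrivacyStreams' own code or API: every name in it (Pipeline, Step, rms_db, nearest_city, CITIES) is invented here. The point it shows is that when sensitive data flows through declared, named coarsening steps, an analyzer can report what granularity the app consumes ("microphone to get loudness", "location to get your city") from the pipeline declaration alone, without running the app.

```python
# Toy "privacy stream" pipeline illustrating the PrivacyStreams idea:
# sensitive data flows through named, declared transformation steps, so the
# granularity an app actually consumes is visible without executing it.
# All names here (Pipeline, Step, rms_db, nearest_city, CITIES) are invented
# for this illustration; this is not the PrivacyStreams API.
import math
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Step:
    name: str
    fn: Callable[[Any], Any]
    yields: str  # plain-language description of what leaves this step


class Pipeline:
    """A chain of Steps from one sensitive source to the value the app receives."""

    def __init__(self, source: str, raw: str) -> None:
        self.source = source      # e.g. "microphone"
        self.raw = raw            # what the source emits before any step
        self.steps: List[Step] = []

    def then(self, step: Step) -> "Pipeline":
        self.steps.append(step)
        return self

    def run(self, data: Any) -> Any:
        """Dynamic: push real data through every step, in order."""
        for step in self.steps:
            data = step.fn(data)
        return data

    def describe(self) -> str:
        """Static: summarize the access from the declared steps alone."""
        final = self.steps[-1].yields if self.steps else self.raw
        return f"this app uses your {self.source} to get {final}"


# --- coarsening steps -------------------------------------------------------

def rms_db(samples: List[float]) -> float:
    """Loudness of a buffer of raw PCM samples (floats in [-1, 1]) in dBFS."""
    rms = math.sqrt(sum(s * s for s in samples) / len(samples))
    return 20.0 * math.log10(max(rms, 1e-9))


# Constructed lookup table of city centers; a real app would use a geocoder.
CITIES: Dict[str, Tuple[float, float]] = {
    "Pittsburgh": (40.44, -79.99),
    "New York": (40.71, -74.01),
    "San Francisco": (37.77, -122.42),
}


def nearest_city(loc: Tuple[float, float]) -> str:
    """Exact coordinates -> name of the nearest known city (squared-degree distance)."""
    lat, lon = loc
    return min(CITIES, key=lambda c: (CITIES[c][0] - lat) ** 2 + (CITIES[c][1] - lon) ** 2)


# --- the two cases from the post: raw audio -> loudness, exact GPS -> city --

def loudness_pipeline() -> Pipeline:
    return Pipeline("microphone", "raw audio").then(Step("rms_db", rms_db, "loudness"))


def city_pipeline() -> Pipeline:
    return Pipeline("location", "exact GPS coordinates").then(
        Step("nearest_city", nearest_city, "your city"))


def audit(pipelines: List[Pipeline]) -> List[str]:
    """What an analyzer can report about an app without executing it."""
    return [p.describe() for p in pipelines]


if __name__ == "__main__":
    # Constructed inputs: a square wave of amplitude 0.5 and a point near Pittsburgh.
    print(round(loudness_pipeline().run([0.5, -0.5, 0.5, -0.5]), 2))  # -6.02 (dBFS)
    print(city_pipeline().run((40.45, -79.90)))                      # Pittsburgh
    for line in audit([loudness_pipeline(), city_pipeline()]):
        print(line)
```

The contrast with all-or-nothing access is the `describe()` method: it reads only the declared steps, so a pipeline with no steps is honestly reported as consuming "raw audio", while the two real pipelines report the coarse value the app actually gets. The raw samples and coordinates never leave `run()`.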
Our DARPA PM has asked us to focus a lot more on tech transfer activities for our final year, so if any of you are interested, send me a mail. (This is tech transfer in terms of getting industry to adopt our ideas, not necessarily commercialization or licensing.)
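The privacyproxy.io bullet above describes scanning outgoing traffic for likely personally-identifiable information. The following is an added example of two signals such a scanner can use, not PrivacyProxy's own logic: the regex formats, the per-device stability heuristic, the `device_unique_params` and `scan_request` names, and the sample traffic are all constructed for this illustration.

```python
# Toy scanner for likely personally-identifiable information in outgoing
# request URLs, in the spirit of the PrivacyProxy bullet above. Two
# complementary signals: (1) values matching known PII formats, and
# (2) parameter values that are stable per device but differ between devices,
# which is how tracking identifiers behave even when no format is recognised.
# Patterns, heuristic and sample traffic are constructed for this illustration
# and are not PrivacyProxy's own logic.
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+\d{7,14}\b"),        # international format only
    "imei": re.compile(r"\b\d{15}\b"),
    "android_id": re.compile(r"\b[0-9a-f]{16}\b"),
}


def classify(value: str) -> List[str]:
    """Names of the PII formats a single value matches (sorted, may be empty)."""
    return sorted(kind for kind, rx in PATTERNS.items() if rx.search(value))


def scan_request(url: str) -> List[Tuple[str, str, List[str]]]:
    """Query parameters of one outgoing request whose value looks like PII."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    hits = []
    for name, value in params:
        kinds = classify(value)
        if kinds:
            hits.append((name, value, kinds))
    return hits


def device_unique_params(traffic: List[Tuple[str, str]]) -> Set[str]:
    """Parameters whose value is constant within a device but distinct across devices.

    traffic: (device_label, url) pairs seen by the proxy. A parameter that takes
    exactly one value per device, with every device's value different, behaves
    like an identifier. Values that rotate within a device (session ids) or
    are shared by everyone (language, screen size) are left alone.
    """
    values: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for device, url in traffic:
        for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
            values[name][device].add(value)
    devices = {d for d, _ in traffic}
    flagged: Set[str] = set()
    for name, per_device in values.items():
        if set(per_device) != devices:
            continue  # not sent by every device; this simple heuristic skips it
        if all(len(v) == 1 for v in per_device.values()):
            distinct = {next(iter(v)) for v in per_device.values()}
            if len(distinct) == len(devices) > 1:
                flagged.add(name)
    return flagged


# Constructed sample traffic from two devices (all values are made up).
SAMPLE_TRAFFIC = [
    ("device-A", "https://ads.example/track?aid=3f9c2b1a8e7d6c5b&email=alice%40example.com&lang=en"),
    ("device-B", "https://ads.example/track?aid=0a1b2c3d4e5f6071&email=bob%40example.com&lang=en"),
    ("device-A", "https://analytics.example/ping?aid=3f9c2b1a8e7d6c5b&sid=9f1&screen=1080x1920"),
    ("device-B", "https://analytics.example/ping?aid=0a1b2c3d4e5f6071&sid=c04&screen=1080x1920"),
    ("device-A", "https://analytics.example/ping?aid=3f9c2b1a8e7d6c5b&sid=77a&screen=1080x1920"),
]

if __name__ == "__main__":
    for device, url in SAMPLE_TRAFFIC:
        print(device, scan_request(url))
    print("device-unique parameters:", sorted(device_unique_params(SAMPLE_TRAFFIC)))
```

On the constructed traffic the format scan catches `aid` (16 hex characters, Android-ID shaped) and `email`, and the stability heuristic independently flags the same two parameters while ignoring `lang` and `screen` (identical on both devices) and `sid` (rotates within device-A). An unrecognised but stable per-device token would be caught by the second signal alone, which is why the two are worth running together.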