To improve smartphone privacy, control access to third-party libraries
Smartphone apps that share users’ locations, contacts and other sensitive information with third parties often do so through a relative handful of services called third-party libraries, suggesting a new strategy for protecting privacy, Carnegie Mellon University researchers say.
Controlling access to these third-party libraries, which help app developers make money by targeting people with ads or compiling marketing profiles, promises to be an effective way of limiting the unwanted release of
“Each of these libraries may be used by multiple apps on your smartphone,” said Yuvraj Agarwal, an assistant professor of computer science in the Institute for Software Research. “Making decisions about what information to share with each library, rather than just what each app should share, dramatically reduces the number of decisions a user has to make to protect privacy.
“It’s also more effective because if a user allows even one app on their device to provide a particular library with access to their sensitive information, that’s really all the library needs,”
In a new study, the CMU team analyzed how 1,300 people used 11,000 popular Android apps and found that the top 100 third-party libraries account for more than 70
The researchers presented their findings and their latest privacy management app at Ubicomp 2017, the ACM International Joint Conference on Pervasive and Ubiquitous Computing, Sept. 13-15 in Maui, Hawaii.
Third-party libraries are used by app developers to add functionality to apps, such as using Facebook libraries for authentication. They also enable developers of free apps to make money by linking their app to them; the Google AdMob library, for instance, might access a user’s location to target the user with ads, while the Flurry analytics library might gather user information for a marketing profile.
Recent versions of Android and Apple’s iOS require users to make individual decisions on whether an app can access sensitive information. But users do not know why the app needs that access or whether it is related to functionality or simply for advertising.
“Users are often overwhelmed by the number of decisions they need to make,” said Agarwal, who is affiliated with ISR’s Societal Computing program.
The Protect My Privacy (
The
“If I tell the library that I’m in Pittsburgh, it can still send me relevant ads, the developer can still make money, but I don’t have to give my home address or my detailed whereabouts,” Agarwal said.
The
“We’re hoping our work will influence Google and Apple,” Agarwal said. Google, in fact, provided some of the support for this study, as did the Air Force Research Laboratory and the National Science Foundation.
In addition to Agarwal, the research team included Jason Hong, associate professor in the Human-Computer Interaction Institute, Saksham Chitkara and Suhas Harish, both master’s degree students in the Information Networking Institute, and Nishad Gothoskar, a senior majoring in computer science and mathematical sciences.
Story originally published here.