Open Collections

UBC Theses and Dissertations

UBC Theses Logo

UBC Theses and Dissertations

Contextual permission models for better privacy protection Wijesekera, Primal 2018

Your browser doesn't seem to have a PDF viewer, please download the PDF to view this item.

Item Metadata


24-ubc_2018_september_wijesekera_primal.pdf [ 2.64MB ]
JSON: 24-1.0368657.json
JSON-LD: 24-1.0368657-ld.json
RDF/XML (Pretty): 24-1.0368657-rdf.xml
RDF/JSON: 24-1.0368657-rdf.json
Turtle: 24-1.0368657-turtle.txt
N-Triples: 24-1.0368657-rdf-ntriples.txt
Original Record: 24-1.0368657-source.json
Full Text

Full Text

Contextual Permission Models forBetter Privacy ProtectionbyPrimal WijesekeraB.Sc in Computer Science, University of Colombo (Sri Lanka), 2008M.Sc in Computer Science, The University of British Columbia (Canada), 2012A THESIS SUBMITTED IN PARTIAL FULFILLMENTOF THE REQUIREMENTS FOR THE DEGREE OFDoctor of PhilosophyinTHE FACULTY OF GRADUATE AND POSTDOCTORALSTUDIES(Electrical and Computer Engineering)The University of British Columbia(Vancouver)June 2018© Primal Wijesekera, 2018The following individuals certify that they have read, and recommend to the Fac-ulty of Graduate and Postdoctoral Studies for acceptance, the thesis entitled:Contextual Permission Models forBetter Privacy Protectionsubmitted by Primal Wijesekera in partial fulfillment of the requirements for thedegree of Doctor of Philosophy in Electrical and Computer Engineering.Examining Committee:Konstantin Beznosov, Electrical and Computer EngineeringCo-supervisorSerge Egelman, Computer Science, UC Berkeley/ICSICo-supervisorSathish Gopalakrishnan, Electrical and Computer EngineeringSupervisory Committee MemberPhilippe Kruchten, Electrical and Computer EngineeringUniversity ExaminerJoanna McGrenere, Computer ScienceUniversity ExaminerAdditional Supervisory Committee Members:Karthik Pattabiraman, Electrical and Computer EngineeringSupervisory Committee MemberiiAbstractDespite corporate cyber intrusions attracting all the attention, privacy breachesthat we, as ordinary users, should be worried about occur every day without anyscrutiny. Smartphones, a household item, have inadvertently become a major en-abler of privacy breaches. Smartphone platforms use permission systems to reg-ulate access to sensitive resources. These permission systems, however, lack theability to understand users’ privacy expectations leaving a significant gap betweenhow permission models behave and how users would want the platform to protecttheir sensitive data. This dissertation provides an in-depth analysis of how usersmake privacy decisions in the context of Smartphones and how platforms can ac-commodate user’s privacy requirements systematically.We first performed a 36-person field study to quantify how often applicationsaccess protected resources when users are not expecting it. We found that whenthe application requesting the permission is running invisibly to the user, they aremore likely to deny applications access to protected resources. At least 80% ofour participants would have preferred to prevent at least one permission request.To explore the feasibility of predicting user’s privacy decisions based on theirpast decisions, we performed a longitudinal 131-person field study. Based onthe data, we built a classifier to make privacy decisions on the user’s behalf bydetecting when the context has changed and inferring privacy preferences basedon the user’s past decisions. We showed that our approach can accurately predictusers’ privacy decisions 96.8% of the time, which is an 80% reduction in errorrate compared to current systems.iiiBased on these findings, we developed a custom Android version with a con-textually aware permission model. The new model guards resources based onuser’s past decisions under similar contextual circumstances. We performed a38-person field study to measure the efficiency and usability of the new permis-sion model. Based on exit interviews and 5M data points, we found that the newsystem is effective in reducing the potential violations by 75%. Despite beingsignificantly more restrictive over the default permission systems, participants didnot find the new model to cause any usability issues in terms of application func-tionality.ivLay SummaryCurrent smartphone operating systems employ permission systems to regulatehow apps access sensitive resources. These systems are not well-aligned withusers’ privacy expectations: users often have no idea how often and under whatcircumstances their personal data is accessed. The thesis devises ways to system-atically reduce this disconnect between expectations and reality. We found thata significant portion of participants make contextual privacy decisions: when de-termining whether access to sensitive data is appropriate, they consider what theyare doing on their phones at the time, including whether they are actively usingthe applications requesting their data. We show that current privacy mechanismsdo not do a good job of accounting for these contextual factors, but that by apply-ing machine learning to account for context, we can reduce privacy violations by80%, while also minimizing user involvement.vPrefaceThis research was the product of a fruitful collaboration between the author ofthe dissertation and the following people: Konstantin Beznosov (co-advisor) fromthe University of British Columbia, Arjun Baokar, Serge Egelman (co-advisor),Ashkan Hosseini, Joel Reardon, Lynn Tsai, David Wagner from the Universityof California, Berkeley and Irwin Reyes from International Computer ScienceInstitute, Berkeley and Jung-Wei Chen, Nathan Good from Good Research, Inc.It is worth mentioning that the work presented herein consists of research stud-ies that have been published or under review in peer-reviewed international con-ferences. In particular, the field study presented in Chapter 2, and partly discussedin Chapter 5, are based on the following publication:• Primal Wijesekera, Arjun Baokar, Ashkan Hosseini, Serge Egelman, DavidWagner, and Konstantin Beznosov. "Android Permissions Remystified: AField Study on Contextual Integrity." In USENIX Security Symposium, pp.499-514. 2015.The prediction model on privacy decisions presented in Chapter 3 and partlydiscussed in Chapter 5, is based on the following publication:• Primal Wijesekera, Arjun Baokar, Lynn Tsai, Joel Reardon, Serge Egelman,David Wagner, and Konstantin Beznosov. 2017. The Feasibility of Dynami-cally Granted Permissions: Aligning Mobile Privacy with User Preferences.In 2017 IEEE Symposium on Security and Privacy (SP). 1077–1093.viThe implementation field study presented in Chapter 4 and partly discussed inChapter 5, is based on following publications:• Primal Wijesekera, Joel Reardon, Irwin Reyes, Lynn Tsai, Jung-Wei Chen,Nathan Good, David Wagner, Konstantin Beznosov, and Serge Egelman."Contextualizing Privacy Decisions for Better Prediction (and Protection)".Proceedings of the SIGCHI Conference on Human Factors in ComputingSystems (CHI ’18), 2018. * Honorable Mention Award.• Lynn Tsai, Primal Wijesekera, Joel Reardon, Irwin Reyes, Serge Egelman,David Wagner, Nathan Good, and Jung-Wei Chen. "Turtle Guard: Help-ing Android Users Apply Contextual Privacy Preferences." In ThirteenthSymposium on Usable Privacy and Security (SOUPS 2017), pp. 145-162.USENIX Association, 2017.As the author of the thesis, I have involved in implementing more than 95%of the systems presented in this thesis: the instrumentation framework used in thefirst study, the instrumentation and behavioral interception in the second study andthe implementing ML model and instrumentation in the third study. I have alsoconducted more than 90% of all the analysis presented in the thesis.All of the field studies carried out throughout the thesis received institutionalreview board (IRB) approval prior to the respective study – approved by the UCBerkeley IRB under protocol #2013-02-4992 and by UBC BREB under protocol#H18-00856 for secondary use of data.viiTable of ContentsAbstract . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . iiiLay Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vPreface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viTable of Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . viiiList of Tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xiiList of Figures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xivAcknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xv1 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11.1 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . 31.1.1 Challenges . . . . . . . . . . . . . . . . . . . . . . . . . 41.1.2 Adversary Model . . . . . . . . . . . . . . . . . . . . . . 51.1.3 Research Methodology . . . . . . . . . . . . . . . . . . . 61.2 Research Summary . . . . . . . . . . . . . . . . . . . . . . . . . 61.2.1 Resource Usage and User Expectations in the Wild . . . . 71.2.2 The Impact of the Surrounding Context . . . . . . . . . . 81.2.3 Impact of a Real World Contextual Permission Model . . . 91.3 Main Contributions . . . . . . . . . . . . . . . . . . . . . . . . . 10viii1.3.1 Understanding How Applications Access Data . . . . . . . 111.3.2 How Users Perceive the Context . . . . . . . . . . . . . . 111.3.3 Ability to Predict Future Contextual Preferences . . . . . . 121.3.4 Contextually Aware Permission Model . . . . . . . . . . . 131.4 Minor Contributions . . . . . . . . . . . . . . . . . . . . . . . . . 142 Resource Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192.2.1 Tracking Access to Sensitive Data . . . . . . . . . . . . . 202.2.2 Recruitment . . . . . . . . . . . . . . . . . . . . . . . . . 242.2.3 Exit Survey . . . . . . . . . . . . . . . . . . . . . . . . . 272.3 Application Behaviors . . . . . . . . . . . . . . . . . . . . . . . . 292.3.1 Invisible Permission Requests . . . . . . . . . . . . . . . 292.3.2 High Frequency Requests . . . . . . . . . . . . . . . . . . 342.3.3 Frequency of Data Exposure . . . . . . . . . . . . . . . . 352.4 User Expectations and Reactions . . . . . . . . . . . . . . . . . . 382.4.1 Reasons for Blocking . . . . . . . . . . . . . . . . . . . . 382.4.2 Influential Factors . . . . . . . . . . . . . . . . . . . . . . 402.4.3 User Inactivity and Resource Access . . . . . . . . . . . . 422.5 Feasibility of Runtime Requests . . . . . . . . . . . . . . . . . . 422.5.1 Modeling Users’ Decisions . . . . . . . . . . . . . . . . . 442.6 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473 Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523.2 Methodology . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553.2.1 Instrumentation . . . . . . . . . . . . . . . . . . . . . . . 583.2.2 Exit Survey . . . . . . . . . . . . . . . . . . . . . . . . . 603.2.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . 613.3 Types of Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62ix3.4 Ask-On-First-Use Permissions . . . . . . . . . . . . . . . . . . . 643.5 Learning Privacy Preferences . . . . . . . . . . . . . . . . . . . . 683.5.1 Feature Selection . . . . . . . . . . . . . . . . . . . . . . 683.5.2 Inference Based on Behavior . . . . . . . . . . . . . . . . 713.5.3 Inference Based on Contextual Cues . . . . . . . . . . . . 723.6 Learning Strategy . . . . . . . . . . . . . . . . . . . . . . . . . . 763.6.1 Bootstrapping . . . . . . . . . . . . . . . . . . . . . . . . 763.6.2 Decision Confidence . . . . . . . . . . . . . . . . . . . . 803.6.3 Online Model . . . . . . . . . . . . . . . . . . . . . . . . 823.7 Contextual Integrity . . . . . . . . . . . . . . . . . . . . . . . . . 833.8 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 863.8.1 Limitations of Permission Models . . . . . . . . . . . . . 873.8.2 Our ML-Based Model . . . . . . . . . . . . . . . . . . . 873.8.3 Reducing the User Burden . . . . . . . . . . . . . . . . . 883.8.4 User- and Permission-Tailored Models . . . . . . . . . . . 893.8.5 Attacking the ML Model . . . . . . . . . . . . . . . . . . 893.8.6 Experimental Caveat . . . . . . . . . . . . . . . . . . . . 903.8.7 Types of Users . . . . . . . . . . . . . . . . . . . . . . . 913.8.8 User Interface Panel . . . . . . . . . . . . . . . . . . . . . 913.8.9 The Cost of Greater Control . . . . . . . . . . . . . . . . 923.8.10 Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 924 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 934.1 Related Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 944.2 Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . 974.2.1 A Local SVM Classifier . . . . . . . . . . . . . . . . . . 974.2.2 Sensitive Resources . . . . . . . . . . . . . . . . . . . . . 1004.2.3 Permission Denial . . . . . . . . . . . . . . . . . . . . . . 1004.2.4 Contextually Aware Permission Manager . . . . . . . . . 1014.3 Validation Methodology . . . . . . . . . . . . . . . . . . . . . . . 1054.3.1 Participant’s Privacy Preferences . . . . . . . . . . . . . . 105x4.3.2 Recruitment . . . . . . . . . . . . . . . . . . . . . . . . . 1064.3.3 Exit Interview . . . . . . . . . . . . . . . . . . . . . . . . 1074.4 Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1094.4.1 Status Quo Problems . . . . . . . . . . . . . . . . . . . . 1094.4.2 Classifier Accuracy . . . . . . . . . . . . . . . . . . . . . 1124.4.3 Impact on App Functionality (and Stability) . . . . . . . . 1154.4.4 User Reactions to Prompts . . . . . . . . . . . . . . . . . 1164.4.5 User Reactions to Controls . . . . . . . . . . . . . . . . . 1174.5 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1195 Discussion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1235.1 Mismatched Personas . . . . . . . . . . . . . . . . . . . . . . . . 1245.2 Arms Race . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1265.3 Purpose Matters . . . . . . . . . . . . . . . . . . . . . . . . . . . 1285.4 User driven Privacy . . . . . . . . . . . . . . . . . . . . . . . . . 1295.5 Contextualization . . . . . . . . . . . . . . . . . . . . . . . . . . 1305.6 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131Bibliography . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133A Resource Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151A.1 Invisible requests . . . . . . . . . . . . . . . . . . . . . . . . . . 151A.2 Distribution of Requests . . . . . . . . . . . . . . . . . . . . . . . 153A.3 Permission Type Breakdown . . . . . . . . . . . . . . . . . . . . 154A.4 User Application Breakdown . . . . . . . . . . . . . . . . . . . . 155B Decision Prediction . . . . . . . . . . . . . . . . . . . . . . . . . . . 156B.1 Information Gain of Contextual Features . . . . . . . . . . . . . . 156B.2 Information Gain of Behavioral Features . . . . . . . . . . . . . . 157xiList of TablesTable 2.1 The 12 permissions that Felt et al. recommend be granted viaruntime dialogs [47]. We randomly took screenshots whenthese permissions were requested by applications, and we askedabout them in our exit survey. . . . . . . . . . . . . . . . . . . 24Table 2.2 Corresponding log entry . . . . . . . . . . . . . . . . . . . . . 26Table 2.3 The most frequently requested permissions by applications withzero visibility to the user. . . . . . . . . . . . . . . . . . . . . 32Table 2.4 The applications making the most permission requests whilerunning invisibly to the user. . . . . . . . . . . . . . . . . . . . 32Table 2.5 The application/permission combinations that needed to be ratelimited during the study. The last two columns show the fastestinterval recorded and the average of all the intervals recordedbefore rate-limiting. . . . . . . . . . . . . . . . . . . . . . . . 35Table 2.6 The sensitive permission requests (per user/day) when request-ing applications were visible/invisible to users. “Data exposed”reflects the subset of permission-protected requests that resultedin sensitive data being accessed. . . . . . . . . . . . . . . . . . 36Table 2.7 Goodness-of-fit metrics for various mixed effects logistic re-gression models on the exit survey data. . . . . . . . . . . . . . 46xiiTable 3.1 Felt et al. proposed granting a select set of 12 permissions atruntime so that users have contextual information to infer whythe data might be needed [47]. Our instrumentation omits thelast two permission types (INTERNET & WRITE_SYNC_SETTINGS)and records information about the other 10. . . . . . . . . . . . 56Table 3.2 Instrumented events that form our feature set . . . . . . . . . . 59Table 3.3 The accuracy and number of different possible ask-on-first-usecombinations. A: Application requesting the permission, P:Permission type requested, V: Visibility of the application re-questing the permission, AF : Application running in the fore-ground when the request is made. AOFU-AP is the policy usedin Android Marshmallow i.e., asking (prompting) the user foreach unique application, permission combination. The tablealso differentiates policy numbers based on the subpopulationof Contextuals, Defaulters, and across all users. . . . . . . . . 64Table 3.4 The complete list of features used in the ML model evaluation.All the numerical values in the behavioral group are normalizedper day. We use one-hot encoding for categorical variables. Wenormalized numerical variables by making each one a z-scorerelative to its own average. . . . . . . . . . . . . . . . . . . . . 69Table 3.5 The median accuracy of the machine learning model for differ-ent feature groups across different sub populations. . . . . . . . 71Table B.1 Feature Importance of Contextual Features . . . . . . . . . . . 156Table B.2 Feature Importance of Behavioral Features . . . . . . . . . . . 157xiiiList of FiguresFigure 2.1 Screenshot . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25Figure 2.2 On the first screen, participants answered questions to estab-lish awareness of the permission request based on the screenshot. 29Figure 2.3 On the second screen, they saw the resource accessed, statedwhether it was expected, and whether it should have beenblocked. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30Figure 3.1 A screenshot of an ESM prompt. . . . . . . . . . . . . . . . . 57Figure 3.2 Histogram of users based on their denial rate. Defaulters tendedto allow or deny almost all requests without regard for contex-tual cues, whereas Contextuals considered the visibility of therequesting application. . . . . . . . . . . . . . . . . . . . . . 63Figure 3.3 How the median accuracy varies with the number of seen prompts 78Figure 4.1 A screenshot of a permission request prompt. . . . . . . . . . 99Figure 4.2 The recent-allowed app activity . . . . . . . . . . . . . . . . . 102Figure 4.3 A list of installed apps and their associated permissions . . . 103Figure 4.4 Permissions can be always granted, granted only when in use,or never granted (bottom). . . . . . . . . . . . . . . . . . . . 104xivAcknowledgmentsFirst and foremost, I would like to thank the God Almighty for all the blessings Ireceived in my life so far, for giving me the opportunity to work with a wonderfulset of people during the course of my PhD.I am grateful to my research supervisors Konstantin Beznosov (UBC) andSerge Egelman (UC Berkeley/ICSI) for all the necessary guidance and supportgiven throughout the PhD and for everything they are continuing to do for me.I must specially thank Kosta for letting me do my research in UC Berkeley andSerge for taking me in to UC Berkeley. I am also very grateful for the valuableguidance I received from David Wagner in UC Berkeley and for all the fruitfuldiscussions I had regarding my thesis research and in general about research.Any journey in life is hard without good companionship, let alone the PhD.I have met amazing set of people from all around the world during the course ofmy PhD. Specially, my close Sri Lankan friends in UBC, friends from LERSSEand also friends/research collaborators in UC Berkeley and ICSI. The list is justtoo many to name, but I appreciate everything you have done for me and I hope Iget a chance one day to return the favor.Everything in life boils down to the family, I thank my parents, sister, and otherclose family members who have stood next to me in all of my endeavors speciallyduring the difficult times and it was the encouragement and prayers from themthat helped me to be who I am today.xvTo my parents and sister who are always there for me and neverstopped believing in mexviChapter 1IntroductionThe explosive growth of smartphone usage can be attributed to both rapidly in-creasing hardware capabilities and the diverse set of available mobile applicationsproviding a variety of services to end users. Among the two most popular smart-phone platforms (Android and iOS), there are over one million third party mo-bile applications 1 available to download which have seen more than 100 billiondownloads collectively. While providing valuable and useful services, mobile ap-plications have come under intense criticism for it’s use of user’s personal data inways not expected by the end users [4, 43, 71, 79, 88, 109].Mobile platform permission models regulate how applications access certainresources, such as users’ personal information or sensor data (e.g., camera, GPS,etc.). Earlier versions of Android (5.1 and below) asked users to make privacydecisions during application installation as an all-or-nothing ultimatum, ask-on-install (AOI),: either all requested permissions are approved or the application isnot installed. Previous work has shown issues with the AOI permission model: a)few people read the requested permissions at install-time and even fewer correctlyunderstood them [49, 65], b) install-time permissions do not present users withthe context in which that permission will be exercised [47], which may cause1All the applications which are not part of the platform and can be removed by the user arereferred as the third party applications and will be referred as simply applications in the future forbrevity.1users to make suboptimal decisions not aligned with their actual preferences. Forexample, Egelman et al. observed that when an application requests access tolocation data without providing context, users are just as likely to see this as asignal for desirable location-based features as they are an invasion of privacy [42].These issues have kept the users in the dark about how these applications exercisetheir permissions to access sensitive resources [14, 50, 69, 87, 101]. Asking usersto make permission decisions at runtime—at the moment when the permissionwill actually be used by the application—provides more context (i.e., what theywere doing at the time that data was requested) [16, 47, 62].In iOS and Android M (6.0 and above), the user is now prompted at runtimethe first time an application attempts to access one of a set of “dangerous” per-mission types (e.g., location, contacts, etc.). This ask-on-first-use (AOFU) modelis an improvement over ask-on-install (AOI). Prompting users the first time anapplication uses one of the designated permissions gives users a better sense ofcontext: their knowledge of what they were doing when the application first triedto access the data should help them determine whether the request is appropriate.The biggest caveat in AOFU is its reuse of the user consent for the first prompt,in all subsequent instances not accounting for the surrounding context. For exam-ple, a user may grant an application access to location data because she is usinglocation-based features, but by doing this, the application can subsequently accesslocation data for behavioral advertising, which may violate the user’s preferences.Previous work has already shown that applications access sensitive data for a va-riety of reasons other than the core app functionality [4, 31, 43, 79]Nissenbaum’s Privacy as Contextual Integrity explains why context mattersin Privacy. She posits that user privacy expectations are governed by their expec-tations on potential information flows that could occur in a given context. Thus,privacy violations occur if their expectations are defied. The notion implies thatany permission system in place should account for user expectations in the con-text of the permission request. Despite that, none of the permission systems inAndroid account for the context and iOS started to support some form of the con-2text (based on the foreground/background) for location requests which has beenlargely focused on location leaving other sensitive data unprotected.Barth et al. formalized the notion of Contextual Integrity providing a concreteconceptual framework on privacy as contextual integrity. The work is, largely, fol-lowed by a long line of work formalizing the privacy policy and access controlsfocusing more towards theoretical aspects of privacy [26, 35]. A more closely re-lated work on understanding users expectations found that context does influencetheir expectations on sensitive data usage [71]. Despite these useful observations,very little had been done to systematize the notion of Contextual Integrity so thatplatforms can better learn user’s privacy expectations and protect their data in realtime.In this dissertation, we2 operationalize the notion of Contextual Integrity. Weshow how the platforms can use the notion of Contextual Integrity (CI) and betterprotect sensitive user data aligning with their privacy expectations.1.1 Problem StatementApplications in mobile platforms provide a spectrum of functionality to the endusers; while doing so, these applications access a variety of data. While end usersare aware of the intended functionality provided by these applications, users aremostly unaware of how applications are accessing their data [50, 69, 87, 108, 117].Users trust these applications with the functionality provided by the applicationsbut the question remains do they trust these applications with their private data.The core research question of this thesis is to investigate an effective approachto better help users to protect their sensitive, private data from unexpected accessesoriginated by the third party applications in the smartphone. The thesis presents anew permission model where users are better empowered and informed to makeoptimal privacy decisions and with a better-aligned protection.2Use of the plural pronoun is customary even in solely authored research work.31.1.1 ChallengesPrivacy is a hard socio-technological problem where substantial technical con-tribution is needed to understand and involve humans to make sure everyone’sexpectations are met. Here we present three of the critical challenges found.Users already have an overwhelming set of choices to make in day to day lifein the digital world, yet they do not seem to have the control of making correct pri-vacy decisions in the context of smartphones, these overwhelming set of choicesare the source of the security fatigue which leads them to risky behavior compro-mising their privacy or security [86, 93, 105]. The important question remains asto how can smartphone platforms give more control to the user without puttingmore burden on the user? When is the correct time to ask the question (of ac-quiring their preferences for allowing or denying a access request)? What is theright question to ask? In the current technical setup, users will continue to makesub-optimal privacy choices or worse, current systems could further reduce theirability to make better privacy decisions [1, 2]. Thus the platform should reducethe user involvement and should only try to get the attention of the user when it isabsolutely necessary because attention is a finite resource which should be usedcarefully[24].Finite attention is not the only problem, privacy is usually not the user’s mainpriority [101, 122], but the functionality of the application is. Platforms shouldnever force the user to choose between the usability of the phone and their pri-vacy expectations. Therefore, a finer grained permission model should be ableto accommodate access requests to the guarded resources when it is expected bythe user so that applications can deliver the expected functionality to the user. Ifapplications start to crash due to unavailability of resources, it will increase userfrustration and annoyance and make them go back and change their privacy deci-sions trading privacy for functionality [6, 32]. Thus, the platform should be ableto preserve both user privacy and usability of the smartphone.Restricted with finite attention and lack of motivation, the involvement of theusers should be comprehensible to the end users. Previous work has shown that4only a small portion of participants could understand the privacy prompt properlyhindering the protection significantly [49, 65]. Previous attempts on fixing privacycontrols have already come up with complicated controls to match with the userexpectations [29, 33, 81, 98]. These systems fail due their complexity barringan average user from properly configuring the permission controls. Thus, inde-pendent of user’s complicated privacy expectations, interfaces should be easilycomprehensible so that users can make an informed, optimal decision.1.1.2 Adversary ModelThe proposed new permission model will protect the user from applications al-ready installed by the user, from using sensitive resources in unexpected waysviolating the privacy of the user. The application can be either a benign or amalicious application. The application, however, does not exploit the Androidoperating system itself; it operates within the permission privileges it has beengranted to request data. The integrity of the underlying operating system (and thekernel) is assumed to be intact at all times for the permission model to functionas expected. We do not handle the case where applications are coupled with someexploit that undermines the operating system or has any such malware [5, 46] thatsubverts the permission system and security monitor altogether.The model also does not cover all permission protected resources in the mo-bile phone. A previous work by Felt et al. [47] showed that not all permissioncontrolled resources need runtime attention and only the ones that can result inirreversible harm, highly sensitive data or data that could incur cost need runtimeuser attention so that users make a runtime decision. The first two studies pre-sented in the thesis are only focusing on the 12 resources that Felt suggested inher prior study; this is explain in detail in Section 2.2.1. In the last study, on topof the above mentioned 12 resources, we also added the newly classified set ofresources by Google as Dangerous resources [54]. While we believe the otherresources needs user attention, they are best served with other user consent mech-anisms such as auditing or other mechanisms mentioned in [47].51.1.3 Research MethodologyWe have conducted two one-week long field studies and one 6-week long longitu-dinal field study to gather real-world user data – all of the numbers we are present-ing in this thesis are derived from real-world observations. We have used expe-rience sampling and retrospective experience sampling throughout the studies tocollect empirical datapoints [59]. We have also used both quantitative and qualita-tive analysis in evaluating the real-world datasets. After each study, we have con-ducted either an online exit survey or in-person interviews to understand behaviormore insightfully. All of the quantification of qualitative data (user codes) weredone by three independent coders [12]. We have detailed each study’s method-ology in depth under each different section. All of the field studies carried outthroughout the thesis received institutional review board (IRB) approval prior tothe respective study – approved by the UC Berkeley IRB under protocol #2013-02-4992 and by UBC BREB under protocol #H18-00856 for secondary use ofdata.During the design and the execution phases of the presented studies, we tookextra steps to make sure the ecological validity of the studies are well preserved.All of the study participants were randomly recruited through Craiglist exceptfor the second study. The participant pool for the second study was all somehowaffiliated to University of Buffalo, NY. The results of that study, however, werevalidated in a follow-up study using a completely random sample set to prove thatthe results of the second study are not affected by the selected participant pool.All of the statistical tests were properly used while making sure all of the assumedcriteria are met for respective tests.1.2 Research SummaryThe thesis is evolved around four main research questions geared towards a) bet-ter understanding how third-party application exercise their permissions in thewild, b) understanding how user expectations on privacy vary from one context6to another, c) exploring the feasibility of predicting user privacy decisions, and d)finally how both applications and users react to a more user-aligned and a con-textually aware permission model. In the remainder of this section, we introducethe three different projects we carried out in the process of this thesis and theirobjectives.1.2.1 Resource Usage and User Expectations in the WildPermission systems in mobile platforms protect private user data from third-partyapplications. To design an effective permission system, it is imperative to under-stand how applications access these protected sensitive resources; the understand-ing entails knowing how often and under what circumstances these applicationsare accessing private data. It is also critical to understand how these different cir-cumstances change users’ expectations for the resource access. If a permissionsystem is to be effective on acting on behalf of the users, it is important to under-stand how their expectations are changing under different circumstances so thatpermission systems can act accordingly.We instrumented the Android platform (v 4.1.1) to collect data regarding howoften and under what circumstances smartphone applications access protected re-sources regulated by permissions. We performed a 36-person field study to ex-plore how often applications access protected resources when users are not ex-pecting it. Based on our collection of 27M data points and exit interviews withparticipants, we examine the situations in which users would like the ability todeny applications access to protected resources.Main FindingsFollowing are the main findings based on the analysis of the 27M permissionrequests and based on the exit survey responses from 36 participants.• During the study period (one week), on average, each participant had onesensitive permission requests every 15 seconds to a set of 12 sensitive re-7sources. This observation makes the premise of using runtime prompts togive a better context impractical.• During the exit survey, 80% of our participants wanted to block at leastone permission request that occurred during the study. Overall, participantswanted to block access to protected resources a third of the time. This sug-gests that some requests should be granted by runtime consent dialog, ratherthan Android’s previous all-or-nothing install-time approval approach.• The visibility of the requesting application and the frequency at which re-quests occur are two important factors which need to be taken into accountin designing a future permission system.1.2.2 The Impact of the Surrounding ContextThe observation of impracticality of the runtime prompts calls for finding waysto provide the context to the user when they make privacy decisions and also forapproaches to figure out how to best act on behalf of the users. The frequency ofsensitive permission requests increases the risk of habituation significantly, thusplatforms should be able to act on behalf of the user majority of the time. Thisrequires understanding how users want to act under different contexts so that theplatform won’t make a mistake that could end up violating the user’s privacy.We performed a longitudinal 131-person field study to analyze the contextu-ality behind user privacy decisions to regulate access to sensitive resources. Webuilt a classifier to make privacy decisions on the user’s behalf by detecting whenthe context has changed and, when necessary, inferring privacy preferences basedon the user’s past decisions and behavior. Our goal is to automatically grant ap-propriate resource requests without further user intervention, deny inappropriaterequests, and only prompt the user when the system is uncertain of the user’spreferences.8Main FindingsFollowing are the main findings based on the analysis of the 176M data pointscollected from 131 users over a period of six weeks.• We show that the new permission model in Android, Ask-on-first-use (AOFU),has a median error rate of 15% causing the platform to make an error once inevery minute. An error occurs everytime AOFU makes a decision differentfrom what the user would have done if they had the opportunity.• We show that a significant portion of the studied participants makes contex-tual decisions on permissions—the foreground application and the visibilityof the permission-requesting application are strong cues participants used tomake contextual decisions.• We show how a machine-learned model can incorporate context and betterpredict users’ privacy decisions. We show that our approach can accuratelypredict users’ privacy decisions 96.8% of the time, which is a four-foldreduction in error rate compared to current systems.• To the best of our knowledge, we are the first to use passively (data acquiredwithout prompting the user) observed traits to infer future privacy decisionson a case-by-case basis at runtime.1.2.3 Impact of a Real World Contextual Permission ModelIn the aforementioned model, participants were expressing their expectations with-out any consequences. Given a choice between application functionality and pri-vacy expectations, their privacy decisions could be different. The practicality ofthe entire premise of having a contextually aware, more restrictive permissionmodel depends on how well users and third-party applications receive the newpermission model. A little work has been done on analyzing how third-partyapplications will behave in the presence of actual resource denial and on under-standing how users receive the new permission system[89].9To find answers to these questions, we implemented a novel privacy manage-ment system in Android, in which we use contextual signals to build a classifierthat predicts user privacy preferences under various scenarios. We performed a37-person field study to evaluate this new permission model under normal deviceusage. We show that this new permission model reduces the error rate by 75%(i.e., fewer privacy violations) while preserving usability. We offer guidelines forhow platforms can better support user privacy decision-making.Main FindingsFollowing are the main findings based on our exit interviews and collection ofover 5 million data points from participants,• Given the choice between functionality and privacy, users are still likely totake a restrictive stance – data shows that the context still matters even inthe presence of actual resource denial.• Desire to stick to their restrictive decisions shows the success of the dataspoofing technique in places in the custom Android to make the app believethat they are getting genuine data.• We show that AOFU not only lacks context, but it also fails to match users’understanding of the method 25% of the time, substantially hampering itsability to protect user data.1.3 Main ContributionsIn this section, we enlist the most important contributions of our work and how weenvision each of these contributions will impact the future research in increasingprivacy protection in mobile platforms. In summary, the main goal of the work isto understand, design and develop a better user aligned permission model whichwe believe achieved at the end of the study.101.3.1 Understanding How Applications Access DataAs a research community, there was very little understanding of how applicationsactually use the resources which could benefit research on permission systems.To the best of our knowledge, we are the first to run a field study to under-stand how applications access sensitive resources in the real world and to reportactual frequencies of these accesses under different circumstances – this obser-vation made the proposal on frequent runtime prompts impractical and forcedresearchers to think ways to engage the user while giving them the context. In thesame study, we found a substantial portion of the requests occur when the userdoesn’t have a clue that the application is running at all which had a statisticallysignificant impact towards their expectations and their decision towards denyingsuch permission requests. More details on this are presented in the Chapter 2.The following are the most critical impacts of this contribution;• Any future permission system should account for frequency. This observa-tion makes any calls for increased user intervention in permission models,impractical and obsolete.• Given the significant portion of the invisible requests, our work suggeststhat visibility has to be a factor in any future permission systems enablingthe users to control data accesses that occur when they are not using theapps.1.3.2 How Users Perceive the ContextAlthough, the notion of Contextual Integrity existed for some time and concep-tualized frameworks have been proposed, very little has been done to concretelysystematize the notion in the context of smartphones. Any attempt to understandhow the context is affecting user’s decision needs to first identify the factors thathelp users to grasp the context and how they actually vary their decisions accord-ingly.11While iOS has already started enabling users to vary their decision based thevisibility of the requesting application, we are the first to quantitatively show thatthe visibility of the requesting application has a statistically significant impact to-wards their privacy decisions. We also demonstrated the impact of the foregroundapplication 3 in user’s privacy decisions. Extending the notion of Contextual In-tegrity, we have demonstrated how visibility and the foreground application fit inthe notion of Privacy as Contextual Integrity. More details on this are presentedin the Chapter 3.The following is the most critical impact of this contribution;• Visibility of the requesting application is a critical factor in the user’s deci-sion process. This implies – a) users should be able to vary their decisionbased on the visibility of the requesting application, and b) platforms shouldtake the visibility into account when acting on behalf of the user.• Any future permission models should take the visibility of the requestingapplication and the foreground application at the time of user decision, ifthey want to reuse the user decision in future subsequent instances.1.3.3 Ability to Predict Future Contextual PreferencesThe previous two key contributions demonstrated that one plausible way to moveforward is to understand how users make privacy decisions and predict their fu-ture decisions so that the platform can take the decision on behalf of them withoutinvolving the user in the process. The observation of two key contextual factors(foreground application at the time of the request and the visibility of the request-ing application) showed that those two factors are needed to be in the system if thepredictions are to be effective and aligned with the user’s preferences. Previouswork has already looked into predicting users’ privacy decisions using cluster-ing [73, 74]. The project, however, does not take the surrounding context into3Foreground application is the application the user is engaged with at the time of the request12account and did not measure the accuracy of the systems with respect to the adap-tation of the new permission model of Android (AOFU) among the test subjects.We present an accurate predictive model that can predict users’ future privacydecisions with a 96.8% accuracy, using their past decisions. The use of contextand machine learning not only increased the privacy protection significantly; ithas helped to reduce the user involvement avoiding the risk of habituation. Moredetails on this are presented in the Chapter 3.The following are the most critical impacts of this contribution:• Successful use of the context to predict future privacy decisions which couldbe useful for other domains as well.• Demonstration of the feasibility of machine learning to counter user habit-uation and increase their privacy protection significantly.1.3.4 Contextually Aware Permission ModelThere is a long line of work suggesting fixes and exposing defects in the previousand current permission systems in Android [5, 60, 74, 81, 84, 100]. None of theprevious work, however, was contextually aware or analyzed the impact of thenew permission model in terms of user experience and preserving the applicationfunctionality.To the best of our knowledge, we are the first to implement a real-world con-textually aware permission model that takes surrounding contextual signals intoaccount before deciding on allowing (or denying) a given permission request. Weshow that if suitable data spoofing 4 mechanisms are in-place, a restrictive per-mission model can preserve both privacy of the user and application functionality.More details on this are presented in the Chapter 4.The following are the most critical impacts of this contribution:4Any mechanism that can feed synthetic data to the requesting application without risking userprivacy.13• We demonstrated running a full machine learning pipeline in Android withreal-world applications and users. This is the first proof that such a systemcan be implemented in Android for taking individual privacy decisions real-time based on user preferences.• Contrary to the previous work by Fang et. al. [44], a more restrictive modelcan preserve usability by handling resource denial gracefully; rather thandenying a resource platform can feed synthetic data that has no privacy im-plications.1.4 Minor ContributionsHere, we present a few minor contributions that will have a significant impacttowards future research along the lines of permission systems and privacy.• We are, to the best of our knowledge, the first to report the use of behav-ioral traits to predict future privacy decisions. This is a critically importantobservation for any system which intends to learn users privacy decisions.All of the user behavioral traits are passively observable – user involvementin the learning phase is zero, which is an important victory against userhabituation.There has been previous work done on connecting privacy and human be-havior [3, 63] in a general setup. We, however, report the first successfulattempt to predict individual privacy decisions based on behavioral traits inthe context of smartphone usage.This observation of using behavioral traits 5 is even more important in thedomain of IoT where the user involvement/engagement is minimal if it’snot nonexistent. With behavioral traits are in placed, IoT devices can learnabout user’s privacy preferences with minimal resources available and do abetter job at protecting their user’s privacy.5Participant’s behavioral habits that we hypothesized to be useful in predicting their privacybehavior14Behavioral traits can be used for any permission model to further reduce theuser involvement in the learning phase. There is more work needed to fullyexplore the potential of these passively observable traits.• We have collected one of the largest (if not the largest) real-world data onmobile user behavior (80M), privacy decisions (6K), sensitive data accessby third-party applications (130M), and third-party library data usage datapoints (8M). During the course of the project, we have collected these datapoints from 300+ real-world users.We believe more exploration is needed to understand and fix privacy pro-tection and understanding of the impact of the context. This data could beimmensely valuable for future research in privacy, mobile user behavior,measurements, etc. We have already shared a portion of these data pointswith the research community [84] and hope to continue doing the same inthe future.15Chapter 2Resource UsageFew people read the Android install-time permission requests and even fewercomprehend them [49]. Another problem is habituation: on average, Androidapplications present the user with four permission requests during the installationprocess [45]. While iOS users are likely to see fewer permission requests thanAndroid users, because there are fewer possible permissions and they are onlydisplayed the first time the data is actually requested, it is not clear whether or notusers are being prompted about access to data that they actually find concerning,or whether they would approve of subsequent requests [48].Nissenbaum posited that the reason why most privacy models fail to predictviolations is that they fail to consider contextual integrity [82]. That is, privacyviolations occur when personal information is used in ways that defy users’ ex-pectations. We believe that this notion of “privacy as contextual integrity” can beapplied to smartphone permission systems to yield more effective permissions byonly prompting users when an application’s access to sensitive data is likely todefy expectations. As a first step down this path, we examined how applicationsare currently accessing this data and then examined whether or not it compliedwith users’ expectations.We modified Android to log whenever an application accessed a permission-protected resource and then gave these modified smartphones to 36 participants16who used them as their primary phones for one week. The purpose of this was toperform dynamic analysis to determine how often various applications are actuallyaccessing protected resources under realistic circumstances. Afterwards, subjectsreturned the phones to our laboratory and completed exit surveys. We showedthem various instances over the past week where applications had accessed cer-tain types of data and asked whether those instances were expected, and whetherthey would have wanted to deny access. Participants wanted to block a third ofthe requests. Their decisions were governed primarily by two factors: whetherthey had privacy concerns surrounding the specific data type and whether theyunderstood why the application needed it.Key contributions of this chapter are:• To our knowledge, we performed the first field study to quantify the permis-sion usage by third-party applications under realistic circumstances.• We show that our participants wanted to block access to protected resourcesa third of the time. This suggests that some requests should be grantedby runtime consent dialogs, rather than Android’s previous all-or-nothinginstall-time approval approach.• We show that the visibility of the requesting application and the frequencyat which requests occur are two important factors which need to be takeninto account in designing a runtime consent platform.2.1 Related WorkWhile users are required to approve Android application permission requests dur-ing installation, most do not pay attention and fewer comprehend these requests [49,65]. In fact, even developers are not fully knowledgeable about permissions [106],and are given a lot of freedom when posting an application to the Google PlayStore [19]. Applications often do not follow the principle of least privilege, in-tentionally or unintentionally [116]. Other work has suggested improving the An-droid permission model with better definitions and hierarchical breakdowns [18].17Some researchers have experimented with adding fine-grained access control tothe Android model [28]. Providing users with more privacy information and per-sonal examples has been shown to help users in choosing applications with fewerpermissions [56, 66].Previous work has examined the overuse of permissions by applications [45,55], and attempted to identify malicious applications through their permission re-quests [99] or through natural language processing of application descriptions [85].Researchers have also developed static analysis tools to analyze Android permis-sion specifications [11, 23, 45]. Our work complements this static analysis by ap-plying dynamic analysis to permission usage. Other researchers have applied dy-namic analysis to native (non-Java) APIs among third-party mobile markets [104];we apply it to the Java APIs available to developers in the Google Play Store.Researchers examined user privacy expectations surrounding application per-missions, and found that users were often surprised by the abilities of backgroundapplications to collect data [64, 108]. Their level of concern varied from annoy-ance to seeking retribution when presented with possible risks associated with per-missions [48]. Some studies employed crowdsourcing to create a privacy modelbased on user expectations [71].Researchers have designed systems to track or reduce privacy violations byrecommending applications based on users’ security concerns [5, 43, 53, 60, 67,121, 123, 125]. Other tools dynamically block runtime permission requests [100].Enck et al. found that a considerable number of applications transmitted locationor other user data to third parties without requiring user consent [43]. Hornyacket al.’s AppFence system gave users the ability to deny data to applications orsubstitute fake data [60]. However, this broke application functionality for one-third of the applications tested.Reducing the number of security decisions a user must make is likely to de-crease habituation, and therefore, it is critical to identify which security decisionsusers should be asked to make. Based on this theory, Felt et al. created a decisiontree to aid platform designers in determining the most appropriate permission-18granting mechanism for a given resource (e.g., access to benign resources shouldbe granted automatically, whereas access to dangerous resources should requireapproval) [47]. They concluded that the majority of Android permissions can beautomatically granted, but 16% (corresponding to the 12 permissions in Table 2.1)should be granted via runtime dialogs.Nissenbaum’s theory of contextual integrity can help us to analyze “the ap-propriateness of a flow" in the context of permissions granted to Android appli-cations [82]. There is ambiguity in defining when an application actually needsaccess to user data to run properly. It is quite easy to see why a location-sharingapplication would need access to GPS data, whereas that same request comingfrom a game like Angry Birds is less obvious. “Contextual integrity is preservedif information flows according to contextual norms” [82], however, the lack ofthorough documentation on the Android permission model makes it easier for pro-grammers to neglect these norms, whether intentionally or accidentally [101]. De-ciding on whether an application is violating users’ privacy can be quite compli-cated since “the scope of privacy is wide-ranging” [82]. To that end, we performeddynamic analysis to measure how often (and under what circumstances) applica-tions were accessing protected resources, whether this complied with users’ ex-pectations, as well as how often they might be prompted if we adopt Felt et al.’sproposal to require runtime user confirmation before accessing a subset of theseresources [47]. Finally, we show how it is possible to develop a classifier to auto-matically determine whether or not to prompt the user based on varying contextualfactors.2.2 MethodologyOur long-term research goal is to minimize habituation by only confronting userswith necessary security decisions and avoiding showing them permission requeststhat are either expected, reversible, or unconcerning. Selecting which permissionsto ask about requires understanding how often users would be confronted witheach type of request (to assess the risk of habituation) and user reactions to these19requests (to assess the benefit to users). In this study, we explored the problemspace in two parts: we instrumented Android so that we could collect actual usagedata to understand how often access to various protected resources is requestedby applications in practice, and then we surveyed our participants to understandthe requests that they would not have granted, if given the option. This fieldstudy involved 36 participants over the course of one week of normal smartphoneusage. In this section, we describe the log data that we collected, our recruitmentprocedure, and then our exit survey.2.2.1 Tracking Access to Sensitive DataIn Android, when applications attempt to access protected resources (e.g., per-sonal information, sensor data, etc.) at runtime, the operating system checks tosee whether or not the requesting application was previously granted access dur-ing installation. We modified the Android platform to add a logging frameworkso that we could determine every time one of these resources was accessed by anapplication at runtime. Because our target device was a Samsung Nexus S smart-phone, we modified Android 4.1.1 (Jellybean), which was the newest version ofAndroid supported by our hardware.Data Collection ArchitectureOur goal was to collect as much data as possible about each applications’ accessto protected resources, while minimizing our impact on system performance. Ourdata collection framework consisted of two main components: a series of “pro-ducers” that hooked various Android API calls and a “consumer” embedded inthe main Android framework service that wrote the data to a log file and uploadedit to our collection server.We logged three kinds of permission requests. First, we logged function callschecked by checkPermission() in the Android Context implementation. Instru-menting the Context implementation, instead of the ActivityManagerServiceor PackageManager, allowed us to also log the function name invoked by the user-20space application. Next, we logged access to the ContentProvider class, whichverifies the read and write permissions of an application prior to it accessing struc-tured data (e.g., contacts or calendars) [9]. Finally, we tracked permission checksduring Intent transmission by instrumenting the ActivityManagerService andBroadcastQueue. Intents allow an application to pass messages to another ap-plication when an activity is to be performed in that other application (e.g., open-ing a URL in the web browser) [10].We created a component called Producer that fetches the data from the aboveinstrumented points and sends it back to the Consumer, which is responsible forlogging everything reported. Producers are scattered across the Android Plat-form, since permission checks occur in multiple places. The Producer that loggedthe most data was in system_server and recorded direct function calls to An-droid’s Java API. For a majority of privileged function calls, when a user appli-cation invokes the function, it sends the request to system_server via Binder.Binder is the most prominent IPC mechanism implemented to communicate withthe Android Platform (whereas Intents communicate between applications). Forrequests that do not make IPC calls to the system_server, a Producer is placedin the user application context (e.g., in the case of ContentProviders).The Consumer class is responsible for logging data produced by each Producer.Additionally, the Consumer also stores contextual information, which we describein Section 2.2.1. The Consumer syncs data with the filesystem periodically tominimize impact on system performance. All log data is written to the internalstorage of the device because the Android kernel is not allowed to write to exter-nal storage for security reasons. Although this protects our data from curious orcareless users, it also limits our storage capacity. Thus, we compressed the logfiles once every two hours and upload them to our collection servers whenever thephone had an active Internet connection (the average uploaded and zipped log filewas around 108KB and contained 9,000 events).Due to the high volume of permission checks we encountered and our goalof keeping system performance at acceptable levels, we added rate-limiting logic21to the Consumer. Specifically, if it has logged permission checks for a particularapplication/permission combination more than 10,000 times, it examines whetherit did so while exceeding an average rate of 1 permission check every 2 seconds.If so, the Consumer will only record 10% of all future requests for this applica-tion/permission combination. When this rate-limiting is enabled, the Consumertracks these application/permission combinations and updates all the Producersso that they start dropping these log entries. Finally, the Consumer makes a noteof whenever this occurs so that we can extrapolate the true number of permissionchecks that occurred.Data CollectionWe hooked the permission-checking APIs so that every time the system checkedwhether an application had been granted a particular permission, we logged thename of the permission, the name of the application, and the API method thatresulted in the check. In addition to timestamps, we collected the following con-textual data:• Visibility—We categorized whether the requesting application was visibleto the user, using four categories: running (a) as a service with no user inter-action; (b) as a service, but with user interaction via notifications or sounds;(c) as a foreground process, but in the background due to multitasking; or(d) as a foreground process with direct user interaction.• Screen Status—Whether the screen was on/off.• Connectivity—The phone’s WiFi connection state.• Location—The user’s last known coordinates. In order to preserve batterylife, we collected cached location data, rather than directly querying theGPS.• View—The UI elements in the requesting application that were exposed tothe user at the time that a protected resource was accessed. Specifically,since the UI is built from an XML file, we recorded the name of the screenas defined in the DOM.22• History—A list of applications with which the user interacted prior to therequesting application.• Path—When access to a ContentProvider object was requested, the pathto the specific content.Felt et al. proposed granting most Android permissions without a priori userapproval and granting 12 permissions (Table 2.1) at runtime so that users havecontextual information to infer why the data might be needed [47]. The idea isthat, if the user is asked to grant a permission while using an application, she mayhave some understanding of why the application needs that permission based onwhat she was doing. We initially wanted to perform experience sampling by prob-abilistically questioning participants whenever any of these 12 permissions werechecked [68]. Our goal was to survey participants about whether access to theseresources was expected and whether it should proceed, but we were concernedthat this would prime them to the security focus of our experiment, biasing theirsubsequent behaviors. Instead, we instrumented the phones to probabilisticallytake screenshots of what participants were doing when these 12 permissions werechecked so that we could ask them about it during the exit survey. We used reser-voir sampling to minimize storage and performance impacts, while also ensuringthat the screenshots covered a broad set of applications and permissions [114].Figure 4.1 shows a screenshot captured during the study along with its corre-sponding log entry shown in Table2.2. The user was playing the Solitaire gamewhile Spotify requested a WiFi scan. Since this permission was of interest (Table2.1), our instrumentation took a screenshot. Since Spotify was not the applica-tion the participant was interacting with, its visibility was set to false. The historyshows that prior to Spotify calling getScanResults(), the user had viewed Soli-taire, the call screen, the launcher, and the list of MMS conversations.23Permission Type ActivityWRITE_SYNC_SETTINGSChange application sync settingswhen the user is roamingACCESS_WIFI_STATEView nearby SSIDsINTERNET Access Internet when roamingNFC Communicate via NFCREAD_HISTORY_BOOKMARKSRead users’ browser historyACCESS_FINE_LOCATIONRead GPS locationACCESS_COARSE_LOCATIONRead network-inferred location(i.e., cell tower and/or WiFi)LOCATION_HARDWAREDirectly access GPS dataREAD_CALL_LOG Read call historyADD_VOICEMAIL Read call historyREAD_SMS Read sent/received/draft SMSSEND_SMS Send SMSTable 2.1: The 12 permissions that Felt et al. recommend be granted via runtimedialogs [47]. We randomly took screenshots when these permissions were re-quested by applications, and we asked about them in our exit survey.2.2.2 RecruitmentWe placed an online recruitment advertisement on Craigslist in October of 2014,under the “et cetera jobs” section.1 The title of the advertisement was “ResearchStudy on Android Smartphones,” and it stated that the study was about how peo-ple interact with their smartphones. We made no mention of security or privacy.Those interested in participating were directed to an online consent form. Uponagreeing to the consent form, potential participants were directed to a screeningapplication in the Google Play store. The screening application asked for informa-tion about each potential participant’s age, gender, smartphone make and model.1Approved by the UC Berkeley IRB under protocol #2013-02-499224Figure 2.1: ScreenshotIt also collected data on their phones’ internal memory size and the installed ap-plications. We screened out applicants who were under 18 years of age or usedproviders other than T-Mobile, since our experimental phones could not attain3G speeds on other providers. We collected data on participants’ installed ap-plications so that we could pre-install free applications prior to them visiting ourlaboratory. (We copied paid applications from their phones, since we could not25Name Log DataType API_FUNCPermission ACCESS_WIFI_STATEApp_Name com.spotify.musicTimestamp 1412888326273API Function getScanResults()Visibility FALSEScreen Status SCREEN_ONConnectivity NOT_CONNECTEDLocation Lat 37.XXX Long -122.XXXView com.mobilityware.solitaire/ 2.2: Corresponding log entrydownload those ahead of time.)We contacted participants who met our screening requirements to schedulea time to do the initial setup. Overall, 48 people showed up to our laboratory,and of those, 40 qualified (8 were rejected because our screening application didnot distinguish some Metro PCS users from T-Mobile users). In the email, wenoted that due to the space constraints of our experimental phones, we might notbe able to install all the applications on their existing phones, and therefore theyneeded to make a note of the ones that they planned to use that week. The initialsetup took roughly 30 minutes and involved transferring their SIM cards, helpingthem set up their Google and other accounts, and making sure they had all theapplications they needed. We compensated each participant with a $35 gift cardfor showing up at the setup session. Out of 40 people who were given phones, 2did not return them, and 2 did not regularly use them during the study period. Ofour 36 remaining participants who used the phones regularly, 19 were male and17 were female; ages ranged from 20 to 63 years old (µ = 32, σ= 11).After the initial setup session, participants used the experimental phones for26one week in lieu of their normal phones. They were allowed to install and unin-stall applications, and we instructed them to use these phones as they would theirnormal phones. Our logging framework kept track of every protected resourceaccessed by a user-level application along with the previously-mentioned contex-tual data. Due to storage constraints on the devices, our software uploaded logfiles to our server every two hours. However, to preserve participants’ privacy,screenshots remained on the phones during the course of the week. At the end ofthe week, each participant returned to our laboratory, completed an exit survey,returned the phone, and then received an additional $100 gift card (i.e., slightlymore than the value of the phone).2.2.3 Exit SurveyWhen participants returned to our laboratory, they completed an exit survey. Theexit survey software ran on a laptop in a private room so that it could ask questionsabout what they were doing on their phones during the course of the week withoutraising privacy concerns. We did not view their screenshots until participants gaveus permission. The survey had three components:• Screenshots—Our software displayed a screenshot taken after one of the12 resources in Table 2.1 was accessed. Next to the screenshot (Figure 2.2),we asked participants what they were doing on the phone when the screen-shot was taken (open-ended). We also asked them to indicate which ofseveral actions they believed the application was performing, chosen from amultiple-choice list of permissions presented in plain language (e.g., “read-ing browser history,” “sending a SMS,” etc.). After answering these ques-tions, they proceeded to a second page of questions (Figure 2.3). We in-formed participants at the top of this page of the resource that the applica-tion had accessed when the screenshot was taken, and asked them to indicatehow much they expected this (5-point Likert scale). Next, we asked, “if youwere given the choice, would you have prevented the app from accessingthis data,” and to explain why or why not. Finally, we asked for permission27to view the screenshot. This phase of the exit survey was repeated for 10-15different screenshots per participant, based on the number of screenshotssaved by our reservoir sampling algorithm.• Locked Screens—The second part of our survey involved questions aboutthe same protected resources, though accessed while device screens wereoff (i.e., participants were not using their phones). Because there were nocontextual cues (i.e., screenshots), we outright told participants which ap-plications were accessing which resources and asked them multiple choicequestions about whether they wanted to prevent this and the degree to whichthese behaviors were expected. They answered these questions for up to 10requests, similarly chosen by our reservoir sampling algorithm to yield abreadth of application/permission combinations.• Personal Privacy Preferences—Finally, in order to correlate survey re-sponses with privacy preferences, participants completed two privacy scales.Because of the numerous reliability problems with the Westin index [119],we computed the average of both Buchanan et al.’s Privacy Concerns Scale(PCS) [27] and Malhotra et al.’s Internet Users’ Information Privacy Con-cerns (IUIPC) scale [77].After participants completed the exit survey, we re-entered the room, answeredany remaining questions, and then assisted them in transferring their SIM cardsback into their personal phones. Finally, we compensated each participant with a$100 gift card.Three researchers independently coded 423 responses to the open-ended ques-tion in the screenshot portion of the survey. The number of responses per partic-ipant varied, as they were randomly selected based on the number of screenshotstaken: participants who used their phones more heavily had more screenshots, andthus answered more questions. Prior to meeting to achieve consensus, the threecoders disagreed on 42 responses, which resulted in an inter-rater agreement of90%. Taking into account the 9 possible codings for each response, Fleiss’ kappayielded 0.61, indicating substantial agreement.28Figure 2.2: On the first screen, participants answered questions to establish aware-ness of the permission request based on the screenshot.2.3 Application BehaviorsOver the week-long period, we logged 27M application requests to protected re-sources governed by Android permissions. This translates to over 100,000 re-quests per user/day. In this section, we quantify the circumstances under whichthese resources were accessed. We focus on the rate at which resources wereaccessed when participants were not actively using those applications (i.e., situ-ations likely to defy users’ expectations), access to certain resources with partic-ularly high frequency, and the impact of replacing certain requests with runtimeconfirmation dialogs (as per Felt et al.’s suggestion [47]).2.3.1 Invisible Permission RequestsIn many cases, it is entirely expected that an application might make frequentrequests to resources protected by permissions. For instance, the INTERNET per-mission is used every time an application needs to open a socket, ACCESS_FINE_LOCATION29Figure 2.3: On the second screen, they saw the resource accessed, stated whether itwas expected, and whether it should have been used every time the user’s location is checked by a mapping application, and soon. However, in these cases, one expects users to have certain contextual cuesto help them understand that these applications are running and making these re-quests. Based on our log data, most requests occurred while participants were notactually interacting with those applications, nor did they have any cues to indicatethat the applications were even running. When resources are accessed, applica-tions can be in five different states, with regard to their visibility to users:1. Visible foreground application (12.04%): the user is using the applicationrequesting the resource.2. Invisible background application (0.70%): due to multitasking, the ap-plication is in the background.3. Visible background service (12.86%): the application is a backgroundservice, but the user may be aware of its presence due to other cues (e.g., itis playing music or is present in the notification bar).4. Invisible background service (14.40%): the application is a backgroundservice without visibility.305. Screen off (60.00%): the application is running, but the phone screen is offbecause it is not in use.Combining the 3.3M (12.04% of 27M) requests that were granted when theuser was actively using the application (Category 1) with the 3.5M (12.86% of27M) requests that were granted when the user had other contextual cues to in-dicate that the application was running (Category 3), we can see that fewer thanone quarter of all permission requests (24.90% of 27M) occurred when the userhad clear indications that those applications were running. This suggests that dur-ing the vast majority of the time, access to protected resources occurs opaquelyto users. We focus on these 20.3M “invisible” requests (75.10% of 27M) in theremainder of this subsection.Harbach et al. found that users’ phone screens are off 94% of the time on av-erage [57]. We observed that 60% of permission requests occurred while partici-pants’ phone screens were off, which suggests that permission requests occurredless frequently than when participants were using their phones. At the same time,certain applications made more requests when participants were not using theirphones: “Brave Frontier Service,” “Microsoft Sky Drive,” and “Tile game byUMoni.” Our study collected data on over 300 applications, and therefore it is pos-sible that with a larger sample size, we would observe other applications engagingin this behavior. All of the aforementioned applications primarily requested AC-CESS_WIFI_STATE and INTERNET. While a definitive explanation for this be-havior requires examining source code or the call stacks of these applications, wehypothesize that they were continuously updating local data from remote servers.For instance, Sky Drive may have been updating documents, whereas the othertwo applications may have been checking the status of multiplayer games.Table 2.3 shows the most frequently requested permissions from applicationsrunning invisibly to the user (i.e., Categories 2, 4, and 5); Table 2.4 shows theapplications responsible for these requests (Appendix A.1 lists the permissionsrequested by these applications). We normalized the numbers to show requestsper user/day. ACCESS_NETWORK_STATE was most frequently requested, av-31Permission RequestsACCESS_NETWORK_STATE 31,206WAKE_LOCK 23,816ACCESS_FINE_LOCATION 5,652GET_ACCOUNTS 3,411ACCESS_WIFI_STATE 1,826UPDATE_DEVICE_STATS 1,426ACCESS_COARSE_LOCATION 1,277AUTHENTICATE_ACCOUNTS 644READ_SYNC_SETTINGS 426INTERNET 416Table 2.3: The most frequently requested permissions by applications with zero vis-ibility to the user.Application RequestsFacebook 36,346Google Location Reporting 31,747Facebook Messenger 22,008Taptu DJ 10,662Google Maps 5,483Google Gapps 4,472Foursquare 3,527Yahoo Weather 2,659Devexpert Weather 2,567Tile Game(Umoni) 2,239Table 2.4: The applications making the most permission requests while running in-visibly to the user.eraging 31,206 times per user/day—roughly once every 3 seconds. This is due toapplications constantly checking for Internet connectivity. However, the 5,562 re-quests/day to ACCESS_FINE_LOCATION and 1,277 requests/day to ACCESS_COARSE_LOCATIONare more concerning, as this could enable detailed tracking of the user’s move-ment throughout the day. Similarly, a user’s location can be inferred by using32ACCESS_WIFI_STATE to get data on nearby WiFi SSIDs.Contextual integrity means ensuring that information flows are appropriate,as determined by the user. Thus, users need the ability to see information flows.Current mobile platforms have done some work to let the user know about loca-tion tracking. For instance, recent versions of Android allow users to see whichapplications have used location data recently. While attribution is a positive steptowards contextual integrity, attribution is most beneficial for actions that are re-versible, whereas the disclosure of location information is not something that canbe undone [47]. We observed that fewer than 1% of location requests were madewhen the applications were visible to the user or resulted in the displaying of aGPS notification icon. Given that Thompson et al. showed that most users do notunderstand that applications running in the background may have the same abil-ities as applications running in the foreground [108], it is likely that in the vastmajority of cases, users do not know when their locations are being disclosed.This low visibility rate is because Android only shows a notification iconwhen the GPS sensor is accessed, while offering alternative ways of inferringlocation. In 66.1% of applications’ location requests, they directly queried theTelephonyManager, which can be used to determine location via cellular towerinformation. In 33.3% of the cases, applications requested the SSIDs of nearbyWiFi networks. In the remaining 0.6% of cases, applications accessed locationinformation using one of three built-in location providers: GPS, network, or pas-sive. Applications accessed the GPS location provider only 6% of the time (whichdisplayed a GPS notification). In the other 94% of the time, 13% queried the net-work provider (i.e., approximate location based on nearby cellular towers andWiFi SSIDs) and 81% queried the passive location provider. The passive locationprovider caches prior requests made to either the GPS or network providers. Thus,across all requests for location data, the GPS notification icon appeared 0.04% ofthe time.While the alternatives to querying the GPS are less accurate, users are stillsurprised by their accuracy [51]. This suggests a serious violation of contextual33integrity, since users likely have no idea their locations are being requested in thevast majority of cases. Thus, runtime notifications for location tracking need tobe improved [52].Apart from these invisible location requests, we also observed applicationsreading stored SMS messages (125 times per user/day), reading browser history(5 times per user/day), and accessing the camera (once per user/day). Thoughthe use of these permissions does not necessarily lead to privacy violations, usershave no contextual cues to understand that these requests are occurring.2.3.2 High Frequency RequestsSome permission requests occurred so frequently that a few applications (i.e.,Facebook, Facebook Messenger, Google Location Reporting, Google Maps, FarmHeroes Saga) had to be rate limited in our log files (see Section 2.2.1), so thatthe logs would not fill up users’ remaining storage or incur performance over-head. Table 2.5 shows the complete list of application/permission combinationsthat exceeded the threshold. For instance, the most frequent requests came fromFacebook requesting ACCESS_NETWORK_STATE with an average interval of213.88 ms (i.e., almost 5 times per second).With the exception of Google’s applications, all rate-limited applications madeexcessive requests for the connectivity state. We hypothesize that once these ap-plications lose connectivity, they continuously poll the system until it is regained.Their use of the getActiveNetworkInfo() method results in permission checksand returns NetworkInfo objects, which allow them to determine connection state(e.g., connected, disconnected, etc.) and type (e.g., WiFi, Bluetooth, cellular, etc.).Thus, these requests do not appear to be leaking sensitive information per se, buttheir frequency may have adverse effects on performance and battery life. It ispossible that using the ConnectivityManager’s NetworkCallback method maybe able to fulfill this need with far fewer permission checks.34Application / Permission Peak (ms) Avg. (ms)com.facebook.katana213.88 956.97ACCESS_NETWORK_STATEcom.facebook.orca334.78 1901.91ACCESS_WIFI_STATEcom.king.farmheroessaga284.02 731.27ACCESS_NETWORK_STATEcom.pandora.android541.37 541.37ACCESS_NETWORK_STATEcom.taptu.streams1746.36 1746.36ACCESS_NETWORK_STATETable 2.5: The application/permission combinations that needed to be rate limitedduring the study. The last two columns show the fastest interval recorded andthe average of all the intervals recorded before rate-limiting.2.3.3 Frequency of Data ExposureFelt et al. posited that while most permissions can be granted automatically in or-der to not habituate users to relatively benign risks, certain requests should requireruntime consent [47]. They advocated using runtime dialogs before the following35Resource Visible Invisible TotalData Exposed Requests Data Exposed Requests Data Exposed RequestsLocation 758 2,205 3,881 8,755 4,639 10,960Read SMS data 378 486 72 125 450 611Sending SMS 7 7 1 1 8 8Browser History 12 14 2 5 14 19Total 1,155 2,712 3,956 8,886 5,111 11,598Table 2.6: The sensitive permission requests (per user/day) when requesting appli-cations were visible/invisible to users. “Data exposed” reflects the subset ofpermission-protected requests that resulted in sensitive data being accessed.actions should proceed:1. Reading location information (e.g., using conventional location APIs, scan-ning WiFi SSIDs, etc.).2. Reading the user’s web browser history.3. Reading saved SMS messages.4. Sending SMS messages that incur charges, or inappropriately spamming theuser’s contact list.These four actions are governed by the 12 Android permissions listed in Ta-ble 2.1. Of the 300 applications that we observed during the experiment, 91(30.3%) performed one of these actions. On average, these permissions wererequested 213 times per hour/user—roughly every 20 seconds. However, per-mission checks occur under a variety of circumstances, only a subset of whichexpose sensitive resources. As a result, platform developers may decide to onlyshow runtime warnings to users when protected data is read or modified. Thus,we attempted to quantify the frequency with which permission checks actuallyresult in access to sensitive resources for each of these four categories. Table 2.6shows the number of requests seen per user/day under each of these four cate-gories, separating the instances in which sensitive data was exposed from the total36permission requests observed. Unlike Section 2.3.1, we include “visible” permis-sion requests (i.e., those occurring while the user was actively using the applica-tion or had other contextual information to indicate it was running). We didn’tobserve any uses of NFC, READ_CALL_LOG, ADD_VOICEMAIL, accessingWRITE_SYNC_SETTINGS or INTERNET while roaming in our dataset.Of the location permission checks, a majority were due to requests for locationprovider information (e.g., getBestProvider() returns the best location providerbased on application requirements), or checking WiFi state (e.g., getWifiState()only reveals whether WiFi is enabled). Only a portion of the requests actually ex-posed participants’ locations (e.g., getLastKnownLocation() or getScanResults()exposed SSIDs of nearby WiFi networks).Although a majority of requests for the READ_SMS permission exposed con-tent in the SMS store (e.g., Query() reads the contents of the SMS store), a consid-erable portion simply read information about the SMS store (e.g., renewMmsConnectivity()resets an applications’ connection to the MMS store). An exception to this is theuse of SEND_SMS, which resulted in the transmission of an SMS message everytime the permission was requested.Regarding browser history, both accessing visited URLs (getAllVisitedUrls())and reorganizing bookmark folders (addFolderToCurrent()) result in the samepermission being checked. However, the latter does not expose specific URLs tothe invoking application.Our analysis of the API calls indicated that on average, only half of all per-mission checks granted applications access to sensitive data. For instance, acrossboth visible and invisible requests, 5,111 of the 11,598 (44.3%) permission checksinvolving the 12 permissions in Table 2.1 resulted in the exposure of sensitive data(Table 2.6).While limiting runtime permission requests to only the cases in which pro-tected resources are exposed will greatly decrease the number of user interrup-tions, the frequency with which these requests occur is still too great. Promptingthe user on the first request is also not appropriate (e.g., à la iOS and Android M),37because our data show that in the vast majority of cases, the user has no contex-tual cues to understand when protected resources are being accessed. Thus, a usermay grant a request the first time an application asks, because it is appropriate inthat instance, but then she may be surprised to find that the application continuesto access that resource in other contexts (e.g., when the application is not activelyused). As a result, a more intelligent method is needed to determine when a givenpermission request is likely to be deemed appropriate by the user.2.4 User Expectations and ReactionsTo identify when users might want to be prompted about permission requests, ourexit survey focused on participants’ reactions to the 12 permissions in Table 2.1,limiting the number of requests shown to each participant based on our reservoirsampling algorithm, which was designed to ask participants about a diverse set ofpermission/application combinations. We collected participants’ reactions to 673permission requests (≈19/participant). Of these, 423 included screenshots be-cause participants were actively using their phones when the requests were made,whereas 250 permission requests were performed while device screens were off.2Of the former, 243 screenshots were taken while the requesting application wasvisible (Category 1 and 3 from Section 2.3.1), whereas 180 were taken while theapplication was invisible (Category 2 and 4 from Section 2.3.1). In this section, wedescribe the situations in which requests defied users’ expectations. We presentexplanations for why participants wanted to block certain requests, the factors in-fluencing those decisions, and how expectations changed when devices were notin use.2.4.1 Reasons for BlockingWhen viewing screenshots of what they were doing when an application requesteda permission, 30 participants (80% of 36) stated that they would have preferred2Our first 11 participants did not answer questions about permission requests occurring whilenot using their devices, and therefore the data only corresponds to our last 25 participants.38to block at least one request, whereas 6 stated a willingness to allow all requests,regardless of resource type or application. Across the entire study, participantswanted to block 35% of these 423 permission requests. When we asked partici-pants to explain their rationales for these decisions, two main themes emerged: therequest did not—in their minds—pertain to application functionality or it involvedinformation they were uncomfortable sharing.Relevance to Application FunctionalityWhen prompted for the reason behind blocking a permission request, 19 (53%of 36) participants did not believe it was necessary for the application to performits task. Of the 149 (35% of 423) requests that participants would have preferredto block, 79 (53%) were perceived as being irrelevant to the functionality of theapplication:• “It wasn’t doing anything that needed my current location.” (P1)• “I don’t understand why this app would do anything with SMS.” (P10)Accordingly, functionality was the most common reason for wanting a permis-sion request to proceed. Out of the 274 permissible requests, 195 (71% of 274)were perceived as necessary for the core functionality of the application, as notedby thirty-one (86% of 36) participants:• “Because it’s a weather app and it needs to know where you are to give youweather information.”(P13)• “I think it needs to read the SMS to keep track of the chat conversation.”(P12)Beyond being necessary for core functionality, participants wanted 10% (27of 274) of requests to proceed because they offered convenience; 90% of theserequests were for location data, and the majority of those applications were pub-lished under the Weather, Social, and Travel & Local categories in the GooglePlay store:39• “It selects the closest stop to me so I don’t have to scroll through the wholelist.” (P0)• “This app should read my current location. I’d like for it to, so I won’t haveto manually enter in my zip code / area.” (P4)Thus, requests were allowed when they were expected: when participantsrated the extent to which each request was expected on a 5-point Likert scale,allowable requests averaged 3.2, whereas blocked requests averaged 2.3 (lower isless expected).Privacy ConcernsParticipants also wanted to deny permission requests that involved data that theyconsidered sensitive, regardless of whether they believed the application actuallyneeded the data to function. Nineteen (53% of 36) participants noted privacy as aconcern while blocking a request, and of the 149 requests that participants wantedto block, 49 (32% of 149) requests were blocked for this reason:• “SMS messages are quite personal.” (P14)• “It is part of a personal conversation.” (P11)• “Pictures could be very private and I wouldn’t like for anybody to haveaccess.” (P16)Conversely, 24 participants (66% of 36) wanted requests to proceed simplybecause they did not believe that the data involved was particularly sensitive; thisreasoning accounted for 21% of the 274 allowable requests:• “I’m ok with my location being recorded, no concerns.” (P3)• “No personal info being shared.” (P29)2.4.2 Influential FactorsBased on participants’ responses to the 423 permission requests involving screen-shots (i.e., requests occurring while they were actively using their phones), we40quantitatively examined how various factors influenced their desire to block someof these requests.Effects of Identifying Permissions on Blocking: In the exit survey, we askedparticipants to guess the permission an application was requesting, based on thescreenshot of what they were doing at the time. The real answer was among fourother incorrect answers. Of the 149 cases where participants wanted to blockpermission requests, they were only able to correctly state what permission wasbeing requested 24% of the time; whereas when wanting a request to proceed,they correctly identified the requested permission 44% (120 of 274) of the time.However, Pearson’s product-moment test on the average number of blocked re-quests per user and the average number of correct answers per user3 did not yielda statistically significant correlation (r=−0.171, p<0.317).Effects of Visibility on Expectations: We were particularly interested in ex-ploring if permission requests originating from foreground applications (i.e., vis-ible to the user) were more expected than ones from background applications. Ofthe 243 visible permission requests that we asked about in our exit survey, par-ticipants correctly identified the requested permission 44% of the time, and theiraverage rating on our expectation scale was 3.4. On the other hand, participantscorrectly identified the resources accessed by background applications only 29%of the time (52 of 180), and their average rating on our expectation scale was3.0. A Wilcoxon Signed-Rank test with continuity correction revealed a statisti-cally significant difference in participants’ expectations between these two groups(V=441.5, p<0.001).Effects of Visibility on Blocking: Participants wanted to block 71 (29% of243) permission requests originating from applications running in the foreground,whereas this increased by almost 50% when the applications were in the back-ground invisible to them (43% of 180). We calculated the percentage of denialsfor each participant, for both visible and invisible requests. A Wilcoxon Signed-Rank test with continuity correction revealed a statistically significant difference3Both measures were normally distributed.41(V=58, p<0.001).Effects of Privacy Preferences on Blocking: Participants completed the Pri-vacy Concerns Scale (PCS) [27] and the Internet Users’ Information Privacy Con-cerns (IUIPC) scale [77]. A Spearman’s rank test yielded no statistically sig-nificant correlation between their privacy preferences and their desire to blockpermission requests (ρ = 0.156, p<0.364).Effects of Expectations on Blocking: We examined whether participants’expectations surrounding requests correlated with their desire to block them. Foreach participant, we calculated their average Likert scores for their expectationsand the percentage of requests that they wanted to block. Pearson’s product-moment test showed a statistically significant correlation (r=−0.39, p<0.018).The negative correlation shows that participants were more likely to deny un-expected requests.2.4.3 User Inactivity and Resource AccessIn the second part of the exit survey, participants answered questions about 10resource requests that occurred when the screen was off (not in use). Overall, theywere more likely to expect resource requests to occur when using their devices(µ = 3.26 versus µ = 2.66). They also stated a willingness to block almost halfof the permission requests (49.6% of 250) when not in use, compared to a thirdof the requests that occurred when using their phones (35.2% of 423). However,neither of these differences was statistically significant.2.5 Feasibility of Runtime RequestsFelt et al. posited that certain sensitive permissions (Table 2.1) should requireruntime consent [47], but in Section 2.3.3 we showed that the frequencies withwhich applications are requesting these permissions make it impractical to promptthe user each time a request occurs. Instead, the major mobile platforms haveshifted towards a model of prompting the user the first time an application requests42access to certain resources: iOS does this for a selected set of resources, such aslocation and contacts, and Android M does this for “dangerous” permissions.How many prompts would users see, if we added runtime prompts for the firstuse of these 12 permissions? We analyzed a scheme where a runtime promptis displayed at most once for each unique triplet of (application, permission, ap-plication visibility), assuming the screen is on. With a naïve scheme, our studydata indicates our participants would have seen an average of 34 runtime prompts(ranging from 13 to 77, σ=11). As a refinement, we propose that the user shouldbe prompted only if sensitive data will be exposed (Section 2.3.3), reducing theaverage number of prompts to 29.Of these 29 prompts, 21 (72%) are related to location. Apple iOS alreadyprompts users when an application accesses location for the first time, with no ev-idence of user habituation or annoyance. Focusing on the remaining prompts, wesee that our policy would introduce an average of 8 new prompts per user: about 5for reading SMS, 1 for sending SMS, and 2 for reading browser history. Our datacovers only the first week of use, but as we only prompt on first use of a permis-sion, we expect that the number of prompts would decline greatly in subsequentweeks, suggesting that this policy would likely not introduce significant risk ofhabituation or annoyance. Thus, our results suggest adding runtime prompts forreading SMS, sending SMS, and reading browser history would be useful giventheir sensitivity and low frequency.Our data suggests that taking visibility into account is important. If we ignorevisibility and prompted only once for each pair of (application, permission), userswould have no way to select a different policy for when the application is visibleor not visible. In contrast, “ask-on-first-use” for the triple (application, permis-sion, visibility) gives users the option to vary their decision based on the visibilityof the requesting application. We evaluated these two policies by analyzing theexit survey data (limited to situations where the screen was on) for cases wherethe same user was asked twice in the survey about situations with the same (ap-plication, permission) pair or the same (application, permission, visibility) triplet,43to see whether the user’s first decision to block or not matched their subsequentdecisions. For the former policy, we saw only 51.3% agreement; for the latter,agreement increased to 83.5%. This suggests that the (application, permission,visibility) triplet captures many of the contextual factors that users care about,and thus it is reasonable to prompt only once per unique triplet.A complicating factor is that applications can also run even when the user isnot actively using the phone. In addition to the 29 prompts mentioned above, ourdata indicates applications would have triggered an average of 7 more promptswhile the user was not actively using the phone: 6 for location and one for readingSMS. It is not clear how to handle prompts when the user is not available torespond to the prompt: attribution might be helpful, but further research is needed.2.5.1 Modeling Users’ DecisionsWe constructed several statistical models to examine whether users’ desire toblock certain permission requests could be predicted using the contextual data thatwe collected. If such a relationship exists, a classifier could determine when todeny potentially unexpected permission requests without user intervention. Con-versely, the classifier could be used to only prompt the user about questionabledata requests. Thus, the response variable in our models is the user’s choice ofwhether to block the given permission request. Our predictive variables consistedof the information that might be available at runtime: permission type (with therestriction that the invoked function exposes data), requesting application, andvisibility of that application. We constructed several mixed effects binary logisticregression models to account for both inter-subject and intra-subject effects.Model SelectionIn our mixed effects models, permission types and the visibility of the requestingapplication were fixed effects, because all possible values for each variable existedin our data set. Visibility had two values: visible (the user is interacting with theapplication or has other contextual cues to know that it is running) and invisible.44Permission types were categorized based on Table 2.6. The application name andthe participant ID were included as random effects, because our survey data didnot have an exhaustive list of all possible applications a user could run, and theparticipant has a non-systematic effect on the data.Table 2.7 shows two goodness-of-fit metrics: the Akaike Information Criterion(AIC) and Bayesian Information Criterion (BIC). Lower values for AIC and BICrepresent better fit. Table 2.7 shows the different parameters included in eachmodel. We found no evidence of interaction effects and therefore did not includethem. Visual inspection of residual plots of each model did not reveal obviousdeviations from homoscedasticity or normality.We initially included the phone’s screen state as another variable. However,we found that creating two separate models based on the screen state resultedin better fit than using a single model that accounted for screen state as a fixedeffect. When the screen was on, the best fit was a model including applicationvisibility and application name, while controlling for subject effects. Here, fit im-proved once permission type was removed from the model, which shows that thedecision to block a permission request was based on contextual factors: users donot categorically deny permission requests based solely on the type of resourcebeing accessed (i.e., they also account for their trust in the application, as well aswhether they happened to be actively using it). When the screen was off, however,the effect of permission type was relatively stronger. The strong subject effect inboth models indicates that these decisions vary from one user to the next. As aresult, any classifier developed to automatically decide whether to block a per-mission at runtime (or prompt the user) will need to be tailored to that particularuser’s needs.Predicting User ReactionsUsing these two models, we built two classifiers to make decisions about whetherto block any of the sensitive permission requests listed in Table 2.6. We usedour exit survey data as ground truth, and used 5-fold cross-validation to evaluate45Predictors AIC BIC Screen StateUserCode 490.60 498.69 Screen OnApplication 545.98 554.07 Screen OnApplicationUserCode491.86 503.99 Screen OnPermissionApplicationUserCode494.69 527.05 Screen OnVisibilityApplicationUserCode481.65 497.83 Screen OnPermissionVisibilityApplicationUserCode484.23 520.64 Screen OnUserCode 245.13 252.25 Screen OffApplication 349.38 356.50 Screen OffApplicationUserCode238.84 249.52 Screen OffPermissionApplicationUserCode235.48 263.97 Screen OffTable 2.7: Goodness-of-fit metrics for various mixed effects logistic regressionmodels on the exit survey data.model accuracy.We calculated the receiver operating characteristic (ROC) to capture the trade-off between true-positive and false-positive rate. The quality of the classifier canbe quantified with a single value by calculating the area under its ROC curve(AUC) [58]. The closer the AUC gets to 1.0, the better the classifier is. Whenscreens were on, the AUC was 0.7, which is 40% better than the random base-line (0.5). When screens were off, the AUC was 0.8, which is 60% better than arandom baseline.462.6 DiscussionDuring the study, 80% of our participants deemed at least one permission re-quest as inappropriate. This violates Nissenbaum’s notion of “privacy as con-textual integrity” because applications were performing actions that defied users’expectations [83]. Felt et al. posited that users may be able to better understandwhy permission requests are needed if some of these requests are granted viaruntime consent dialogs, rather than Android’s previous install-time notificationapproach [47]. By granting permissions at runtime, users will have additional con-textual information; based on what they were doing at the time that resources arerequested, they may have a better idea of why those resources are being requested.We make two primary contributions that system designers can use to makemore usable permissions systems. We show that the visibility of the requestingapplication and the frequency at which requests occur are two important factors indesigning a runtime consent platform. Also, we show that “prompt-on-first-use”per triplet could be implemented for some sensitive permissions without riskinguser habituation or annoyance.Based on the frequency with which runtime permissions are requested (Sec-tion 2.3), it is infeasible to prompt users every time. Doing so would overwhelmthem and lead to habituation. At the same time, drawing user attention to the sit-uations in which users are likely to be concerned will lead to greater control andawareness. Thus, the challenge is in acquiring their preferences by confrontingthem minimally and then automatically inferring when users are likely to find apermission request unexpected, and only prompting them in these cases. Our datasuggests that participants’ desires to block particular permissions were heavilyinfluenced by two main factors: their understanding of the relevance of a permis-sion request to the functionality of the requesting application and their individualprivacy concerns.Our models in Section 2.5.1 showed that individual characteristics greatly ex-plain the variance between what different users deem appropriate, in terms ofaccess to protected resources. While responses to privacy scales failed to explain47these differences, this was not a surprise, as the disconnect between stated privacypreferences and behaviors is well-documented (e.g., [2]). This means that in orderto accurately model user preferences, the system will need to learn what a specificuser deems inappropriate over time. Thus, a feedback loop is likely needed: whendevices are “new,” users will be required to provide more input surrounding per-mission requests, and then based on their responses, they will see fewer requestsin the future. Our data suggests that prompting once for each unique (application,permission, application visibility) triplet can serve as a practical mechanism inacquiring users’ privacy preferences.Beyond individual subject characteristics (i.e., personal preferences), partic-ipants based their decisions to block certain permission requests on the specificapplications making the requests and whether they had contextual cues to indicatethat the applications were running (and therefore needed the data to function).Future systems could take these factors into account when deciding whether ornot to draw user attention to a particular request. For example, when an applica-tion that a user is not actively using requests access to a protected resource, sheshould be shown a runtime prompt. Our data indicates that, if the user decides togrant a request in this situation, then with probability 0.84 the same decision willhold in future situations where she is actively using that same application, andtherefore a subsequent prompt may not be needed. At a minimum, platforms needto treat permission requests from background applications differently than thoseoriginating from foreground applications. Similarly, applications running in thebackground should use passive indicators to communicate when they are access-ing particular resources. Platforms can also be designed to make decisions aboutwhether or not access to resources should be granted based on whether contextualcues are present, or at its most basic, whether the device screen is even on.Finally, we built our models and analyzed our data within the framework ofwhat resources our participants believed were necessary for applications to cor-rectly function. Obviously, their perceptions may have been incorrect: if theybetter understood why a particular resource was necessary, they may have been48more permissive. Thus, it is incumbent on developers to adequately communicatewhy particular resources are needed, as this impacts user notions of contextualintegrity. Yet, no mechanisms in Android exist for developers to do this as part ofthe permission-granting process. For example, one could imagine requiring meta-data to be provided that explains how each requested resource will be used, andthen automatically integrating this information into permission requests. Tan etal. examined a similar feature on iOS that allows developers to include free-formtext in runtime permission dialogs and observed that users were more likely togrant requests that included this text [107]. Thus, we believe that including suc-cinct explanations in these requests would help preserve contextual integrity bypromoting greater transparency.In conclusion, we believe this study was instructive in showing the circum-stances in which Android permission requests are made under real-world usage.While prior work has already identified some limitations of deployed mobile per-missions systems, we believe our study can benefit system designers by demon-strating several ways in which contextual integrity can be improved, thereby em-powering users to make better security decisions.49Chapter 3PredictionIn iOS and Android M, the platform prompts the user when an application at-tempts to access one of a set of “dangerous”1 permission types (e.g., location,contacts, etc.) for the first time. This ask-on-first-use (AOFU) model is an im-provement over ask-on-install (AOI). Prompting users the first time an applicationuses one of the designated permissions gives users a better sense of context: theirknowledge of what they were doing when the application first tried to access thedata should help them determine whether the request is appropriate.One critical caveat of this approach is that mobile platforms seek the consentof the user the first time a given application attempts to access a certain data typeand then enforce the user’s decision for all subsequent cases, regardless of thecircumstances surrounding each access. For example, a user may grant an appli-cation access to location data because she is using location-based features, but bydoing this, the application can subsequently access location data for behavioraladvertising, which may violate the user’s preferences. Based on the results pre-sented in the previous chapter, however, it is not feasible to prompt the user everytime data is accessed, due to the high frequency of permission requests.In the previous chapter we presented data from a field to operationalize the1Android designated a selected set of 24 resource types as more sensitive over the otherresources.[54]50notion of “context,” to allow an operating system to differentiate between appro-priate and inappropriate data requests by a single application for a single datatype. We show that users’ decisions to allow a permission request significantlycorrelated with that application’s visibility – that this visibility is a strong contex-tual cue that influences users’ responses to permission prompts. We also observedthat privacy decisions were highly nuanced, demonstrating that a one-size-fits-allmodel is unlikely to be sufficient; a given information flow may be deemed appro-priate by one user but not by another user – we suggest applying machine learningin order to infer individual users’ privacy preferences.To achieve this, research is needed to determine what factors affect user pri-vacy decisions and how to use those factors to make privacy decisions on theuser’s behalf. While we cannot automatically capture everything involved in Nis-senbaum’s notion of context, we can try to detect when context has likely changed(insofar as to decide whether a different privacy decision should be made for thesame application and data type), by seeing whether the circumstances surroundinga data request are similar to previous requests.To this end, we collected real-world Android usage data in order to explorewhether we could infer users’ future privacy decisions based on their past privacydecisions, contextual circumstances surrounding applications’ data requests, andusers’ behavioral traits. We conducted a field study where 131 participants usedAndroid phones that were instrumented to gather data over an average of 32 daysper participant. Also, their phones periodically prompted them to make privacydecisions when applications used sensitive permissions, and we logged their de-cisions. Overall, participants wanted to block 60% of these requests. We foundthat AOFU yields 84% accuracy, i.e., its policy agrees with participants’ promptedresponses 84% of the time. AOI achieves only 25% accuracy.We designed new techniques that use machine learning to automatically pre-dict how users would respond to prompts, so that we can avoid prompting themin most cases, thereby reducing user burden. Our classifier uses the user’s pastdecisions in similar situations to predict their response to a particular permission51request. The classifier outputs a prediction and a confidence score; if the classi-fier is sufficiently confident, we use its prediction, otherwise we prompt the userfor their decision. We also incorporate information about the user’s behavior inother security and privacy situations to make inferences about their preferences:whether they have a screen lock activated, how often they visit HTTPS websites,and so on. We show that our scheme achieves 96.8% accuracy (a 4× reductionin error rate over AOFU) with significantly less user involvement than the statusquo.The specific contributions of this chapter are the following:• We conducted the first known large-scale study on quantifying the effec-tiveness of ask-on-first-use permissions.• We show that a significant portion of the studied participants make contex-tual decisions on permissions—the foreground application and the visibilityof the permission-requesting application are strong cues participants used tomake contextual decisions.• We show how a machine-learned model can incorporate context and betterpredict users’ privacy decisions.• To the best of our knowledge, we are the first to use passively observed traitsto infer future privacy decisions on a case-by-case basis at runtime.3.1 Related WorkThere is a large body of work demonstrating that install-time prompts fail be-cause users do not understand or pay attention to them [55, 65, 116]. When usinginstall-time prompts, users often do not understand which permission types corre-spond to which sensitive resources and are surprised by the ability of backgroundapplications to collect information [49, 64, 108]. Applications also transmit alarge amount of location or other sensitive data to third parties without user con-sent [43]. When possible risks associated with these requests are revealed to users,their concerns range from being annoyed to wanting to seek retribution [48].52To mitigate some of these problems, systems have been developed to track in-formation flows across the Android system [43, 53, 67] or introduce finer-grainedpermission control into Android [5, 60, 100], but many of these solutions increaseuser involvement significantly, which can lead to habituation. Additionally, manyof these proposals are useful only to the most-motivated or technically savvyusers. For example, many such systems require users to configure complicatedcontrol panels, which many are unlikely to do [122]. Other approaches involvestatic analysis in order to better understand how applications could request in-formation [11, 23, 45], but these say little about how applications actually useinformation. Dynamic analysis improves upon this by allowing users to see howoften this information is requested in real time [43, 104, 117], but substantial workis likely needed to present that information to average users in a meaningful way.Solutions that require user interruptions need to also minimize user interventionin order to prevent habituation.Other researchers have developed recommendation systems to recommend ap-plications based on users’ privacy preferences [125], or detect privacy violationsand suggest preferences based on crowdsourcing [4, 71], but such approaches of-ten do not take individual user differences into account without significant userintervention. Systems have also been developed to predict what users would shareon mobile social networks [22], which suggests that future systems could po-tentially infer what information users would be willing to share with third-partyapplications. By requiring users to self-report privacy preferences, clustering al-gorithms have been used to define user privacy profiles even in the face of diversepreferences [72, 97]. However, researchers have found that the order in whichinformation is requested has an impact on prediction accuracy [120], which couldmean that such systems are only likely to be accurate when they examine actualuser behavior over time (as opposed to one-time self-reports).Liu et al. clustered users by privacy preferences and used ML techniquesto predict whether to allow or deny an application’s request for sensitive userdata [73]. Their dataset, however, was collected from a set of highly privacy-53conscious individuals: those who choose to install a permission-control mecha-nism. Furthermore, the researchers removed “conflicting” user decisions, in whicha user chose to deny a permission for an application, and then later chose to allowit. These conflicting decisions, however, do not represent noisy data. They occurnearly 50% of the time in the real world as it was shown in the previous chap-ter [117], and accurately reflect the nuances of user privacy preferences. Modelsmust therefore account for them. In fact, previous work found that users com-monly reassess privacy preferences after usage [6]. Liu et al. also expect users tomake 10% of permission decisions manually, which, based on our previous fieldstudy results, would result in being prompted every three minutes [117]. This isobviously impractical. Our goal is to design a system that can automatically makedecisions on behalf of users, that accurately models their preferences, while alsonot over-burdening them with repeated requests.Closely related to this work, Liu et al. [74] performed a field study to measurethe effectiveness of a Privacy Assistant that offers recommendations to users onprivacy settings that they could adopt based on each user’s privacy profile—theprivacy assistant predicts what the user might want based on the inferred privacyprofile and static analysis of the third-party application. While this approach in-creased user awareness on resource usage, the recommendations are static: theydo not consider each application’s access to sensitive data on a case-by-case basis.Such a coarse-grained approach goes against our previous work suggesting thatusers do want to vary their decisions based on contextual circumstances [117]. Ablanket approval or denial of a permission to a given application carries a con-siderable risk of privacy violations or loss of desired functionality. In contrast,our work uses dynamic analysis to infer the appropriateness of each given requestby considering the surrounding contextual cues and how the user has behaved insimilar situations in the past. As with Liu et al., their dataset was also collectedfrom privacy-conscious and considerably tech-savvy individuals, which may limitthe generalization of their results. The field study we conduct in our work uses amore representative sample.54Nissenbaum’s theory of contextual integrity suggests that permission modelsshould focus on information flows that are likely to defy user expectations [82].There are three main components involved in deciding the appropriateness of aflow [20]: the context in which the resource request is made, the role playedby the requesting application under the current context, and the type of resourcebeing accessed. Neither previous nor currently deployed permission models takeall three factors into account. This model could be used to improve permissionmodels by automatically granting access to data when the system determines thatit is appropriate, denying access when it is inappropriate, and prompting the useronly when a decision cannot be made automatically, thereby reducing user burden.Access Control Gadgets (ACGs) were proposed as a mechanism to tie sensi-tive resource access to certain UI elements [78, 94–96]. Authors posit that suchan approach will increase user expectations, as a significant portion of participantsexpected a UI interaction before a sensitive resource usage, giving users an im-plicit mechanism to control access and increasing awareness on resource usage.The biggest caveat in this approach is that tying a UI interaction to each sensitiveresource access is impossible in practice because resources are accessed at a highfrequency [117], and because many legitimate resource accesses occur withoutuser initiation [47].3.2 MethodologyWe collected data from 131 participants to understand what factors could be usedto infer whether a permission request is likely to be deemed appropriate by theuser.Previous work by Felt et al. made the argument that certain permissions areappropriate for runtime prompts, because they protect sensitive resources and be-cause viewing the prompt at runtime imparts additional contextual informationabout why an application might need the permission [47]. Similarly, Thompsonet al. showed that other permission requests could be replaced with audit mech-anisms, because they represent either reversible changes or are sufficiently low55Permission Type ActivityACCESS_WIFI_STATE View nearby SSIDsNFC Communicate via NFCREAD_HISTORY_BOOKMARKS Read users’ browser historyACCESS_FINE_LOCATION Read GPS locationACCESS_COARSE_LOCATIONRead network-inferred location(i.e., cell tower and/or WiFi)LOCATION_HARDWARE Directly access GPS dataREAD_CALL_LOG Read call historyADD_VOICEMAIL Read call historyREAD_SMS Read sent/received/draftSMSSEND_SMS Send SMS*INTERNET Access Internet when roam-ing*WRITE_SYNC_SETTINGSChange application syncsettings when roamingTable 3.1: Felt et al. proposed granting a select set of 12 permissions at run-time so that users have contextual information to infer why the data mightbe needed [47]. Our instrumentation omits the last two permission types(INTERNET & WRITE_SYNC_SETTINGS) and records information about theother 10.risk to not warrant habituating the user to prompts [108]. We collected informa-tion about 10 of the 12 permissions Felt et al. suggest are best-suited for runtimeprompts. We omitted INTERNET and WRITE_SYNC_SETTINGS, because thosepermissions only warrant runtime prompts if the user is roaming and we did notexpect any participant to be roaming during the study period, and focused on theremaining 10 permission types (Table 3.1). While there are many other sensitivepermissions beyond this set, Felt et al. concluded that the others are best handledby other mechanisms (e.g., install-time prompts, ACGs, etc.).We used the Experience Sampling Method (ESM) to collect ground truth dataabout users’ privacy preferences [59]. ESM involves repeatedly questioning par-56Figure 3.1: A screenshot of an ESM prompt.ticipants in situ about a recently observed event; in this case, we probabilisti-cally asked them about an application’s recent access to data on their phone, andwhether they would have permitted it if given the choice. We treated participants’responses to these ESM probes as our main dependent variable (Figure 4.1).We also instrumented participants’ smartphones to obtain data about theirprivacy-related behaviors and the frequency with which applications accessedprotected resources. The instrumentation required a set of modifications to theAndroid operating system and flashing a custom Android version onto partici-pants’ devices. To facilitate such experiments, the University of Buffalo offers57non-affiliated academic researchers access to the PhoneLab panel [80], whichconsists of more than 200 participants. All of these participants had LG Nexus5 phones running Android 5.1.1 and the phones were periodically updated over-the-air (OTA) with custom modifications to the Android operating system. Par-ticipants can decide when to install the OTA update, which marks their entry intonew experiments. During our experiment period, different participants installedthe OTA update with our instrumentation at different times, thus we have neitherdata on all PhoneLab participants nor data for the entire period. Our OTA updatewas available to participants for a period of six weeks, between February 2016 andMarch 2016. At the end of the study period, we emailed participants a link to anexit survey to collect demographic information. Our study received institutionalreview board (IRB) approval.23.2.1 InstrumentationThe goal of our instrumentation was to collect as much runtime and behavioraldata as could be observed from the Android platform, with minimal performancecost. We collected three categories of data: behavioral information, runtime in-formation, and user decisions. We made no modifications to any third-party ap-plication code; our dynamic analysis techniques could be used on any third-partyAndroid application.Table 3.2 contains the complete list of behavioral and runtime events our in-strumentation recorded. The behavioral data fell under several categories, all cho-sen based on several hypotheses that we had about the types of behaviors thatmight correlate with privacy preferences: web-browsing habits, screen lockingbehavior, third-party application usage behavior, audio preferences, call habits,camera usage patterns, and behavior related to security settings. For example,we hypothesized that someone who manually locks their device screen are moreprivacy-conscious than someone who lets it time out.We also collected runtime information about the context of each permission2Approved by the UC Berkeley IRB under protocol #2013-02-499258Type Event RecordedBehavioralInstrumentationChanging developer optionsOpening/Closing security settingsChanging security settingsEnabling/Disabling NFCChanging location modeOpening/Closing location settingsChanging screen-lock typeUse of two factor authenticationLog initial settings informationUser locks the screenScreen times outApp locks the screenAudio mode changedEnabling/Disabling speakerphoneConnecting/Disconnecting headphonesMuting the phoneTaking an audio callTaking a picture (front- vs. rear-facing)Visiting an HTTPS link in ChromeResponding to a notificationUnlocking the phoneRuntimeInformationAn application changing the visibilityPlatform switches to a new activityPermissionRequestsAn app requests a sensitive permissionESM prompt for a selected permissionTable 3.2: Instrumented events that form our feature setrequest, including the visibility of the requesting application at the time of re-quest, what the user was doing when the request was made (i.e., the name ofthe foreground application), and the exact Android API function invoked by theapplication to determine what information was requested. The visibility of anapplication reflects the extent to which the user was likely aware that the appli-cation was running; if the application was in the foreground, the user had cues59that the application was running, but if it was in the background, then the userwas likely not aware that the application was running and therefore might find thepermission request unexpected—some background services can still be visible tothe user due to on-screen notification or other cues that could be perceptible. Wemonitored processes’ memory priority levels to determine the visibility of all An-droid processes. We also collected information about which Android Activitywas active in the application.3Once per day we probabilistically selected one of these permission requestsand prompted the user about them at runtime (Figure 4.1). We used weightedreservoir sampling to select a permission request to prompt about. We weightthe combination of application, permission, visibility based on their frequencyof occurrence seen by the instrumentation; the most-frequent combination hasa higher probability of being shown to participants using ESM. We promptedparticipants a maximum of three times for each unique combination. We tuned thewording of the prompt to make it clear that the request had just occurred and theirresponse would not affect the system (a deny response would not actually denydata). These responses serve as the ground truth for all the analysis mentioned inthe remainder of the chapter.The intuition behind using weighted reservoir sampling is to focus more onthe frequently occurring permission requests over rare ones. Common permissionrequests contribute most to user habituation due to their high frequency. Thus, itis more important to learn about user privacy decisions on highly frequent permis-sion requests over the rare ones, which might not risk user habituation or annoy-ance (and the context of rare requests may be less likely to change).3.2.2 Exit SurveyAt the end of our data collection period, PhoneLab staff emailed participants a linkto our online exit survey, which they were incentivized to complete with a raffle for3An Android Activity represents the application screen and UI elements currently exposedto the user.60two $100 Amazon gift cards. The survey gathered demographic information andqualitative information on their privacy preferences. Of the 203 participants in ourexperiment, 53 fully completed the survey, and another 14 partially completed it.Of the 53 participants to fully complete the survey, 21 were male, 31 were female,and 1 undisclosed. Participants ranged from 20 to 72 years of age (µ = 40.83, σ =14.32). Participants identified themselves as 39.3% staff, 32.1% students, 19.6%faculty, and 9% other. Only 21% of the survey respondents had an academicqualification in STEM, which suggests that the sample is unlikely to be biasedtowards tech-savvy users.3.2.3 SummaryWe collected data from February 5 to March 17, 2016. PhoneLab allows any par-ticipant to opt-out of an experiment at any time. Thus, of the 203 participants whoinstalled our custom Android build, there were 131 who used it for more than 20days. During the study period, we collected 176M events across all participants(31K events per participant/day). Our dataset consists of 1,686 unique applica-tions and 13K unique activities. Participants also responded to 4,636 promptsduring the study period. We logged 96M sensitive permission requests, whichtranslates to roughly one sensitive permission request every 6 seconds per partic-ipant. For the remainder of the paper, we only consider the data from the 131participants who used the system for at least 20 days, which corresponds to 4,224ESM prompts.Of the 4,224 prompts, 55.3% were in response to ACCESS_WIFI_STATE, whentrying to access WiFi SSID information that could be used to infer the locationof the smartphone; 21.0%, 17.3%, 5.08%, 0.78%, and 0.54% were from access-ing location directly, reading SMS, sending SMS, reading call logs, and access-ing browser history, respectively. A total of 137 unique applications triggeredprompts during the study period. Of the 4,224 prompts, participants wanted todeny 60.01% of them, and 57.65% of the prompts were shown when the request-ing application was running in the foreground or the user had visual cues that the61application was running (e.g., notifications). A Wilcoxon signed rank test withcontinuity correction revealed a statistically significant difference in participants’desire to allow or deny a permission request based on the visibility of the re-questing application (p < 0.0152, r = 0.221), which corroborates findings in theprevious chapter [117].3.3 Types of UsersWe hypothesized that there may be different types of users based on how they wantto disclose their private information to third parties. It is imperative to identifythese different sub-populations since different permission models affect users dif-ferently based on their privacy preferences; performance numbers averaged acrossa user population could be misleading since different sub-populations might reactdifferently to the same permission model.While our study size was too small to effectively apply clustering techniquesto generate classes of users, we did find a meaningful distinction using the denialrate (i.e., the percentage of prompts to which users wanted to deny access). Weaggregated users by their denial rate in 10% increments and examined how thesedifferent participants considered the surrounding contextual circumstances in theirdecisions.We discovered that application visibility was a significant factor for users witha denial rate of 10–90%, but not for users with a denial rate of 0–10% or 90–100%.We call the former group Contextuals, as they seem to care about the surround-ing context (i.e., they make nuanced decisions, allowing or denying a permissionrequest based on whether they had contextual cues that indicated that the request-ing application was running), and the latter group Defaulters, because they seemto simply always allow or always deny requests, regardless of contextual cues.We analyzed how the effects of the visibility of the requesting application variesamong different participants to decide the boundaries of the two groups. The rea-son for us to draw the boundary at the two ends was better explained later whenwe explain the benefit of the figuring out the defaulter as early as possible for620510150 25 50 75 100Denial RateNumber of ParticipantsCategoryContextualsDefaultersFigure 3.2: Histogram of users based on their denial rate. Defaulters tended to al-low or deny almost all requests without regard for contextual cues, whereasContextuals considered the visibility of the requesting application.better performance.Defaulters accounted for 53% of 131 participants and Contextuals accountedfor 47%. A Wilcoxon signed-rank test with continuity correction revealed a statis-tically significant difference in Contextuals’ responses based on requesting appli-cation visibility (p < 0.013, r = 0.312), while for Defaulters there was no statis-tically significant difference (p = 0.227). That is, Contextuals used visibility as acontextual cue, when deciding the appropriateness of a given permission request,whereas Defaulters did not vary their decisions based on this cue. Figure 3.2shows the distribution of users based on their denial rate. Vertical lines indicatethe borders between Contextuals and Defaulters.63Policy Contextuals Defaulters Overall PromptsAOI 44.11% 6.00% 25.00% 0.00AOFU-AP 64.49% 93.33% 84.61% 12.34AOFU-APV 64.28% 92.85% 83.33% 15.79AOFU-AFPV 66.67% 98.95% 84.61% 16.91AOFU-VP 58.65% 94.44% 78.04% 6.43AOFU-VA 63.39% 93.75% 84.21% 12.24AOFU-A 64.27% 93.54% 83.33% 9.06AOFU-P 57.95% 95.45% 82.14% 3.84AOFU-V 52.27% 95.34% 81.48% 2.00Table 3.3: The accuracy and number of different possible ask-on-first-use combina-tions. A: Application requesting the permission, P: Permission type requested,V: Visibility of the application requesting the permission, AF : Application run-ning in the foreground when the request is made. AOFU-AP is the policy usedin Android Marshmallow i.e., asking (prompting) the user for each unique ap-plication, permission combination. The table also differentiates policy numbersbased on the subpopulation of Contextuals, Defaulters, and across all users.In the remainder of this chapter, we use our Contextuals–Defaulters cate-gorization to measure how current and proposed models affect these two sub-populations, issues unique to these sub-populations, and ways to address theseissues.3.4 Ask-On-First-Use PermissionsAsk-on-first-use (AOFU) is the current Android permission model, which wasfirst adopted in Android 6.0 (Marshmallow). AOFU prompts the user wheneveran application requests a dangerous permission for the first time [36]; the user’sresponse to this prompt is thereafter applied whenever the same application re-quests the same permission. As of March 2017, only 34.1% of Android users haveAndroid Marshmallow or a higher version [38], and among these Marshmallowusers, those who upgraded from a previous version only see runtime permissionprompts for freshly-installed applications.64For the remaining 65.9% of users, the system policy is ask-on-install (AOI),which automatically allows all runtime permission requests. During the studyperiod, all of our participants had AOI running as the default permission model.Because all runtime permission requests are allowed in AOI, any of our ESMprompts that the user wanted to deny correspond to mispredictions under the AOImodel (i.e., the AOI model granted access to the data against users’ actual prefer-ences). Table 3.3 shows the expected median accuracy for AOI, as well as severalother possible variants that we discuss in this section. The low median accuracyfor Defaulters was due to the significant number of people who simply deniedmost of the prompts. The prompt count is zero for AOI because it does not promptthe user during runtime; users are only shown permission prompts at installation.More users will have AOFU in the future, as they upgrade to Android 6.0 andbeyond. To the best of our knowledge, no prior work has looked into quantify-ing the effectiveness of AOFU systematically; this section presents analysis ofAOFU based on prompt responses collected from participants and creates a base-line against which to measure our system’s improvement. We simulate how AOFUperforms through our ESM prompt responses. Because AOFU is deterministic,each user’s response to the first prompt for each application:permission combi-nation tells us how the AOFU model would respond for subsequent requests bythat same combination. For participants who responded to more than one promptfor each combination, we can quantify how often AOFU would have been correctfor subsequent requests. Similarly, we also measure the accuracy for other pos-sible policies that the platform could use to decide whether to prompt the user.For example, the status quo is for the platform to prompt the user for each newapplication:permission combination, but how would accuracy (and the number ofprompts shown) change if the policy were to prompt on all new combinations ofapplication:permission:visibility?Table 3.3 shows the expected median accuracy4 for each policy based on par-4The presented numbers—except for average prompt count, which was normally distributed—are median values, because the distributions were skewed.65ticipants’ responses. For each policy, A represents the application requesting thepermission, P represents the requested permission, V represents the visibility ofthe requesting application, and AF represents the application running in the fore-ground when a sensitive permission request was made. For instance, AOFU-APis the policy where the user will be prompted for each new instance of an appli-cation:permission combination, which the Android 6.0 model employs. The lastcolumn shows the number of runtime prompts a participant would see under eachpolicy over the duration of the study, if that policy were to be implemented. BothAOFU-AP and AOFU-AFPV show about a 4.9× reduction in error rate comparedto AOI; AOFU-AFPV would require more prompts over AOFU-AP, though yieldsa similar overall accuracy rate. 5 Moving forward, we focus our analysis only onAOFU-AP (i.e., the current standard).Instances where the user wants to deny a permission and the policy insteadallows it (false positives) are privacy violations, because they expose more infor-mation to the application than the user desires. Instances where the user wantsto allow a permission, but the policy denies it (false negatives) are functionalitylosses. This is because the application is likely to lose some functionality that theuser desired when it is incorrectly denied a permission. Privacy violations andfunctionality losses were approximately evenly split between the two categoriesfor AOFU-AP: median privacy violations and median functionality losses were6.6% and 5.0%, respectively.The AOFU policy works well for Defaulters because, by definition, they tendto be consistent after their initial responses for each combination. In contrast,the decisions of Contextuals vary due to other factors beyond just the requestingapplication and the requested permission type. Hence, the accuracy of AOFUfor Contextuals is significantly lower than the accuracy for Defaulters. This dis-tinction shows that learning privacy preferences for a significant portion of usersrequires a deeper understanding of factors affecting their decisions, such as behav-5While AOFU-AF PV has greater median accuracy when examining Defaulters and Contextu-als separately, because the distributions are skewed, the median overall accuracy is identical toAOFU-AP when combining the groups.66ioral tendencies and contextual cues. As Table 3.3 suggests, superficially addingmore contextual variables (such as visibility of the requesting application) doesnot necessarily help to increase the accuracy of the AOFU policy.The context in which users are prompted under AOFU might be a factor af-fecting its ability to predict subsequent instances. In the previous chapter [117],we found that the visibility of the requesting application is a strong contextual cueusers use to vary their decisions. During the study period, under the AOFU-APpolicy, 60% of the prompts could have occurred when the requesting applicationwas visible to the participant—these prompts had an accuracy of 83.3% in predict-ing subsequent instances. In instances where participants were prompted when therequesting application was running invisibly to the user, AOFU-AP had an accu-racy of 93.7% in predicting subsequent instances. A Wilcoxon signed-ranks test,however, did not reveal a statistically significant difference (p = 0.3735).Our estimated accuracy numbers for AOFU may be inflated because AOFUin deployment (Android 6 and above) does not filter permission requests that donot reveal any sensitive information. For example, an application can request theACCESS_FINE_LOCATION permission to check whether the phone has a specificlocation provider, which does not leak sensitive information. Our AOFU simula-tion uses the invoked function to determine if sensitive data was actually accessed,and only prompts in those cases (in the interest of avoiding any false positives), adistinction that AOFU in Android does not make. Thus, an Android user wouldsee a permission request prompt when the application examines the list of locationproviders, and if the permission is granted, would not subsequently see promptswhen location data is actually captured. In our previous field study, we foundthat 79% of first-time permission requests do not reveal any sensitive informa-tion [117], and nearly 33.9% of applications that request these sensitive permis-sion types do not access sensitive data at all. The majority of AOFU prompts inMarshmallow are therefore effectively false positives, which incorrectly serve asthe basis for future decisions. Given this, AOFU’s average accuracy is likely lessthan the numbers presented in Table 3.3. We therefore consider our estimates of67AOFU to be an upper bound.3.5 Learning Privacy PreferencesTable 3.3 shows that a significant portion of users (the 47% classified as Contex-tuals) make privacy decisions that depend on factors other than the applicationrequesting the permission, the permission requested, and the visibility of the re-questing application. To make decisions on behalf of the user, we must understandwhat other factors affect their privacy decisions. We built a machine learningmodel trained and tested on our labeled dataset of 4,224 prompts collected from131 users over the period of 42 days. This approach is equivalent to training amodel based on runtime prompts from hundreds of users and using it to predictthose users’ future decisions.We focus the scope of this work by making the following assumptions. We as-sume that the platform, i.e., the Android OS, is trusted to manage and enforce per-missions for applications. We assume that applications must go through the plat-form’s permission system to gain access to protected resources. We assume thatwe are in a non-adversarial machine-learning setting wherein the adversary doesnot attempt to circumvent the machine-learned classifier by exploiting knowledgeof its decision-making process—though we do present a discussion of this prob-lem and potential solutions in Section Feature SelectionUsing the behavioral, contextual, and aggregate features shown in Table 3.2, weconstructed 16K candidate features, formed by combinations of specific applica-tions and actions. We then selected 20 features by measuring Gini importancethrough random forests [75], significance testing for correlations, and singularvalue decomposition (SVD). SVD was particularly helpful to address the sparsityand high dimensionality issues caused by features generated based on applicationand activity usage. Table 3.4 lists the 20 features used in the rest of this work.68FeatureGroup Feature TypeBehavioralFeatures(B)Number of times a website is loaded tothe Chrome browser. NumericalOut of all visited websites, the proportionof HTTPS-secured websites. NumericalThe number of downloads through Chrome. NumericalProportion of websites requested locationthrough Chrome. NumericalNumber of times PIN/Password was used tounlock the screen. NumericalAmount of time spent unlocking the screen. NumericalProportion of times screen was timed outinstead of pressing the lock button. NumericalFrequency of audio calls. NumericalAmount of time spent on audio calls. NumericalProportion of time spent on silent mode. NumericalRuntimeFeatures(R1)Application visibility (True/False) CategoricalPermission type CategoricalUser ID CategoricalTime of day of permission request NumericalAggregatedFeatures(A)Average denial rate for (A1)application:permission:visibility NumericalAverage denial rate for (A2)applicationF :permission:visibilityNumericalTable 3.4: The complete list of features used in the ML model evaluation. All thenumerical values in the behavioral group are normalized per day. We use one-hot encoding for categorical variables. We normalized numerical variables bymaking each one a z-score relative to its own average.The behavioral features (B) that proved predictive relate to browsing habits,audio/call traits, and locking behavior. All behavioral features were normalizedper day/user and were scaled in the actual model. Features relating to browsinghabits included the number of websites visited, the proportion of HTTPS-secured69links visited, the number of downloads, and proportion of sites visited that re-quested location access. Features relating to locking behavior included whetherusers employed a passcode/PIN/pattern, the frequency of screen unlocking, theproportion of times they allowed the screen to timeout instead of pressing the lockbutton, and the average amount of time spent unlocking the screen. Features underthe audio and call category were the frequency of audio calls, the amount of timethey spend on audio calls, and the proportion of time they spent on silent mode.Our runtime features (R1/R2) include the requesting application’s visibility,permission requested, and time of day of the request. Initially, we included theuser ID to account for user-to-user variance, but as we discuss later, we subse-quently removed it. Surprisingly, the application requesting the permission wasnot predictive, nor were other features based on the requesting application, suchas application popularity.Different users may have different ways of perceiving privacy threats posed bythe same permission request. To account for this, the learning algorithm should beable to determine how each user perceives the appropriateness of a given requestin order to accurately predict future decisions. To quantify the difference betweenusers in how they perceive the threat posed by the same set of permission requests,we introduced a set of aggregate features that could be measured at runtime andthat may partly capture users’ privacy preferences. We compute the average denialrate for each unique combination of application:permission:visibility (A1) and ofapplicationF 6:permission:visibility (A2). These aggregate features indicate howthe user responded to previous prompts associated with that combination. Asexpected, after we introduced the aggregate features, the relative importance ofthe user ID variable diminished and so we removed it (i.e., users no longer neededto be uniquely identified). We define R2 as R1 without the user ID.6The application running in the foreground when the permission is requested by another appli-cation.70Feature Set Contextuals Defaulters OverallR1 69.30% 95.80% 83.71%R2 + B 69.48% 95.92% 83.93%R2 + A 75.45% 99.20% 92.24%Table 3.5: The median accuracy of the machine learning model for different featuregroups across different sub populations.3.5.2 Inference Based on BehaviorOne of our main hypotheses is that passively observing users’ behaviors helpsinfer users’ future privacy decisions. To this end, we instrumented Android tocollect a wide array of behavioral data, listed in Table 3.2. We categorize our be-havioral instrumentation into interaction with Android privacy/security settings,locking behavior, audio settings and call habits, web-browsing habits, and appli-cation usage habits. After the feature selection process (§3.5.1), we found thatonly locking behavior, audio habits, and web-browsing habits correlated with pri-vacy behaviors. Appendix B.2 contains more information on feature importance.All the numerical values under the behavioral group were normalized per day.We trained an SVM model with an RBF kernel on only the behavioral and run-time features listed in Table 3.4, excluding user ID. The 5-fold cross-validation ac-curacy (with random splitting) was 83% across all users. This first setup assumeswe have prior knowledge of previous privacy decisions to a certain extent fromeach user before inferring their future privacy decisions, so it is primarily relevantafter the user has been using their phone for a while. However, the biggest ad-vantage of using behavioral data is that it can be observed passively without anyactive user involvement (i.e., no prompting).We use leave-one-out cross validation to measure the extent to which we caninfer user privacy decisions with absolutely no user involvement (and without anyprior data on a user). In this second setup, when a new user starts using a smart-phone, we assume there is a ML model which is already trained with behavioral71data and privacy decisions collected from a selected set of other users. We thenmeasured the efficacy of such a model to predict the privacy decisions of a newuser, purely based on passively observed behavior and runtime information onthe request, without ever prompting that new user. This is an even stricter lowerbound on user involvement, which essentially mandates that a user has to make noeffort to indicate privacy preferences, something that no system currently does.We performed leave-one-out cross validation for each of our 131 participants,meaning we predicted a single user’s privacy decisions using a model trained usingthe data from the other 130 users’ privacy decisions and behavioral data. The onlyinput for each test user was the passively observed behavioral data and runtimedata surrounding each request. The model yielded a median accuracy of 75%,which is a 3× improvement over AOI. Furthermore, AOI requires users to makeactive decisions during the installation of an application, which our second modeldoes not require.Examining only behavioral data with leave-one-group-out cross validationyielded a median accuracy of 56% for Contextuals, while for Defaulters it was93.01%. Although, prediction using solely behavioral data fell short of AOFU-APfor Contextuals, it yielded a similar median accuracy for Defaulters; AOFU-APrequired 12 prompts to reach this level of accuracy, whereas our model would nothave resulted in any prompts. This relative success presents the significant obser-vation that behavioral features, observed passively without user involvement, areuseful in learning user privacy preferences. This provides the potential to openentirely new avenues of user learning and reduce the risk of habituation.3.5.3 Inference Based on Contextual CuesOur SVM model with an RBF kernel produced the best accuracy. The resultsin the remainder of this section are trained and tested with five-fold cross vali-dation with random splitting for an SVM model with an RBF kernel using theksvm library in R. In all instances, the training set was bootstrapped with an equalnumber of allow and deny data points to avoid training a biased model. For each72feature group, all hyperparameters were tuned through grid search to achieve high-est accuracy. We used one-hot encoding for categorical variables. We normalizednumerical variables by making each one a z-score relative to its own average. Ta-ble 3.5 shows how the median accuracy changes with different feature groups. Asa minor note, the addition of the mentioned behavioral features to runtime fea-tures performed only marginally better; this could be due to the fact that those twogroups do not complement each other in predictions. In this setup, we assume thatthere is a single model across all the users of Android.By incorporating user involvement in the form of prompts, we can use our ag-gregate features to increase the accuracy for Contextuals, slightly less so for De-faulters. The aggregate features primarily capture how consistent users are for par-ticular combinations (i.e., application:permission:visibility, appli-cationF :permission:visibility),which greatly affects accuracy for Contextuals. Defaulters have high accuracywith just runtime features (R1), as they are likely to stick with a default allowor deny policy regardless of the context surrounding a permission. Thus, evenwithout any aggregate features (which do not impart any new information aboutthis type of user), the model can predict privacy preferences of Defaulters with ahigh degree of accuracy. On the other hand, Contextuals are more likely to varytheir decision for a given permission request. However, as the accuracy numbersin Table 3.5 suggest, this variance is correlated with some contextual cues. Thehigh predictive power of aggregate features indicates that they may be capturingthe contextual cues, used by Contextuals to make decisions, to a greater extent.The fact that both application:permission:visibility and applicationF :permission:visibilityare highly predictive (Appendix B.1) indicates that user responses for these com-binations are consistent. The high consistency could relate to the notion thatthe visibility and the foreground application (applicationF 7) are strong contex-tual cues people use to make their privacy decisions; the only previously studiedcontextual cue was the visibility of the application requesting the sensitive data7Even when the requesting application is running visible to the user, the foreground applicationcould still be different from the requesting application since the only visible cue of the requestingapplication could be a notification in the notification bar.73– which based on our data from the previous field study [117]. We offer a hy-pothesis for why foreground application could be significant: the sensitivity ofthe foreground application (i.e., high-sensitivity applications like banking, low-sensitivity applications like games) might impact how users perceive threats posedby requests. Irrespective of the application requesting the data, users may be likelyto deny the request because of the elevated sense of risk. We discuss this furtherin Section 3.8.The model trained on feature sets R2, A1, and A2 had the best accuracy (andthe fewest privacy violations). For the remainder of the chapter, we will refer tothis model unless otherwise noted. We now compare AOFU-AP (the status quoas of Android 6.0 and above, presented in Table 3.3) and our model (Table 3.5).Across all users, our model reduced the error rate from 15.38% to 7.76%, nearlya two-fold improvement.Mispredictions (errors) in the ML model were split between privacy viola-tions and functionality losses (54% and 46%). Deciding which error type is moreacceptable is subjective and depends on factors like the usability issues surround-ing functionality losses and gravity of privacy violations. However, the (approx-imately) even split between the two error types shows that the ML is not biasedtowards one particular decision (denying vs. allowing a request). Furthermore,the area under the ROC curve (AUC), a metric used to measure the fairness of aclassifier, is also significantly better in the ML model (0.936 as opposed to 0.796for AOFU). This indicates that the ML model is equally good at predicting whento both allow and deny a permission request, while AOFU tends to lean more to-wards one decision. In particular, with the AOFU policy, users would experienceprivacy violations for 10.01% of decisions, compared to just 4.2% with the MLmodel. Privacy violations are likely more costly to the user than functionalityloss: denied data can always be granted at a later time, but disclosed data cannotbe taken back.While increasing the number of prompts improves classifier accuracy, it plateausafter reaching its maximum accuracy, at a point we call the steady state. For some74users, the classifier might not be able to infer their privacy preferences effectively,regardless of the number of prompts. As a metric to measure the effectivenessof the ML model, we measure the confidence of the model in the decisions itmakes, based on prediction class probabilities.8 In cases where the confidence ofthe model is below a certain threshold, the system should use a runtime promptto ask the user to make an explicit decision. Thus, we looked into the prevalenceof low-confidence predictions among the current predictions. With a 95% confi-dence interval, on average across five folds, low-confidence predictions accountedfor less than 10% of all predictions. The remaining high-confidence predictions(90% of all predictions) had an average accuracy of 96.2%, whereas predictionswith low confidence were only predicted with an average accuracy of 72%. §3.6.2goes into this aspect in detail and estimates the rate at which users will see promptsin steady state.The caveat in our ML model is that AOFU-AP only resulted in 12 prompts onaverage per user during the study, while our model averaged 24. The increasedprompting stems from multiple prompts for the same combination of applica-tion:permission:visibility, whereas in AOFU, prompts are shown only once foreach application:permission combination. During the study period, users on aver-age saw 2.28 prompts per unique combination. While multiple prompts per com-bination help the ML model to capture user preferences under different contextualcircumstances, it risks habituation, which may eventually reduce the reliability ofthe user responses.The evaluation setup mentioned in the current section does not have a specificstrategy to select the training set. It randomly splits the data set into the 5 foldsand picks 4 out of 5 as the training set. In a real-world setup, the platform needsa strategy to carefully select the training set so that the platform can learn mostof the user’s privacy preferences with a minimum number of prompts. The nextsection presents an in-depth analysis on possible ways to reduce the number of8To calculate the class probabilities, we used the KSVM library in R. It employs a techniqueproposed by Platt et al. [70] to produce a numerical value for each class’s probability.75prompts needed to train the ML model.3.6 Learning StrategyThis section presents a strategy the platform can follow in the learning phase of anew user. The key objective of the learning strategy should be to learn the user’sprivacy preferences with minimal user involvement (prompts). Once the modelreaches adequate training, we can use model decision confidence to analyze howthe ML model performs for different users and examine the tradeoff between userinvolvement and accuracy. We also utilize the model’s confidence on decisions topresent a strategy that can further reduce model error through selective permissionprompting.3.6.1 BootstrappingThe bootstrapping phase occurs when the ML model is presented with a new userabout whom the model has no prior information. In this section, we analyze howthe accuracy improves as we prompt the user. Since the model presented in §3.5is a single model trained with data from all users, the ML model can still predicta new user’s privacy decisions by leveraging the data collected on other users’preferences.We measured the accuracy of the ML model as if it had to predict each user’sprompt responses using a model trained using other users’ data. Formally, this iscalled leave-one-out cross-validation, where we remove all the prompt responsesfrom a single user. The training set contains all the prompt responses from 130users and the test set is the prompt responses collected from the single remaininguser. The model had a median accuracy of 66.6% (56.2% for Contextuals, 86.4%for Defaulters). Although this approach does not prompt new users, it falls short ofAOFU. This no-prompt model behaves close to random guessing for Contextualsand significantly better for Defaulters. Furthermore, based on our first field studydata, we found that individuals’ privacy preferences varied a lot [117], suggesting76that utilizing other users’ decisions to predict decisions for a new user has limitedeffectiveness, especially for Contextuals; some level of prompting is necessary.There are a few interesting avenues to explore when determining the optimalway to prompt the user in the learning phase. One option would be to followthe same weighted-reservoir sampling algorithm mentioned in §3.2.1. The al-gorithm is weighted by the frequency of each application:permission:visibilitycombination. The most frequent combination will have the highest probabilityof creating a permission prompt and after the given combination reaches a maxi-mum of three prompts, the algorithm will no longer consider that combination forprompting, giving the second most frequent combination the new highest prob-ability. Due to frequency-weighting and multiple prompts per combination, theweighted-reservoir sampling approach requires more prompts to cover a broaderset of combinations. However, AOFU prompts only once per combination withoutfrequency-weighting. This may be a useful strategy initially for a new user sinceit allows the platform to learn about the users’ privacy preferences for a wide arrayof combinations with minimal user interaction.To simulate such an approach, we extend the aforementioned no-prompt model(leave-one-out validation). In the no-prompt model, there was no overlap of usersin the train and test set. In the new approach, the training set includes the datafrom other users as well as the new user’s responses to the first occurrence of eachunique combination of application:permission:visibility. The first occurrence ofeach unique combination simulates the AOFU-APV policy. That is, this model isbootstrapped using data from other users and then adopts the AOFU-APV policyto further learn the current user’s preferences. The experiment was conducted us-ing the same set of features mentioned in §3.5.1 (R2 + A1 + A2 and an SVM witha RBF kernel). The test set only contained prompt responses collected after thelast AOFU prompt to ensure chronological consistency.Figure 3.3 shows how accuracy changes with the varying number of AOFUprompts for Contextuals and Defaulters. For each of the 131 users, we ran theexperiment varying the AOFU prompts from 1 to 12. We chose this upper bound77++ + +++++ + +++x xx x xx x x x x x xoo oo o o o ooo oo0. 2 3 4 5 6 7 8 9 10 11 12Prompt CountAccuracyPopulation+xoContextualsDefaultersOverallFigure 3.3: How the median accuracy varies with the number of seen promptsbecause, on average, a participant saw 12 different unique application:permissioncombinations during the study period—the current permission model in Android.AOFU relies on user prompts for each new combination. The proposed MLmodel, however, has the advantage of leveraging data collected from other usersto predict a combination not seen by the user; it can significantly reduce userinvolvement in the learning phase. After 12 prompts, accuracy reached 96.8%across all users.Each new user starts off with a single model shared by all new users and thenmoves onto a separate model trained with AOFU prompt responses. We analyzeits performance for Defaulters and Contextuals separately, finding that it improvesaccuracy while reducing user involvement in both cases, compared to the statusquo.We first examine how our model performs for Defaulters, 53% of our sample.78Figure 3.3 shows that our model trained with AOFU permission-prompt responsesoutperforms AOFU from the very beginning. The model starts off with 96.6%accuracy (before it reaches close to 100% after 6 prompts), handily exceedingAOFU’s 93.33%. This is a 83.3% reduction in permission prompts comparedto AOFU-AP (the status quo). Even with such a significant reduction in userinvolvement, the new approach cuts the prediction error rate in half.Contextuals needed more prompts to outperform the AOFU policy; the hybridapproach matches AOFU-AP with just 7 prompts, a 42% reduction in prompts.With 12 permission prompts, same as needed for AOFU-AP, the new approachhad reduced the error rate by 43% over AOFU-AP (the status quo). The numberof prompts needed to reach this level of accuracy in the new approach is 25% lessthan what is needed for AOFU-APV. We also observed that as the number ofprompts increased, the AUC of our predictions also similarly increased. Overall,the proposed learning strategy reduced the error rate by 80% after 12 user promptsover AOFU-AP. Given, Defaulters plateau early in their learning cycle (after only6 prompts), the proposed learning strategy, on average, needs 9 prompts to reachits maximum capacity, which is a 25% reduction in user involvement over AOFU-AP.Contextuals have a higher need for user involvement than Defaulters, primar-ily because it is easy to learn about Defaulters, as they are more likely to beconsistent with early decisions. On the other hand, Contextuals vary their deci-sions based on different contextual cues and require more user involvement for themodel to learn the cues used by each user and how do they affect their decisions.Thus, it is important to find a way to differentiate between Defaulters and Con-textuals early in the bootstrapping phase to determine which users require fewerprompts. The analysis of our hybrid approach addresses the concern of a highnumber of permission prompts initially for an ML approach. Over time, accuracycan always be improved with more prompts.Our new hybrid approach of using AOFU-style permission prompts in thebootstrapping phase to train our model can achieve higher accuracy than AOFU,79with significantly fewer prompts. Having a learning strategy (use of AOFU) overrandom selection helped to minimize user involvement (24 vs. 9) while signif-icantly reducing the error rate (7.6% vs. 3.2%) over a random selection of thetraining set.3.6.2 Decision ConfidenceIn the previous section, we looked into how we can optimize the learning phaseby merging AOFU and the ML model to reach higher accuracy with minimaluser prompts. However, for a small set of users, more permission prompts willnot increase accuracy, regardless of user involvement in the bootstrapping phase.This could be due to the fact that a portion of users in our dataset are makingrandom decisions, or that the features that our ML model takes into account arenot predictive of those users’ decision processes. While we do not have the datato support either explanation, we examine how we can measure whether the MLmodel will perform well for a particular user and quantify how often it does not.We present a method to identify difficult-to-predict users and reduce permissionprompting for those users.While running the experiment in §4.2.1, we also measured how confident theML model was for each decision it made. To measure the ML model’s confi-dence, we record the probability for each decision; since it is a binary classifica-tion (deny or allow), the closer the probability is to 0.5, the less confident it is. Wethen chose a class probability threshold above which a decision would be consid-ered a high-confidence decision. In our analysis, we choose a class probabilitythreshold of 0.6, since this value resulted in >96% accuracy for our fully-trainedmodel (≈25 prompts per user) for high-confidence decisions, but this is a tunablethreshold. Thus, in the remainder of our analysis in this chapter, decisions thatthe ML model made with a probability of >0.60 were labeled as high-confidencedecisions, while those made with a probability of <0.60 were labeled as low-confidence decisions.Since the most accurate version of AOFU uses 12 prompts, we also evaluate80the confidence of our model after 12 AOFU-style prompts. This setup is identicalto the bootstrapping approach; the model we evaluate here is trained on responsesfrom other users and the first 12 prompts chosen by AOFU. With this scheme, wefound that 10 users (7.63% of 131 users) had at least one decision predicted withlow confidence. The remaining 92.37% of users had all privacy decisions pre-dicted with high confidence. Among those users whose decisions were predictedwith low confidence, the proportion of low-confidence decisions on average ac-counted for 17.63% (median = 16.67%) out of all their predicted decisions. Witha sensitive permission request once every 15 seconds [117], prompting even for17.63% of predictions is not practical. Users who had low-confidence predictionshad a median accuracy of 60.17%, compared to 98% accuracy for the remainingset of users with only high-confidence predictions. Out of the 10 users who hadlow-confidence predictions, there were no Defaulters. This further supports theobservation in Figure 3.3 that Defaulters require a shorter learning period.In a real-world scenario, after the platform (ML model) prompts the user forthe first 12 AOFU prompts, the platform can measure the confidence of predict-ing unlabeled data (sensitive permission requests for which the platform did notprompt the user). If the proportion of low-confidence predictions is below somethreshold, the ML model can be deemed to have successfully learned user pri-vacy preferences and the platform should keep on using the regular permission-prompting strategy. Otherwise, the platform may choose to limit prompts (i.e.,two per unique application:permission:visibility combination). It should also benoted that rather than having a fixed number of prompts (e.g., 12) to measurethe low-confidence proportion, the platform can keep track of the low-confidenceproportion as it prompts the user according to any heuristic (i.e., unique combi-nations). If the proportion does not decrease with the number of prompts, wecan infer that the ML model is not learning user preferences effectively or theuser is making random decisions, indicating that limiting prompts and acceptinglower accuracy could be a better option for that specific user, to avoid excessiveprompting. However, depending on which group the user is in (Contextual or De-81faulter), the point at which the platform could make the decision to continue orlimit prompting could change. In general, the platform should be able to reachthis deciding point relatively quickly for Defaulters.Among participants with no low-confidence predictions, we had a median er-ror rate of 2% (using the new hybrid approach after 12 AOFU prompts); for thesame set of users, AOFU could only reach a median error rate of 13.3%. How-ever, using AOFU, a user in that set would have needed an average of 15.11prompts to reach that accuracy. Using the ML model, a user would need just 9prompts on average (Defaulters require far fewer prompts, dropping the average);the model only requires 60% of the prompts that AOFU requires. Even with farfewer prompts in the learning phase, the ML model achieves a 84.61% reductionin error rate relative to AOFU.While our model may not perform well for all users, it does seem to workquite well for the majority of users (92.37% of our sample). We provide a wayof quickly identifying users for whom our system does not perform well, andpropose limiting prompts to avoid excessive user burden for those users, at thecost of reduced efficacy. In the worst case, we could simply employ the AOFUmodel for users our system does not work well for, resulting in a multifacetedapproach that is at least as good as the status quo for all users.3.6.3 Online ModelOur proposed system relies on training models on a trusted server, sending it toclient phones (i.e., as a weight vector), and having phones make classifications.By utilizing an online learning model, we can train models incrementally as usersrespond to prompts over time. There are two key advantages to this: (i) this modeladapts to changing user preferences over time; (ii) it distributes the overhead oftraining increasing the practicality of locally training the classifier on the phoneitself.Our scheme requires two components: a feature extraction and storage mech-anism on the phone (a small extension to our existing instrumentation) and a ma-82chine learning pipeline on a trusted server. The phone sends feature vectors tothe server every few prompts, and the server responds with a weight vector repre-senting the newly trained classifier. To bootstrap the process, the server’s modelscan be initialized with a model trained on a few hundred users, such as our sin-gle model across all users. Since each user contributes data points over time, theonline model adapts to changing privacy preferences even if they conflict with pre-vious data. When using this scheme, each model takes less than 10 KB to store.With our current model, each feature and weight vector are at most 3 KB each,resulting in at most 6 KB of data transfer per day.To evaluate the accuracy of our online model, we trained a classifier usingstochastic gradient descent (SGD) with five-fold cross validation on our 4,224-point data set. This served as the bootstrapping phase. We then simulated re-ceiving the remaining data one-at-a-time in timestamp order. Any features thatchanged with time (e.g., running averages for aggregate features, event counts)were computed with each incoming data point, creating a snapshot of featuresas the phone would see it. We then tested accuracy on the chronologically last20% of our dataset. Our SGD classifier had 93.8% accuracy (AUC=0.929). Weattribute the drop in accuracy (compared to our offline model) to the fact that run-ning averages take multiple data points to reach steady-state, causing some earlierpredictions to be incorrect.A natural concern with a trusted server is compromise. To address this con-cern, we do not send any personally-identifiable data to the server, and any fea-tures sent to the server are scaled; they are reported in standard deviations fromthe mean, not in raw values. Furthermore, using an online model with incrementaltraining allows us to periodically train the model on the phone (i.e., nightly, whenthe user is charging her device) to eliminate the need for a trusted server.3.7 Contextual IntegrityContextual integrity is a conceptual framework that helps explain why most per-mission models fail to protect user privacy—they often do not take the context83surrounding privacy decisions into account. In addressing this issue, we proposean ML model that infers when context has changed. We believe that this is animportant first step towards operationalizing the notion of contextual integrity. Inthis section, we explain the observations that we made in §3.5.3 based on thecontextual integrity framework proposed by Barth et al. [20].Contextual integrity provides a conceptual framework to better understandhow users make privacy decisions; we use Barth et al.’s formalized model [20] asa framework in which to view Android permission models. Barth et al. model par-ties as communicating agents (P) knowing information represented as attributes(T ). A knowledge state κ is defined as a subset of P×P×T . We use κ = (p,q, t)to mean that agent p knows attribute t of agent q. Agents play roles (R) in contexts(C).For example, an agent can be a game application, and have the role of a gameprovider in an entertainment context. Knowledge transfer happens when infor-mation is communicated between agents; all communications can be representedthrough a series of traces (κ,(p,r),a), which are combinations of a knowledgestate κ , a role state (p,r), and a communication action a (information sent). Therole an agent plays in a given context helps determine whether an informationflow is acceptable for a user. The relationship between the agent sending the in-formation and the role of the agent ((p,r)) receiving the information must followthese contextual norms.With the Android permission model, the same framework can be applied. Boththe user and the third-party application are communicating agents, and the infor-mation to be transferred is the sensitive data requested by the application. When athird-party application requests permission to access a guarded resource (e.g., lo-cation), knowledge of the guarded resource is transferred from the one agent (i.e.,the user/platform) to another agent (i.e., the third-party application). The extentto which a user expects a given request depends not on the agent (the applicationrequesting the data), but on the role that agent is playing in that context. Thisexplains why the application as a feature itself (i.e., application name) was not84predictive in our models: this feature does not represent the role when determin-ing whether it is unexpected. While it is difficult for the platform to determinethe exact role an application is playing, the visibility of the application hints at itsrole. For instance, when the user is using Google Maps to navigate, it is playinga different role from when Google Maps is running in the background withoutthe user’s knowledge. We believe that this is the reason why the visibility of therequesting application is significant: it helps the user to infer the role played bythe application requesting the permission.The user expects applications in certain roles to access resources dependingon the context in which the request is made. We believe that the foreground ap-plication sets this context. Thus a combination of the role and the context decideswhether an information flow is expected to occur or not. Automatically inferringthe exact context of a request is likely an intractable problem. For our purposes,however, it is possible that we need to only infer when context has changed, orrather, when data is being requested in a context that is no longer acceptable to theuser. Based on our data, we believe that features based on foreground applicationand visibility are most useful for this purpose, from our collected dataset.We now combine all of this into a concrete example within the contextualintegrity framework: If a user is using Google Maps to reach a destination, theapplication can play the role of a navigator in a geolocation context, whereby theuser feels comfortable sharing her location. In contrast, if the same applicationrequests location while running as a service invisible to the user, the user maynot want to provide the same information. Background applications play the roleof “passive listeners” in most contexts; this role as perceived by the user maybe why background applications are likelier to violate privacy expectations andconsequently be denied by users.AOFU primarily focuses on controlling access through rules for application:permissioncombinations. Thus, AOFU neglects the role played by the application (visibil-ity) and relies purely on the agent (the application) and the information subject(permission type). This explains why AOFU is wrong in nearly one-fifth of cases.85Based on Table 3.3, both AOFU-VA (possibly identifying the role played by theapplication) and AOFU-AFPV (possibly identifying the current context becauseof the current foreground application-AF ) have higher accuracy than the otherAOFU combinations. However, as the contextual integrity framework suggests,the permission model has to take both the role and the current context into accountbefore making an accurate decision. AOFU (and other models that neglect con-text) only makes it possible to consider a single aspect, a limitation that does notapply to our model.While the data presented in this work suggest the importance of capturing con-text to better protect user privacy, more work is needed along these lines to fullyunderstand how people use context to make decisions in the Android permissionmodel. Nevertheless, we believe we contribute a significant initial step towardsapplying contextual integrity to improve smartphone privacy by dynamically reg-ulating permissions.3.8 DiscussionThe primary goal of this research was to improve the accuracy of the Androidpermission system so that it more correctly aligns with user privacy preferences.We began with four hypotheses: (i) that the currently deployed AOFU policyfrequently violates user privacy; (ii) that the contextual information it ignores isuseful; (iii) that a ML-based classifier can account for this contextual informationand thus improve on the status quo; and (iv) that passively observable behavioraltraits can be used to infer privacy preferences.To test these hypotheses, we performed the first large-scale study on the effec-tiveness of AOFU permission systems in the wild, which showed that hypotheses(i) and (ii) hold. We further built an ML classifier that took user permission deci-sions along with observations of user behaviors and the context surrounding thosedecisions to show that (iii) and (iv) hold. Our results show that existing systemshave significant room for improvement, and other permission-granting systemsmay benefit from applying our results.863.8.1 Limitations of Permission ModelsOur field study confirms that users care about their privacy and are wary of permis-sion requests that violate their expectations. We observed that 95% of participantschose to block at least one permission request; in fact, the average denial ratewas 60%—a staggering amount given that the AOI model permits all permissionrequests for an installed application.While AOFU improves over the AOI model, it still violates user privacy aroundone in seven times, as users deviate from their initial responses to permissionrequests. This amount is significant because of the high frequency of sensitivepermission requests: a 15% error rate yields thousands of privacy violations peruser—based on the latest dataset, this amounts to a potential privacy violationevery minute. It further shows that AOFU’s correctness assumption—that usersmake binary decisions based only on the application:permission combination—is incorrect. Users take a richer space of information into account when makingdecisions about permission requests.3.8.2 Our ML-Based ModelWe show that ML techniques are effective at learning from both the user’s previ-ous decisions and the current environmental context in order to predict whetherto grant permissions on the user’s behalf. In fact, our techniques achieve betterresults than the methods currently deployed on millions of phones worldwide—while imposing significantly less user burden.Our work incorporates elements of the surrounding context into a machine-learning model. This better approximates user decisions by finding factors rel-evant for users that are not encapsulated by the AOFU model. In fact, our MLmodel reduces the errors made by the AOFU model by 75%. Our ML model’s97% accuracy is a substantial improvement over AOFU’s 85% and AOI’s 25%;the latter two of which comprise the status quo in the Android ecosystem.Our research shows that many users make neither random nor fixed decisions:the environmental context plays a significant role in user decision-making. Au-87tomatically detecting the precise context surrounding a request for sensitive datais an incredibly difficult problem (e.g., inferring how data will be used), and ispotentially intractable. However, to better support user privacy, that problem doesnot need to be solved; instead, we show that systems can be improved by usingenvironmental data to infer when context has changed. We found that the mostpredictive factors in the environmental context were whether the application re-questing the permission is visible, and what the foreground application the useris engaged with. These are both strong contextual cues used by users, insofar asthey allowed us to better predict changes in context. Our results show that MLtechniques have great potential in improving user privacy, by allowing us to inferwhen context has changed, and therefore when users would want data requests tobe brought to their attention.3.8.3 Reducing the User BurdenOur work is also novel in using passively observable data to infer privacy deci-sions: we show that we can predict a user’s preferences without any permissionprompts. Our model trained solely on behavioral traits yields a three-fold im-provement over AOI; for Defaulters—who account for 53% of our sample—it wasas accurate as AOFU-AP. These results demonstrate that we can match the statusquo without any active user involvement (i.e., the need for obtrusive prompts).These results imply that learning privacy preferences may be done entirely pas-sively, which, to our knowledge, has not yet been attempted in this domain. Ourbehavioral feature set provides a promising new direction to guide research increating permission models that minimize user burden.The ML model trained with contextual data and past decisions also signifi-cantly reduced the user burden while achieving higher accuracy than AOFU. Themodel yielded an 81% reduction in prediction errors while reducing user involve-ment by 25%. The significance of this observation is that by reducing the risk ofhabituation, it increases reliability when user input is needed.883.8.4 User- and Permission-Tailored ModelsOur ML-based model incorporates data from all users into a single predictivemodel. It may be the case, however, that a collection of models tailored to par-ticular types of users outperforms our general-purpose model—provided that thecorrect model is used for the particular user and permission. To determine if thisis true, we clustered users into groups based first on their behavioral features, andthen their denial rate, to see if we could build superior cluster-tailored ML mod-els. Having data for only 131 users, however, resulted in clusters too small to carryout an effective analysis. We note that we also created a separate model for eachsensitive permission type, using data only for that permission. Our experimentsdetermined, however, that these models were no better (and often worse) than ourgeneral model. It is possible that such tailored models may be more useful whenour system is implemented at scale.3.8.5 Attacking the ML ModelAttacking the ML model to get access to users’ data without prompting is a legit-imate concern [17, 61, 112]. There are multiple ways an adversary can influencethe proposed permission model: (i) imposing an adversarial ML environment [76];(ii) polluting the training set to bias the model to accept permissions; and (iii) ma-nipulating input features in order to get access without user notification. We as-sume in this work that the platform is not compromised; a compromised platformwill degrade any permission model’s ability to protect resources.A thorough analysis on this topic is outside of our scope. Despite that, welooked at the possibility of manipulating features to get access to resources with-out user consent. None of the behavioral features used in the model can be in-fluenced, since that would require compromising the platform. An adversary cancontrol the runtime features for a given permission request by specifically choos-ing when to request the permission. We generated feature vectors manipulatingevery adversary-controlled value and combination from our dataset, and testedthem on our model. We did not find any conclusive evidence that the adversary89can exploit the ML model by manipulating the input features to get access to re-sources without user consent.As this is not a comprehensive analysis on attack vectors, it is possible thata scenario exists where the adversary is able to access sensitive resources with-out prompting the user first. Our preliminary analysis suggests that such attacksmay be non-trivial, but more work is needed to study and prevent such attacks,particularly examining adversarial ML techniques and feature brittleness.3.8.6 Experimental CaveatWe repeat a caveat about our experimental data: users were free to deny permis-sions without any consequences. We explicitly informed participants in our studythat their decisions to deny permission requests would have no impact on theactual behavior of their applications. This is important to note because if an appli-cation is denied a permission, it may exhibit undefined behavior or lose importantfunctionality. In fact, researchers have noted that many applications crash whenpermissions are denied [44]. If these consequences are imposed on users, theymay decide that the functionality is more important than their privacy decision.If we actually denied permissions, users’ decisions may skew towards a de-creased denial rate. The denial rates in our experiments therefore represent theactual privacy preferences of users and their expectations of reasonable applica-tion behavior—not the result of choosing between application functionality andprivacy. We believe that how people react when choosing between functionalityand privacy preferences is an important research question beyond the scope of thispaper. Such a change, however, will not limit this contribution, since our proposedmodel was effective in guarding resources of the users who are selective in theirdecision making—the proposed classifier reduced the error rate of Contextuals by44%.We believe that there are important unanswered questions about how to solvethe technical hurdles surrounding enforcing restrictive preferences with minimalusability issues. As a first step towards building a platform that does not force90users to choose between their privacy preferences and required functionality, wemust develop an environment where permissions appear—to the application—tobe allowed, but in reality only spurious or artificial data is provided.3.8.7 Types of UsersWe presented a categorization of users based on the significance that the appli-cation’s visibility played towards their individual privacy decisions. We believethat in an actual permission denial setting, the distribution will be different fromwhat was observed in our study. Our categorization’s significance, however, mo-tivates a deeper analysis on understanding the factors that divide Contextuals andDefaulters. While visibility was an important factor in this division, there maybe others that are significant and relevant. More work needs to be done to ex-plore how Contextuals make decisions and which behaviors correlate with theirdecisions.3.8.8 User Interface PanelAny model that predicts user decisions has the risk of making incorrect predic-tions. Making predictions on a user’s behalf, however, is necessary because per-missions are requested by applications with too high a frequency for manual ex-amination. While we do not expect any system to be able to obtain perfect accu-racy, we do expect that our 97% accuracy can be improved upon.One plausible way of improving the accuracy of the permission model is toempower the user to review and make changes on how the ML model makesdecisions through a user feedback panel. This gives users recourse to correctundesirable decisions. The UI panel could also be used to reduce the usabilityissues and functionality loss stemming from permission denial. The panel shouldhelp the user figure out which rule incurred the functionality loss and to changeit accordingly. A user may also use this to adjust their settings as their privacypreferences evolve over time.913.8.9 The Cost of Greater ControlA more restrictive platform means users will have greater control over the databeing shared with third parties. Applications that generate revenue based on userdata, however, could be cut off from their primary revenue source. Such an effectcould disrupt the current eco-system and force app developers to degrade appfunctionality based on the availability of the data. We believe the current eco-system is unfairly biased against users and tighter control will make the user anequal stakeholder. While more work is needed to understand the effects of a morerestrictive platform, we believe it is imperative to let the user have greater controlover their own data.3.8.10 ConclusionsWe have shown a number of important results. Users care about their privacy: theydeny a significant number of requests to access sensitive data. Existing permissionmodels for Android phones still result in significant privacy violations. Usersmay allow permissions some times, while denying them at others, implying thatthere are more factors that go into the decision-making process than simply theapplication name and the permission type. We collected real-world data from 131users and found that application visibility and the current foreground applicationwere important factors in user decisions. We used the data we collected to builda machine-learning model to make automatic permission decisions. One of ourmodels had a comparable error rate to AOFU and benefited from not requiringany user prompting. Another of our models required some user prompts—lessthan is required by AOFU—and achieved a reduction of AOFU’s error rate by81%.92Chapter 4ImplementationIn the previous chapter we trained an offline classifier by using participants’ re-sponses to runtime prompts. While we demonstrated that the ML approach holdspromise: the training data was solely based on participants’ stated privacy pref-erences, without considering the impact it might have on app functionality. Thatis, if participants state they would like to deny an unexpected permission request,but then discover that permission denial impacts app functionality, they may wishto reconsider that decision and grant the permission. Thus, the realtime classifierapproach requires validation through real-world usage, which is the basis for thischapter.We implemented and evaluated the usability of a novel mobile privacy man-agement system that builds heavily on prior prediction work. To resolve the long-standing challenges of mobile privacy management, in the previous chapter weproposed applying machine-learning (ML) to dynamically manage app permis-sions, whereas Tsai et al. [111] proposed a user interface design for that system.Both proposals applied Nissenbaum’s theory of Privacy as Contextual Integrity byenabling users to vary their privacy preferences based on contextual factors [83],but neither has been heretofore implemented and evaluated on real users in situ.We implemented these systems on the Android platform and performed a fieldstudy to evaluate their effectiveness at aligning app privacy behaviors with users’93expectations. The machine-learning (ML) model runs entirely on the device anduses infrequent user prompts to retrain and improve its accuracy over time. Whenthe ML model makes a mistake, the user interface is available to support the userin reviewing and modifying privacy decisions, thereby retraining the ML.We performed a 37-person field study to evaluate this permission system, mea-suring its efficacy and how it interacted with participants and third-party apps.We issued each participant a smartphone running a custom Android OS with ourpermission system that used an online classifier, which participants used as theirprimary phones for a one-week study period. This produced real-world usage datafrom 253 unique apps, which corresponded to more than 1,100 permission deci-sions. Overall, participants denied 24% of permission requests. Our data showthat AOFU matched participant privacy preferences only 80% of the time, whilethe new contextual model matched preferences 95% of the time, reducing the errorrate by 75%.In summary, the contributions of this chapter are as follows:• We implemented the first contextually-aware permission system that per-forms permission denial dynamically, which is an advancement over priorwork that only performed offline learning or did not regulate permissions inrealtime.• We show that AOFU not only lacks context, but it also fails to match users’privacy expectations 25% of the time, substantially hampering its ability toprotect user data.• We show opportunities and practical limitations for future work on moreusable mobile app permission systems.4.1 Related WorkSubstantial previous work has shown the ineffectiveness of mobile phone permis-sion systems. For ask-on-install (AOI) prompts, earlier investigations showed thatusers frequently did not pay attention to prompts or comprehend them. Users also94failed to understand the resources being protected [49, 55, 65, 116]. This lackof understanding hinders users’ ability to address potential risks that arise fromallowing access to sensitive resources; some users were even found wanting ret-ribution when the possible risks were revealed [48]. Another critical flaw withthe AOI model is that the user lacks any sense of context about how applicationsmight exercise the permissions granted to them. For example, users were sur-prised to learn that applications can continue to access those resources even whennot being actively used [64, 108].Prior research has used taint analysis and other information flow tracking tech-niques to understand how applications use sensitive data in the wild [43, 53, 67].While these techniques shed light on how applications access and share sensi-tive data, none gave users a mechanism to indicate their preferences regardingthe access of sensitive data. Other approaches did involve users, but those effortsrequired such a high degree of manual involvement as to overwhelm the averageuser and risk habituation [5, 60, 100].Nissenbaum’s theory of “contextual integrity” suggests that permission mod-els should focus not on sensitive resources, but rather on information flows—fromsource to destination—that are likely to defy the user’s expectations [82]. In an at-tempt to systematize Nissenbaum’s theory, Barth et al. [20] extended the theory tosmartphones. They suggest that it is important to consider the context in which theresource request is made, the role played by the requesting app under the currentcontext, and the type of resource being accessed. To the best of our knowledge,we are the first to perform a field study to understand how users perceive sensitiveresource usage by apps in the wild. We found that users consider the visibilityof the requesting application in deciding whether a particular information flow isacceptable.Machine learning has recently gained traction as a promising approach to pre-dict user privacy decisions. Machine learning can significantly reduce the user’sinvolvement in decision-making and therefore reduce habituation—the problemwhere users see so many notifications that they become desensitized to future re-95quests, thereby making poor decisions. Previous work in this direction developedtechniques to cluster users [72, 73, 97] and built recommender systems [125].Liu et al. clustered users by privacy preferences, then subsequently predicted userpreferences to applications’ future permission requests using the inferred clus-ter [74]. The authors developed a privacy assistant to recommend privacy settingsusers should adopt based on their inferred cluster. The biggest drawback in theseworks, however, is their lack of consideration for the rich signals that contextprovides, which we found to be a significant factor in decision making [117, 118].Access Control Gadgets (ACGs) are a proposed mechanism to more closelyassociate sensitive resource accesses to particular UI elements [78, 94, 95], sousers are more aware when those accesses occur. Examples of this are the “filechooser” and “photo picker” widgets. While such an approach helps the users bebetter aware of resource accesses, it has two main limitations. First, applicationsare known to legitimately access resources when the user is not actually usingthe device, and therefore the user cannot receive any visual cues. Second, basedon our data in the first field study, the frequency of permission requests made bysmartphone apps makes systematic use of ACGs impractical [117].After Android’s switch to the AOFU permission model, research followed thatinvestigates how users perceive it. Bonn et al. looked into understanding whatmotivates users to (i) install an app, (ii) allow or deny an AOFU prompt, and (iii)uninstall an app [25]. Other works investigate the consistency of user decisionsacross application categories under this permission model [7, 8]. Closely relatedare two works that proposed using contextual cues to better predict and protectuser data [84, 118]. In both of these works, contextual cues are used to builda machine-learning-based permission model to increase the accuracy of the sys-tem as compared to the default Android permission model. However, Olejnik etal. [84] only focused on a selected set of applications and resources.964.2 ImplementationWe implemented a complete ML pipeline that includes: mechanisms to allowusers to review and redress their decisions based on Tsai et al. [111]; ways to maskresource denial from apps so that apps continue to run, even when permissions aredenied (unless those permissions were critical to their functionality); and finally,a classifier that takes surrounding contextual signals to predict user preferencesfor each permission request. This means our usability study is a more accurateassessment of how the system behaves in the wild than the previous investigations,which relied on user expectations rather than consequential privacy decisions.4.2.1 A Local SVM ClassifierIn the previous chapter, we implemented an offline model and suggested thiscould be deployed as a remote web-accessible service in order to shift computecosts from the mobile device to a more powerful dedicated server [118]. Wenote, however, that this design requires sending privacy-relevant data beyond thesmartphone, which creates a larger attack surface and increases system costs andcomplexity. It also creates significant security risks if the server responsible formaking decisions is compromised or is trained with spurious data.To mitigate these security and privacy issues, we implemented and integratedthe full SVM classifier into the Android operating system as a system service.We ported the open-source implementation of libsvm to Android 6.0.1 (Marsh-mallow) [30], and built two additional system-level services to interface with theSVM: the SVMTrainManager, which trains the model using user-provided pri-vacy preferences through prompts (See Figure 4.1); and the PermissionService,which uses the SVM to regulate applications accessing permission-protected re-sources and issues a prompt for the user for cases when the model produces low-confidence predictions. The SVMTrainManager notifies the PermissionServicewhen the model is trained and ready for use. These two new services are im-plemented into the core Android operating system, and neither are accessible to97third-party apps. On average, model training takes less than 5 seconds. We instru-mented all Android control flows responsible for sharing sensitive permission-protected data types to pass through this new pipeline.BootstrappingWe deployed our trainable permission system along with a generic model that waspre-trained with the real-world permission decisions of 131 users, collected fromour previous chapter [118]. This ensured that a new user has an initial model formaking privacy decisions. This initial model, however, is inadequate for accu-rately predicting any particular individual user’s preferences, because it simplyhas no knowledge of that particular user. Despite that, we, in the previous chapter,showed that our model only needs 12 additional user-provided permission deci-sions before the model attains peak accuracy. Given this, our system requires thatthe user make 12 decisions early on to train the initial model to that particularuser’s preferences.The initial 12 decisions are selected based on weighted reservoir sampling. Weweigh the combination of application:permission:visibility1 by the frequency thatthese are observed; the most-frequent combinations are the likeliest to produce apermission request prompt (Figure 4.1). The intuition behind this strategy is tofocus more on the frequently occurring permission requests over rarer ones. Weused these same prompts for validating our classifier during the field study.Feature SetOur model considers the name of the application requesting the permission, theapplication in the foreground at the time of the request (if different than the appli-cation making the request), the requested permission type (e.g., Location, Camera,Contacts), and the visibility of the application making the request. In a pilot study(discussed later), our system implemented the full feature set described in the1“application” is the app requesting the permission, “permission” is the requested resourcetype, and “visibility” denotes whether the user is made aware that the app is running on the device.98Figure 4.1: A screenshot of a permission request prompt.previous chapter. This design, however, resulted in a noticeable reduction in de-vice responsiveness as reported by multiple study participants. We subsequentlyremoved the “time of request” feature for the second phase of our study. Theremoval of the time feature from the ML enabled the platform to cache highernumber of ML decisions saving the overhead stemming from running the ML for99each different permission request.4.2.2 Sensitive ResourcesPrevious work by Felt et al. argued that certain permissions should be presentedas runtime prompts, as those permissions guard sensitive resources whose usecases typically impart contextual cues indicating why an app would need thatresource [47]. Beginning with Android 6.0 (Marshmallow), the OS designatedcertain permissions as “dangerous” [54], and prompts the user to grant or denypermission when an app tries to use it for the first time. The user’s response to thisprompt then carries forward to all future uses of that resource by the requestingapplication.Our experimental permission system uses both Felt’s set of recommended per-missions for runtime prompts and Android’s own “dangerous” ones. We did, how-ever, opt to omit a few permissions from the resulting set that we viewed as irrel-evant to most users. The INTERNET and WRITE_SYNC_SETTINGS permissionswere discounted, as we did not expect any participant (all recruited locally) toroam internationally during the 1-week study period. We eliminated the NFC per-mission because previous work demonstrated that very few apps operate on NFCtags. Our system ignores the READ_HISTORY_BOOKMARKS permission, as thisis no longer supported.We extended the frameworks we used in the last two chapters to monitor andregulate all attempts by apps to resources protected by any of the 24 permissionswe monitored. We avoid false positives by monitoring both the requested permis-sion and the returned data type.4.2.3 Permission DenialMaking changes to the permission system carries the risk of app instability, as appsmay not expect to have their resource requests denied [44]. If denying permissionsresults in frequent crashes, then users are likely to become more permissive simplyto improve app stability. We therefore designed our implementation with this100concern in mind: rather than simply withholding sensitive information in the eventof a denied permission, our system supplies apps with well-formed but otherwisenon-private “spoofed” data. This enables apps to continue functioning usefullyunless access to the permission-protected resource is critical to the app’s correctbehavior.For example, if an app requests access to the microphone, but our permissionsystem denies it, the app will still receive a valid audio stream: not an actualsignal from the microphone, but that of a pre-recorded generic sound. (In ourimplementation we used a loop of a whale song). This design allows apps tooperate on valid data while still preserving user privacy.Permission-protected databases (e.g., contact lists and calendars) require finer-grained regulation under our permission system. For instance, an app may havea legitimate need to access the contact list. Under the stock Android permissionsystem, an app is either able to read all contacts or no contacts. We improveupon this by adding a notion of provenance to each entry: every contact list itemcontains a field that records the app that created the entry. If our permission systemdenies an app access to the contact list, the app is still able to write into the contactsdatabase and read back any entries that it previously created. Apps without thesedatabase permissions are effectively placed in a sandbox, in which they can stillcarry out valid operations on their own versions of the data. They neither producean exception nor obtain all the information in the database. We allow full accessto the databases only to apps that are granted the appropriate permission.4.2.4 Contextually Aware Permission ManagerWe recognize that our classifier is bound to make mistakes. Therefore, it is cru-cial to provide a mechanism for users to review and amend decisions made by thepermission model on their behalf. Mobile operating systems have configurationpanels to manage app permissions, but these fail to provide users key informa-tion or options to make informed decisions. However, recent work by Tsai etal. [111] proposed a new interface to solve this problem. The authors evaluated101Figure 4.2: The recent-allowed app activitytheir design using interactive online mock-ups and found that the design signifi-cantly improved user experience over the stock configuration panel. We followedthe authors’ recommendations in the design of our own permission manager im-plementation.We built our contextual permission manager as a system-space app, similar102Figure 4.3: A list of installed apps and their associated permissionsto Android’s Settings app (Figure 4.2, Figure 4.3, Figure 4.4). Our permissionmanager has three main objectives: (i) to display all recent permission requestsand the corresponding “allow” or “deny” decisions from the ML model; (ii) toallow users to review and change app permissions; and (iii) to display all theresources an app can access.103Figure 4.4: Permissions can be always granted, granted only when in use, or nevergranted (bottom).When users set preferences(rules) in the permission manager, before makinga ML decision, platform checks to see if the user has set any rules for the currentrequest; if a match is found, rather than going to the ML, platform will use thecurrent rule to respond to the permission request accordingly. The system does104not use these user-set rules to train the ML model, it is hard to capture the contex-tuality behind these changes so the platform can not create any of the contextualfeatures to train the ML.4.3 Validation MethodologyWe tested our implementation by performing a field study with 37 participants.Our goals were to understand how third-party apps and end-users react to a morerestrictive and selective permission model, as compared to the default AOFUmodel.For a period of one week, each participant used a smartphone (Nexus 5X)running a custom version of the Android OS (a variation of Android 6.0.1) builtwith the new permission system detailed in the previous section. During the studyperiod, all of a participant’s sensitive data was protected by the new contextually-aware permission model.4.3.1 Participant’s Privacy PreferencesWe used the Experience Sampling Method (ESM) to understand how participantswant to control certain sensitive resource accesses [59]. ESM involves repeatedlyquestioning participants in situ about a recently observed event; in our case, theevent is an app requesting access to a sensitive resource. We probabilisticallyasked them about an application’s recent request to access to data on their phone,and how they want to control future similar requests (Figure 4.1). We treatedparticipants’ responses to these ESM prompts as our main dependent variable,which we used to validate the accuracy of the decisions that the classifier wasautomatically making.Each participant during the study period responded to 4 prompts per day, andat most one per hour. The prompting was divided into two phases. The first phasewas the bootstrapping phase, which we described earlier, to train the classifier.The second phase was the validation phase, which was used to measure the accu-105racy of the ML model. In addition to the validation phase prompts, participantsmight also have occasional prompts for low-confidence decisions made by theML; a detailed discussion on low-confidence decisions is provided later. Duringour study period, only 4 participants ever experienced low-confidence prompts.4.3.2 RecruitmentWe recruited participants in two phases: a pilot in May 2017 and the full studyin August 2017. We placed a recruitment ad on Craigslist under “et cetera jobs”and “domestic gigs.”2 The title of the advertisement was “Smartphone ResearchStudy,” and it stated that the study was about how people interact with their smart-phones. We made no mention of security or privacy. Interested participants down-loaded a screening app from the Google Play store, which asked for demographicinformation and and collected their smartphone make and model. We screened outapplicants who were under 18 years of age or used CDMA providers, since ourexperimental phones were only GSM-compatible. We collected data on partici-pants’ installed apps, so that we could pre-install free apps prior to them visitingour laboratory. (We only encountered paid apps for a few participants, and thoseapps were installed once we setup their Google account on the test phone.)We scheduled a time with participants who met the screening requirements todo the initial setup. Overall, 63 people showed up to our laboratory, and of those,61 qualified (2 were rejected because our screening application did not identifysome CDMA carriers). The initial setup took roughly 30 minutes and involvedtransferring their SIM cards, helping them set up their Google and other accounts,and making sure they had all the applications they used. We compensated eachparticipant with a $35 gift card for showing up.During the pilot phase, out of 20 people who were given phones, 14 partici-pants had technical issues with the phone preventing them from using it, leavingonly 6 participants with usable data. During the main phase, out of 42 people whowere given phones, we had the following issues:2Approved by the UC Berkeley IRB under protocol #2013-02-4992106• 4 participants mis-interpreted our ESM prompts so we filtered out theirprompt responses;• 5 participants suffered from a bug in the code that inhibited the validationphase of the ML;• 2 participants performed factory resets on the phone before returning it,which destroyed stored logs.This left 31 participants with usable data from the main phase. We combined the6 participants with usable data from the first phase with the 31 from the secondphase to produce our sample of 37 users, since we did not alter the study betweenphases. All our results are drawn from log data and interview responses fromthose 37 users. Of that population, 21 were female and 16 were male; ages rangedfrom 18 to 59 years old (µ = 34.25, σ = 9.92).After the initial setup, participants used the experimental phones for one weekin lieu of their normal phones. They were allowed to install, use, and uninstallany apps that they wanted. Our logging framework kept track of every protectedresource accessed by an app, along with the contextual data surrounding eachapplication request. All the logged events were stored compressed in the localsystem.4.3.3 Exit InterviewWhen participants returned to our laboratory, we first copied the log data fromthe phones to make sure that they had actually used the phone during the studyperiod. We then administered a semi-structured exit interview, which had fourcomponents:• New Permission Manager UI—We asked participants to show us how theywould use the UI (Figure 4.2, Figure 4.3, Figure 4.4) to block a given ap-plication from accessing background location data, as well as how difficultthey found it. We also checked our data to see how they interacted withthe UI during the study period, and asked them about the circumstances for107those interactions. The objective of this task was to validate the design ob-jectives of the UI, including whether they use it to resolve issues stemmingfrom resource denial.• Permission Prompts—We asked participants questions about permissionprompts they had encountered during the study. We asked why they allowedor denied permission requests and also how they felt about the prompts.We asked them to rate their experience with the prompts across 3 differentcategories: levels of surprise, feelings of control, and to what extent theyfelt the new system had increased transparency. The objective of this sectionwas to understand the impact of the runtime prompts.• Permission Models—We asked participants questions about their perspec-tives on the privacy protections in Android. We asked how much they un-derstood the current system. We then explained our new system, and askedhow they felt about letting ML act on their behalf. The objective of thissection was to understand how much participants actually understood thenew permission model.• Privacy Concerns—Finally, we asked participants how they usually makeprivacy decisions on their mobile devices, how serious they are about pri-vacy, and how much are they willing to pay for privacy. We also askeddemographic questions.Three researchers independently coded 144 responses to the Permission Promptsand Permission Model questions (the other questions involved either direct obser-vations or reporting participants’ responses verbatim without the need for coding).Prior to meeting to achieve consensus, the three coders disagreed on 17 responses,which resulted in an inter-rater agreement of 86.43% and Fleiss’ kappa yielded0.747, indicating substantial agreement.After the exit survey, we answered any remaining questions, and then assistedthem in transferring their SIM cards back into their personal phones. Finally, wecompensated each participant with a $100 gift card.1084.4 ResultsAt the end of the study period, we collected 1,159 privacy decisions (prompt re-sponses) from 37 participants. A total of 133 unique applications caused promptsfor 17 different sensitive permission types. During the study period, 24.23% of allruntime prompts were denied by participants. Most (66%) of these prompts oc-curred when the requesting application was running visibly. Our instrumentationlogged 5.4M sensitive permission requests originating from 253 unique applica-tions for 17 different permission types. On average, a sensitive permission requestoccurred once every 4 seconds.In the remainder of the chapter, we describe the shortcomings of the existingask-on-first-use permission model, both in accuracy and in aligning with users’expectations; we show how our proposed system has vastly greater accuracy ininferring users’ privacy preferences and applying them towards regulating appli-cation permissions; and we show that is does this with minimal impact on appfunctionality. Finally, we present results from the exit interviews regarding partic-ipants’ perceptions about the training prompts and the privacy management userinterface.4.4.1 Status Quo ProblemsIn the “ask-on-first-use” (AOFU) model, the user receives prompts to grant indi-vidual permissions, but only the first time an app requests them. Requesting thesepermissions at runtime allows the user to infer the potential reason for the request,based on what they were doing when the request occurred (i.e., context). AOFU’sshortcoming, however, is that it naïvely reapplies the user’s first-use decision insubsequent scenarios, without adapting to different contexts. In the previous chap-ter (Sec 3.4), we show that failing to account for changing contexts produces higherror rates.We note that, in the previous study, we attempted to measure the accuracyof the AOFU model by merely collecting users’ responses to runtime permission109prompts, without actually enforcing them by denying apps access to data [118].Thus, the accuracy rates reported by that study may not actually be accurate, sinceusers may elect to change their permission-granting preferences, if they result ina loss of application functionality. Thus, we evaluated the performance of theAOFU approach (in current use by Android and iOS) by presenting participantswith permission prompts that actually resulted in the denial of application permis-sions.During the study period, each participant responded to combinations of appli-cation:permission more than once. As AOFU is deterministic, we can simulateit by comparing a user’s first response to a application:permission combinationto future responses to the prompts for the same app and permission. We use thisdata to measure how often AOFU matches the user’s preference in subsequentrequests.Our data show that the AOFU permission model has a median error rate3 of20%: in more than one-fifth of app requests for permission-protected resources,participants changed their initial response for the same application:permissioncombination. Of the 37 participants, 64% had at least one such discrepancy be-tween the first-use and subsequent preferences. This refutes AOFU’s core as-sumption that only few users will deviate from their initial preferences in futurecases. This observation corroborates our previous data. [118], in which 79% of131 participants were shown to deviate from their initial responses in subsequentcases.The errors shown in AOFU, could be either privacy violations or losses offunctionality. A privacy violation occurs when the system grants an app accessto a protected resource, contrary to the user’s preference, had she been prompted.Loss of functionality occurs when the permission system denies access to a pro-tected resource, which the user would have otherwise permitted. We considerprivacy violations to be the more severe type of error, as the user is unable to3The median value is reported because the error rate is not normally distributed among partic-ipants.110take back sensitive information once an app has acquired it and transmitted it toa remote server. However, loss of functionality is still undesirable because thoseerrors might incentivize the user to be overly permissive in order to regain thatfunctionality. From our data, we found that 66.67% of AOFU errors were privacyviolations; the remaining 33.33% were losses in functionality.AOFU User ExpectationsErrors in permission systems could arise from a variety of reasons. Mismatcheduser expectations and lack of comprehension are two critical ones, which couldhamper any permission model’s utility. User comprehension is critical becauseusers may make suboptimal decisions when they do not fully understand permis-sion prompts, hindering the ability of the permission system to protect sensitivesystem resources. Users must be able to comprehend the decision they are makingand the consequences of their choices. Recent work on AOFU has examined themotives behind users’ decisions and how it varies between categories of applica-tions, as well as how people adapt their behavior to the new model [7, 8, 25].In our study, the participants had, on average, 5 years of experience with An-droid. This indicates that most of our participants have experienced both install-time permissions—the permission model prior to Android 6.0, released in 2015—and runtime “ask-on-first-use” permission prompts. The majority of participantssaid they noticed the shift to AOFU prompts, and they were aware that theseprompts are a way to ask the user for consent to share data with an app. A largeminority of participants (≈40%), however, had an inadequate understanding ofhow AOFU works, which could substantially hinder that permission model’s ef-fectiveness in protecting user data.Four out of the 37 participants expressed doubts about the rationale behindthe prompts. Rather than seeing permission prompts as a way for users to reg-ulate access to their sensitive data, these participants viewed these prompts as amechanism to extract more information from them:“When I see prompts, I feel like they want to know something about111me, not that they want to protect anything.” (P21)One possible explanation is that some users grew accustomed to install-timeprompts, and subsequently perceived the change to runtime prompts as a new wayfor Android to collect user data. Although it is impractical to project how preva-lent this sentiment is in the general population, we cannot reject its existence.Hence, more work is needed to measure its impact and explore the potential solu-tions.A third (31.4%) of our participants were not aware that responding to anAOFU prompt results in a blanket approval (or denial) that carries forward toall the app’s future uses of the requested resource. Most participants believed thatresponses were only valid for a certain amount of time, such as just for that ses-sion or just that single request. This misconception significantly hinders AOFU’sability to correctly anticipate the user’s preferences in future occurrences. Again,this observation raises the question of whether users would respond differently ifthey had a more accurate understanding of how AOFU works:“[I] didn’t know that granting a permission carries forward in thefuture until otherwise changed. [I] expected permissions to be forjust that one use.” (P25)It is clear that granting blanket approval to sensitive resources is not what usersexpect all the time. On the other hand, had our participants been asked for theirinput on every permission request, they would have received a prompt once every4 seconds—involving the user more frequently has practical limitations. How,then, can we best project users’ privacy preferences to future scenarios withoutoverwhelming them with prompts?4.4.2 Classifier AccuracyDuring the week-long study period, each participant was subject to two opera-tional phases of the contextual permission system: (a) the initial learning phase,112where participant responses to prompts were used to re-train the SVM classi-fier according to each individual’s preferences, and (b) the steady-state validationphase, where responses to prompts were collected to measure the accuracy of theclassifier’s decisions.As previously discussed in our section on bootstrapping, we use weightedreservoir sampling during the learning phase to prioritize prompting for the mostcommonly observed instances of application:permission:visibility combinations.During the validation phase, participants received the same prompts, triggered byrandom combinations of features. This ensured that we collected validation resultsboth for previously-encountered and new combinations. We placed a maximumlimit of 3 prompts per combination in order to further improve prompt diversityand coverage. After presenting participants with prompts, the instrumentationrecorded the response and the corresponding decision produced by the classifier.Using participant responses to prompts as ground-truth, we measured the classi-fier’s accuracy during the validation phase. From our sample of 37 participants,we had to exclude 6 of them due to a cache coherency bug that was discoveredafter the pilot, which degraded classifier performance. For the remainder of thissection, our results are drawn from the remaining sample of 31, unless otherwisenoted.Taken as a whole, these 31 participants responded to 640 total prompts in thevalidation phase. Our contextual permission model produced a median accuracyof 90%, compared to 80% under AOFU for the same population. The classifierreduced AOFU’s error rate by 50%, with the majority of classifier errors consistingof privacy violations (i.e., access granted when the user would have denied it).Offline LearningWe were curious whether the accuracy of our system could be improved throughthe use of offline learning, which would require much more computing power.Using participant responses to permission prompts, we analyzed how an offlineSVM classifier would perform. We implemented the SVM model using the KSVM113module in R. We performed this analysis on data from all 37 participants, usingleave-one-out cross-validation to evaluate how the offline classifier would performfor each participant.The offline model had a median accuracy of 94.74% across the 37 participants.By comparison, AOFU had a 80% accuracy for the same population. This repre-sents a 75% error reduction in the offline contextual model compared to AOFU.These numbers corroborate prior findings [118]. We stress the significance of thiscorroboration, because the results hold in the presence of actual resource denial,which was not examined in the prior study. This suggests that users will con-tinue to indicate their true preferences in response to prompts, even when thosepreferences are enforced, potentially resulting in unanticipated app behavior.We note the accuracy difference between the SVM classifier we integrated intoAndroid and the R model (90% vs. 94.74%, respectively). This is due to how theAndroid SVM implementation performs the bootstrapping. This issue is not in-herent to integrating an SVM classifier into Android. An updated implementationhas the potential to reach the maximum accuracy observed in the offline model.Decision ConfidenceIn the previous chapter we demonstrated how to use decision confidence to de-termine for which application:permission:visibility combinations users should beprompted in the validation phase(Sec 3.6.2). The rate of decision confidence isalso a measure of the extent to which the classifier has learned the user’s prefer-ences. The authors suggested that if this rate does not decrease over time, thenAOFU will likely be a better system for those users.In addition to the prediction, our classifier also produced a class probability,which we used as the measure of decision confidence. The classifier produced abinary result (i.e., allow or deny) with a cutoff point of 0.5. A decision probabilityclose to the cutoff point is a less confident result than one far from it. We usedthe 95% confidence interval as a threshold to determine which decisions werelow-confidence and which ones were not.114Only 4 of our field study participants experienced low-confidence classifierdecisions that caused a prompt to appear after the bootstrapping period. Each ofthese participants had just one such low-confidence prompt appear. These promptsretrained the classifier, so the lack of any subsequent low-confidence prompts in-dicates that the classifier produced high-confidence predictions for the same ap-plication:permission:visibility combination in future cases.The lack of additional training prompts also suggests that users are less likelyto become habituated to prompting. The 4 participants who each received oneadditional prompt saw a total of 13 prompts (including the 12 prompts duringthe training phase). The remaining 27 participants saw just the 12 training phaseprompts. Had our participants been subject to AOFU instead of our contextualpermission system, they would have received a median of 15 prompts each, witha quarter of the participants receiving more than 17. Instead, we achieved a 75%error reduction (80% vs. 94.74%) and reduced user involvement by 20% (12prompts vs. 15) through the use of classifier-driven permissions, compared toAOFU.4.4.3 Impact on App Functionality (and Stability)Previous research has shown that many applications do not properly handle caseswhere they are denied permission to access a protected resource [44]. One coreobjective of our work was to measure how apps responded to a stricter permissionmodel than AOFU. For example, the system will be unusable if it causes erraticapplication behavior, through the use of dynamically granted permissions.In the field study, our platform instrumentation recorded each application crashand its corresponding exception message. This information allowed us to identifythe possible root cause of the crash and whether it was related to resource denial.We observed 18 different exceptions classes, such as SecurityException,RuntimeException, and NullPointerException. For the remainder of this sec-tion, we will only discuss SecurityExceptions, as this class is directly related toresource denials. Almost all (98.96%) of the recorded SecurityExceptions were115observed on the devices of just two participants. Each of the remaining partici-pants encountered, on average, 18 SecurityExceptions during the study period(i.e., roughly 3 SecurityExceptions per day per participant).Almost all (99.93%) SecurityExceptions were caused when apps attemptedto read subscriber information (i.e., the READ_PHONE_STATE permission, usedto obtain the phone number). In the event of a READ_PHONE_STATE denial, wedesigned our implementation to not supply the app with any phone number data.We had considered supplying a randomly-generated phone number, but decidedagainst it due to potential risks, if the generated number were a valid phone num-ber belonging to someone else.For other denials, we opted to supply apps with generated data to ensure theircontinued operation, without actually exposing private user data. During the studyperiod, the classifier denied 10.34% of all permission requests; more than 2,000denials per participant per day. Our implementation, however, only recorded anaverage of 3 SecurityExceptions per day per participant. This indicates thatpassing synthetic but well-formed data to apps in lieu of actual private user datadoes satisfy app functionality expectations to a great extent.Our results are a positive sign for future permission systems more restrictivethan the current AOFU model: permissions can be more restrictive without forcingthe user to trade off usability for improved privacy protection, as we will show inthe next section. If apps gracefully handle resource denials, then users are free tospecify their privacy preferences without risking functionality issues.4.4.4 User Reactions to PromptsThe use of runtime prompts was initially proposed as a mechanism to obtainbetter-informed consent from users. At the end of the study period, we conductedexit interviews with each participant in order to determine the extent to whichthese assumptions were met.We measured how much participants were surprised to see the prompts duringthe course of the study period (on a scale of 1=“not surprised” to 5=“very sur-116prised”). Participants expressed an average rating of 2.7. Almost half (44%) ofthe participants indicated that the prompts surprised them, and among them, 70%were surprised at the frequency with which the prompts appeared (up to 4 timesper day), though few participants expressed annoyance by that frequency (8.33%).We asked participants to rate how much they felt that they were in control ofresource usage (on a scale of 1=“nothing changed compared to default Android” to5=“very much in control”). On average, our participants rated their experience as3.44. Almost half (44%) of participants felt that they were in control of the systemas a result of the prompts. A small number (14%) still felt helpless, regardless oftheir responses to the prompts. They felt resigned that applications would alwaysobtain their data.Finally, we asked participants how they felt about the transparency providedby the new system compared to their previous Android experiences (on a scale of1=“nothing changed” to 5=“improved system transparency”). On average, partic-ipants rated system transparency in the middle (3). Almost half (47%) of them feltthat the new system was more transparent. A minority (14%) mentioned wantingto know why apps were requesting particular sensitive data types.From these observations, we believe that the new contextual permission sys-tem is a positive step toward improving user awareness. We believe this enablesusers to make better privacy decisions for themselves. Although additional workis needed to address some negative sentiments about the current implementation,this system has shown to be in the right direction overall.4.4.5 User Reactions to ControlsWhenever an automated system makes decisions on a user’s behalf, there is theinevitable risk that the system will make an incorrect decision. In our case thiscan cause apps to be over-priveledged and risk privacy violations, or be under-privledged and risk app failure or reduced functionality. It is important to em-power users so they can easily audit the decisions that were made on their behalfand to amend those decisions that are not aligned with their preferences.117In our implementation, we built a user interface based on prior work by Tsaiet al. [111]. This system allowed our participants to view automated permissionsdecisions made by the classifier, as well as set privacy preferences with respect tocontext (i.e., the visibility of the requesting app). We included this user interfaceas part of the operating system, as a panel within the system settings app.When we on-boarded our participants, we mentioned to them that there wasa new “permission manager” available, but to avoid priming them, we made surenot to emphasize it in any particular way. Our instrumented platform logged everytime participants interacted with our permission manager to understand how theyused it.Fifteen of the 37 participants (40.5%) opened the permission manager duringthe study period. Our implementation logged a total of 169 preference changesacross these participants. Only 6 out of 37 participants (16.2%) changed the set-tings to be more restrictive. Of the adjustments made towards more restrictiveness,the majority were for the GET_ACCOUNTS permission, which prevents apps fromreading the user’s stored credential data (e.g., usernames linked to accounts onthe device, such as for Google, Twitter, etc.). In contrast, the most-common per-mission that participants adjusted to be more permissive was READ_CONTACTS.When asked for their motives behind these changes, the majority of participantssaid that functionality was their main reason for granting more access, and thesensitivity of data for restricting access.We also asked participants to demonstrate how they would change the settingsof a familiar app to only be able to access their location when they are using thatapp. We based this task off of one of the evaluation tasks performed by Tsaiet al. [111], when they performed an online study to evaluate a low-fidelity pro-totype of the design on which we based our user interface. All but two of ourparticipants were able to correctly complete this task using the user interface. Par-ticipants rated the average ease of the task as 1.15 (on a scale from 1=“very easy”to 5=“very hard”). We conclude that participants are able to understand the per-mission interface after having used it for a week, and without special instructions.118The permission manager also enables users to diagnose application crashesthat result from a resource denial (a feature not present in the original design onwhich we based it). In exit interviews, we examined how participants respondedto app crashes in their experiences with the device. The majority of participantsreported that their first step was to restart the app that had crashed. If that wasunsuccessful, they would then restart their phone. This informs the design of afuture system: if an app crashes as a result of a resource denial, the platformshould clearly communicate this to users or otherwise automatically adjust thepermissions on their behalf. This could be communicated through a dialog or inthe notification bar.4.5 DiscussionThe core objective of our 37-person field study was to analyze how a contextually-aware, more-restrictive permission model performs in the wild. We examinedhow participants balanced their privacy preferences with app functionality. Thismeasures the real-world applicability of predicting user privacy decisions with thehelp of contextual cues surrounding each permission request.Consequential DenialOverall, participants denied 24% of all prompted permission requests. This is a60% reduction in denials compared to the results from the previous chapter, whodid not enforce the user’s decision to deny a permission and prompted the userusing only hypothetical language: “given the choice, would you have denied...?”The decreased denial rate we observed is therefore unsurprising given that par-ticipants were now actually making a tradeoff between functionality and privacy,instead of expressing the degree to which privacy is important to them. Our resultsshow that even in the presence of consequential resource denial, contextual cueshelped to predict users’ privacy decisions and better aligned permission settingswith their expectations, as compared to the status quo.119Ask on First UseOur results corroborate our previous two chapters in showing that AOFU’s in-ability to capture the context surrounding users’ decisions is a cause of AOFU’ssignificant error rate. We also found that a significant portion of participants donot have an adequate understanding of how AOFU works, which further lim-its AOFU’s utility: 11 participants did not realize that their prompt responsesfor AOFU are taken as permanent decisions; and 4 participants interpreted theprompts as yet another mechanism for collecting user data instead of as a privacy-protection mechanism. While the actual impact of these inaccurate beliefs is yetto be explored, we believe that these issues need to be fixed in the future, in orderto increase Android’s ability to predict and protect user data effectively.Implementation LimitationsWhile our new permission model reduces the number of mis-predictions com-pared to AOFU by 50%, our offline analysis shows that it has the potential toreduce mis-predictions by 75%. A further examination revealed that the perfor-mance difference is due to the bootstraping of the training dataset in the imple-mentation. We note that difference is not inherent to running a classifier in An-droid, and so simply modifying our implementation to use these improvementswill allow it to achieve the same performance.PurposeWhile our new permission model outperforms AOFU, it still does not explain tothe user why an app needs to use a permission. In our exit interviews, we observedthat 14% of participants expressed the desire to know why apps made a requestin the first place. Previous work has shown that app functionality is a key factorin permission decisions [25]. If users were properly informed of the functionalityrequirement behind a permission request, then they might be better positioned tomake decisions that meet their privacy and functionality expectations.We believe that there are ways to extend contextual permission systems by120incorporating the actual purpose of the request. For example, after introducingAOFU permissions, Android started encouraging app developers to provide thereason behind their permission requests so that the user can include that in thedecision-making process [40]. Tan et al. [107] showed that similar prompts oniOS actually resulted in users being more permissive about granting permissionsto apps. Similarly, prior work has attempted to use static analysis to automaticallyincorporate inferred purpose [71, 74].Resource DenialWhen deploying more-restrictive permission systems, it is important that appscontinue to run without entering into an error state that results from a resourcedenial. Users should be able to select their privacy preferences with minimaldisruption to their experience; apps must not be able to force an ultimatum bysimply not functioning if a permission is denied. Indeed, some participants simplyallow most permission requests because that ensures their apps run properly.The platform, therefore, is responsible to ensure that apps handle resourcedenials gracefully. To their credit, when Android introduced AOFU, it imple-mented some permission denials to appear like a lack of available data or thenon-existence of hardware, instead of throwing a SecurityException. In ourimplementation, we take the extra step of supplying apps with generic but well-formed data in the event of a denial. We observed that our participants tended todeny more permissions as they progressed through the study period (on average20% denial in the learning phase versus a 26% denial rate during the validationphase). Those participants also experienced a low rate of app failures due to re-source denials. In the future, platforms should implement measures to reducefunctionality losses stemming from having stricter privacy preferences. Failing todo so might otherwise compel users to compromise on their privacy preferencesfor the sake of functionality.121Remedying Unexpected BehaviorRegardless of any mitigations to avoid app crashes, it is practical to assume thatapps will crash when they fail to receive expected data under certain circum-stances. One way to remedy this is to give users tools to adjust the behaviorof the permission system, such as being able to be more permissive to certainapplications in certain contexts. This approach, however, assumes that (i) usersaccurately attribute a crash event to a resource denial, which may not always bethe case, and (ii) users are sufficiently technical to identify which resource denialcaused the crash. In our implementation of a new permission manager, we addressthe latter assumption by providing users a timeline of recent decisions made bythe new permission system, which can be used to deduce the cause of a crash.Our exit interviews showed that few participants would think to check the per-mission manager following an application crash, so clearly more work is neededhere. With proposals for more-accurate and more-restrictive permission models,it is necessary to have usable mechanisms to deal with inevitable crashes due toresource denials. The platform should provide mechanisms either to help the userdiagnose and resolve such crashes, or to automatically fix permissions on a tem-porary basis and give the user an option to make the fix permanent.ConclusionThis study shows how applications and users respond to a real-world deploymentof a novel contextually-aware permission model. The new permission systemsignificantly reduced the error rate from that of the prevailing “ask-on-first-use”model first deployed in Android 6.0. While prior work already demonstrated waysto increase the protection provided by new permission models, we believe ourstudy provides opportunities to further improve performance and address practicallimitations in actual implementations.122Chapter 5DiscussionThe primary goal of this thesis is to develop a permission system that is capableof protecting user’s private smartphone data – so that user’s privacy preferencesare better met compared to current systems. Reaching that goal required under-standing how users make privacy decisions, understanding different circumstancesunder which mobile applications access resources, and devise ways a mobile plat-form can align platform protection with user privacy preferences.We started the project with three hypotheses: a) currently deployed permissioncontrols are not efficient in protecting user’s private data, b) users are likely to takeadvantage of finer grained permission controls, and if such options are available,c)the context surrounding the permission decision will play a critical role in user’sprivacy decisions. To test our hypothesis, we conducted two (one-week long)field studies and one (six-week long) longitudinal field study. We have collected6K privacy decisions using Experience Sampling – to collect their in-situ privacypreferences– from more than 200 real-world users and also collected more than200M real-world data points on resource usage and contextual information on howparticipants used the phone during the study period.More than 80% of our participants wanted to block at least one sensitive per-mission request during the study period showing their desire to have finer grainedpermission systems compared to currently deployed Android permission system.123While making privacy decisions (allowing or denying), nearly half of the partic-ipants took the context surrounding each permission request into account – theremaining half, based on the factors we measured, didn’t seem to take the contextinto account. It could also be the case that, we are not fully aware of the actualfactors remaining participants are considering.During the period of the thesis, Android switched from Ask-on-install to Ask-on-first-use reducing the potential error rate from 75% to 15%, measured using thedata collected from the three field studies. While AOFU demonstrated a signifi-cant improvement, it does not fully capture the user decision when it confronts theuser to seek their consent on sharing their private data with an application. AOFUfalsely assumes once a user makes a privacy decision, it lasts forever regardlessof the surrounding context – this false assumption is solely responsible for theerror rate of AOFU. Based on our collected dataset, 70% of participants have atleast changed their initial decision in subsequent cases nullifying the AOFU coreassumption.Based on our collected privacy decisions, we designed and developed a con-textually aware permission system that reduces the user confrontation and signif-icantly increases the protection by taking the surrounding context into account.In the new permission system, once a user makes a privacy decision, the con-text in which the user made the decision is taken into account when it reuses theuser decision in subsequent cases. The new permission model has the potentialto have an 80% lower error rate compared to AOFU. The new permission modelwas first tested as an offline simulation, and then in the real world, interactingwith real-time user decisions and with data-hungry applications. While achievingthe increased protection and reduced user involvement, it also preserves the appfunctionality to a greater extent.5.1 Mismatched PersonasThe threat model of the new permission system is not to protect sensitive data frommalicious applications that exploit security vulnerabilities of the mobile platform.124It is to protect sensitive data from benign applications that access sensitive datawhen it is not expected by the user but through legitimate channels implementedin Android. Majority of the unexpected requests come from benign applicationswith a legitimate functionality. While understanding the motives behind developerpractices is beyond the scope of this work [13, 15], it is an important part of thebigger effort of building a more privacy-friendly ecosystem in mobile.In product development, personas have been a widely used technique wheredevelopers create hypothetical characters based on scenarios to guide the designprocess of the application [34, 90]. While this approach has been a success indesigning an application that is functionally efficient, personas can have a differentimpact on the privacy side of the application. The use of personas helps designersand developers design the application in a way a potential user from the targetedaudience would use it. This entails making assumptions about how their potentialaudience usage of the applications – these assumptions, inadvertently, include howthe potential user would share their data, with the outside world, in the process ofusing the application.How practical is it to assume potential users sharing practices? We show inprevious chapters [117, 118], each participant has a unique way of expecting dataaccesses which corroborates with previous work [2, 72, 103, 119]. ContextualIntegrity also suggests that their expectations are based on their surroundings -none of the one-size-fits-all models worked because of this. It is impractical toenvision each user’s different contexts and the dependent expectations when theapplication is designed – which is what is done by using personas. This explainswhy a majority of users were surprised to see certain data accesses during thestudy which lead them to deny a significant portion of it.As an application developer, it is infeasible to assume each different potentialuser’s contextual privacy expectations under different contexts in which the appli-cation will be used. We believe the best an application developer can do is to letthe user decide what to share and when to share it so that users can make theirown privacy decisions and contextual preferences. Users, however, already have a125plethora of decisions to make in the day to day digital world [86, 93, 105]; so wemust find a way to engage the user without habituating or annoying them whilegetting the required privacy consent. Given the number of applications each useris using, the number of privacy decisions they have to make can quickly get out ofcontrol.From the beginning, to their credit, mobile platforms took care of the burdenof seeking user consent, removing that responsibility from the application devel-opers. Platforms, however, were not efficient at asking the correct question at thecorrect time, which has the serious consequences of not giving enough contextto the user for before forcing them to make a privacy decision. These issues ledusers to make sub-optimal privacy decisions risking the protection of their ownsensitive data.Fixing the developer ecosystem to be more privacy-friendly is a very impor-tant, yet, beyond the scope of this work. More work is needed along the linesof helping developers to make better privacy choices while developing applica-tions. We, however, fix the issues of helping users to make better privacy de-cisions so that when applications request data users can make optimal privacydecisions [1, 2].5.2 Arms RaceRegardless of their design and development methodologies, developers were usedto receive all the resource they requested – in earlier Android versions users wereforced to make an all-or-nothing choice (Ask-on-install), so developers couldsafely assume that an installed application is allowed to access all requested re-sources. Android 6.0 introduced Ask-on-first-use, giving users finer grained ac-cess control – users could just only allow the data types they were comfortablewith sharing with the app while denying the rest. Previous work, however, showedthat applications are unlikely to take resource denial gracefully, leaving the pos-sibility of a critical usability chaos [44]. Furthermore, work has shown that ifapplications start to crash, users are likely to adopt a less restrictive, more permis-126sive privacy policy, trading privacy for the desired usability and functionality [6].With the introduction of AOFU, Google has been warning developers to beprepared to have resource requests denied, and to gracefully handle resource de-nials [39]. No work recent work suggests developers are adapting to the newguidelines, or otherwise. Regardless, platforms need to make sure that users arefree from the burden of worrying about usability issues when they make privacydecisions. If not, the objective of a more restrictive, more user-aligned permissionsystem is lost, much like the previous regime of permission systems.People have looked into ways to feed carefully articulated data to prevent leak-ing sensitive information [21, 29, 60, 124] – none of these techniques were testedin a real-world setup. A closely related work tested on real world applicationsbut do not report a quantitative analysis on it’s impact [84]. Our last field studylook into ways to feed obfuscated data in the event of a resource denial so that ap-plications will continue serving their functionality based on allowed data withoutcrashing. Our data suggest such obfuscated data feeding has been largely success-ful – we only observe a median of 2 application crashes per day per participant.compared to over 2000 resource denials observed for each user during the studyperiod. While two crashes per day are not ideal, we believe this is a correct steptowards making sure users are free to make privacy decisions. 99% of the crashescame from a data resource for which we did not have an obfuscation implemented– this shows a) without data obfuscation applications are likely to create a usabil-ity issue, and b) currently implemented data obfuscation techniques are successfulto a sizable extent.This, however, will be a short-lived success. When more users start to adoptthe finer grain permission systems, applications are likely to get more obfuscateddata. Depending on the nature of the applications, data incentives, and for otherreasons that probably require further research to understand, applications maystart to become more aggressive towards detecting obfuscated data. Therefore,it is imperative that the platform takes measures to not let the applications knowabout resource denial. We, however, believe this is going to be an arms race127between platforms trying to protect user data and applications wanting to get thedesired resources.5.3 Purpose MattersFrom the developer perspective, one way to avoid having an essential resourcedenied, as Google, Apple and previous work explain [37, 40, 107], is to providethe users with a reason for the access request. Tan et al. showed that users aremore likely to be permissive if a reason for the request is present [107]. Duringour first field study [117], participants comprehension of the resource’s necessityfor desired functionality of the app played a major role in their decision to allowor deny a resource request; a more recent work corroborates these findings [25].Furthermore, some of our participants of the last study also mentioned the need toknow the actual reason for a permission request before making a privacy decision.Participants could be making decisions based on ill-informed perceptions i.e., theycould be denying a request that could actually be needed for the core functionalityof the application, assuming they are not related or vice versa.Previous research has looked into inferring the purpose of a given requestbased on crowdsourcing [71], static analysis, and dynamic analyis [69, 115]. Inprevious work, authors were relying on the previously collected data sets, labelsand machine learning techniques to figure out the purpose of each request. Liu looked into incorporating the request’s purpose when informing the users aboutsensitive access requests [74]. The reliance of previously accumulated data couldbe a problem since a) applications are likely to update their code regularly, whichcould make historical data obsolete, and b) techniques such as crowdsourcingcould be subjective to the participants. The new permission model presented,however, in this thesis does not take the (inferred or actual) purposed into accountwhen making the decisions.From the point of view of the users, the reason for a request could be a binaryvalue indicating whether the request is related to the core app code or whether it isa third-party library. Third party libraries usually serve nonfunctional needs such128as analytics, ads, monetization. Previous work has already looked into runtimelibrary detection based on stack analysis [31, 115]. It would be an interestingexploration to examine how users react to permission requests when they haveinformation about the actual source of the request – whether it is the actual codeor a library. It will be an interesting and helpful question to examine how thepurpose affects their contextual preferences. We believe such information can bea useful feature to add to our current contextual permission system which couldfurther increase its accuracy.5.4 User driven PrivacyData privacy is a multi-faceted dilemma faced by different fronts in computerscience. There is a long line of work focusing on the data leakage aspect of it,which belongs to more system side computer science [43, 53, 67, 110]. In adifferent vein than the permission system proposed in this thesis – which focuseson both systems and the user aspect of the problem, information flow tracking,taint analysis, provenance analysis focus on low-level information passing thatoccur between a known source (originating point e.g., location) and a sink (wherethe data flow ends e.g., a socket connection).Taint analysis will provide fine-grained information on how exactly applica-tions are using and/or sharing the requested data. Some of these methods incur asignificant of overheard bearing it from practical usage [43]. Another importantdifference would be not having the user in the pipeline before deciding an infor-mation flow is inappropriate or not. This could risk false positives since not alldata flows leaving the phone are privacy violations – privacy violations only occurif a flow defies user expectations. The work presented in the thesis monitors dataflows from system spaces to the app space. The current instrumentation mediatesbefore an information(a sensitive data) flow occur from system to app space.The thesis of this work is based on having the user playing the central role indeciding what flow is appropriate and what is not. Having a data point leaves aphone does not necessarily defy user expectations. We believe it is essential for129users to have the final say about what is appropriate and what is not. Previouswork [41] and our own last study found that leaving users completely out of theloop might not be the best solution. During that last study, we found participantssaying that they felt inferior to the phone given how applications use data andnot all participants were comfortable with letting the platform make decisions forthem. One way to elevate user confidence is by involving the users in the process(but at the same time not to habituate them).The question of who is well equipped to make the decision is an interest-ing avenue to work on. While the platform has every bit of information, poten-tially, needed to make the decision, the platform doesn’t have the user perspective.While the user owns the data, so far users were not able to make optimal privacydecisions to protect their data. One of the contributions of the new permission sys-tem is to empower users to make informed decisions so that they can better protecttheir own sensitive data. We believe this is an important distinction between themore systems-level taint-tracking system and our new permission system. Mov-ing forward, the correct direction would be to investigate how to merge these twodifferent approaches to better serve users.5.5 ContextualizationOne of the core hypothesis of this work is users make contextual decisions whichwas first put forward by the notion of Contextual Integrity [82]. Over the courseof the project, we found that visibility of the requesting application and the fore-ground application at the time of the request play a critical role in user decisions– we believe these are two contextual factors used by users to make contextualpreferences. Not only these two factors are affecting their decisions, as we showpreviously in the thesis (Chapter 3), users are more likely to be consistent withthese different factors as demonstrated by the high predictive power of these twofactors in the new predictive model.While we identify factors that are likely to be contextual cues used by users tomake privacy decisions, we do not infer the context – automatically inferring the130current context could be an intractable problem. For the purpose of the mentionedproblem statement, what is more important is the identification of tangible factorsand impact of those factors towards users decision. Such knowledge will helpthe platform to detect when the context changes so that platform can change theirdecisions accordingly.In chapter 3, based on the conceptual framework proposed by Barth et al. [20],we explain why visibility and foreground are critical contextual factors. We positthat the visibility of the requesting application could be helping the user to graspthe role played by the requesting application (requesting actor). With the recentadvancement in the discovery of data sharing practices [91, 92, 102], it is plausiblethat the actual data recipient might not be the application requesting the data.If the data flow ends up in a third party server, then the user has an incorrectunderstanding of the data recipient.One approach to extending the current permission systems would be to in-form the user about potential third parties other than the requesting applicationthat might receive the data so that the user is better informed about the actual datarecipient. A recent work shows that users are likely to vary their decision if theyknow who is the actual data recipient is [113]. While previous work has incor-porated potential purpose of a request using offline data [74], no one has yet toincorporate the actual third parties that might receive the data from a request. Webelieve by incorporating such information, the new permission system can achieveeven higher accuracy giving finer-grained information to the user’s decision.We believe, that more work is needed to understand how the context impactuser decisions. There could be more contextual factors than just the visibility andthe foreground application. These new factors could help to further improve theefficiency of the proposed permission system.5.6 ConclusionWe show that by accounting for the surrounding context, mobile platforms canincrease the privacy protection by better aligning the platform protection with131how users expect to control sensitive data if they had an option. Rather thanenforcing a blanket allowance or denial – which risks both privacy violations andunwarranted functionality loss – the platform should devise ways to dynamicallytake decisions based on the surrounding context. Dynamically controlling theaccess entails learning user privacy preferences under different circumstances; weshow that use of machine learning not only helps to understand how users wantto react under different contextual circumstances, but it also, helps to reduce theuser involvement significantly.132Bibliography[1] A. Acquisti. Nudging Privacy: The Behavioral Economics of PersonalInformation. IEEE Security and Privacy, 7(6):82–85, 2009. → pages[2] A. Acquisti and J. Grossklags. Privacy and rationality in individualdecision making. IEEE Security & Privacy, 3(1):26–33,January–February 2005. → pages[3] A. Acquisti, L. Brandimarte, and G. Loewenstein. Privacy and humanbehavior in the age of information. Science, 347(6221):509–514, 2015. →pages[4] Y. Agarwal and M. Hall. Protectmyprivacy: Detecting and mitigatingprivacy leaks on ios devices using crowdsourcing. In Proceeding of the11th Annual International Conference on Mobile Systems, Applications,and Services, MobiSys ’13, pages 97–110, New York, NY, USA, 2013.ACM. ISBN 978-1-4503-1672-9. doi:10.1145/2462456.2464460. URL → pages[5] H. M. Almohri, D. D. Yao, and D. Kafura. Droidbarrier: Know what isexecuting on your android. In Proc. of the 4th ACM Conf. on Data andApplication Security and Privacy, CODASPY ’14, pages 257–264, NewYork, NY, USA, 2014. ACM. ISBN 978-1-4503-2278-2.doi:10.1145/2557547.2557571. URL → pages[6] H. Almuhimedi, F. Schaub, N. Sadeh, I. Adjerid, A. Acquisti, J. Gluck,L. F. Cranor, and Y. Agarwal. Your location has been shared 5,398 times!:A field study on mobile app privacy nudging. In Proc. of the 33rd Annual133ACM Conference on Human Factors in Computing Systems, pages787–796. ACM, 2015. → pages[7] P. Andriotis, M. A. Sasse, and G. Stringhini. Permissions snapshots:Assessing users’ adaptation to the android runtime permission model. In2016 IEEE International Workshop on Information Forensics and Security(WIFS), pages 1–6, Dec 2016. doi:10.1109/WIFS.2016.7823922. →pages[8] P. Andriotis, S. Li, T. Spyridopoulos, and G. Stringhini. A ComparativeStudy of Android Users’ Privacy Preferences Under the RuntimePermission Model, pages 604–622. Springer International Publishing,Cham, 2017. doi:10.1007/978-3-319-58460-7_42. → pages[9] Android Developers. Content Providers.,2014. Accessed: Nov. 12, 2014. → pages[10] Android Developers. Common Intents.,2014. Accessed: November 12, 2014. → pages[11] K. W. Y. Au, Y. F. Zhou, Z. Huang, and D. Lie. Pscout: Analyzing theandroid permission specification. In Proc. of the 2012 ACM Conf. onComputer and Communications Security, CCS ’12, pages 217–228, NewYork, NY, USA, 2012. ACM. ISBN 978-1-4503-1651-4.doi:10.1145/2382196.2382222. URL → pages[12] C. Auerbach and L. B. Silverstein. Qualitative data: An introduction tocoding and analysis. NYU press, 2003. → pages[13] R. Balebako and L. Cranor. Improving app privacy: Nudging appdevelopers to protect user privacy. IEEE Security & Privacy, 12(4):55–58,2014. → pages[14] R. Balebako, J. Jung, W. Lu, L. F. Cranor, and C. Nguyen. "little brotherswatching you": Raising awareness of data leaks on smartphones. InProceedings of the Ninth Symposium on Usable Privacy and Security,SOUPS ’13, pages 12:1–12:11, New York, NY, USA, 2013. ACM. ISBN134978-1-4503-2319-2. doi:10.1145/2501604.2501616. URL → pages[15] R. Balebako, A. Marsh, J. Lin, J. I. Hong, and L. F. Cranor. The privacyand security behaviors of smartphone app developers. 2014. → pages[16] R. Balebako, F. Schaub, I. Adjerid, A. Acquisti, and L. Cranor. Theimpact of timing on the salience of smartphone app privacy notices. InProceedings of the 5th Annual ACM CCS Workshop on Security andPrivacy in Smartphones and Mobile Devices, pages 63–74. ACM, 2015.→ pages[17] M. Barreno, B. Nelson, R. Sears, A. D. Joseph, and J. D. Tygar. Canmachine learning be secure? In Proceedings of the 2006 ACM Symposiumon Information, computer and communications security, pages 16–25.ACM, 2006. → pages[18] D. Barrera, H. G. u. c. Kayacik, P. C. van Oorschot, and A. Somayaji. Amethodology for empirical analysis of permission-based security modelsand its application to android. In Proc. of the ACM Conf. on Comp. andComm. Security, CCS ’10, pages 73–84, New York, NY, USA, 2010.ACM. ISBN 978-1-4503-0245-6.doi: URL → pages[19] D. Barrera, J. Clark, D. McCarney, and P. C. van Oorschot. Understandingand improving app installation security mechanisms through empiricalanalysis of android. In Proceedings of the Second ACM Workshop onSecurity and Privacy in Smartphones and Mobile Devices, SPSM ’12,pages 81–92, New York, NY, USA, 2012. ACM. ISBN978-1-4503-1666-8. doi:10.1145/2381934.2381949. URL → pages[20] A. Barth, A. Datta, J. C. Mitchell, and H. Nissenbaum. Privacy andcontextual integrity: Framework and applications. In Proc. of the 2006IEEE Symposium on Security and Privacy, SP ’06, Washington, DC,USA, 2006. IEEE Computer Society. ISBN 0-7695-2574-1.doi:10.1109/SP.2006.32. URL →pages135[21] A. R. Beresford, A. Rice, N. Skehin, and R. Sohan. Mockdroid: Tradingprivacy for application functionality on smartphones. In Proceedings ofthe 12th Workshop on Mobile Computing Systems and Applications,HotMobile ’11, pages 49–54, New York, NY, USA, 2011. ACM. ISBN978-1-4503-0649-2. doi:10.1145/2184489.2184500. URL → pages[22] I. Bilogrevic, K. Huguenin, B. Agir, M. Jadliwala, and J.-P. Hubaux.Adaptive information-sharing for privacy-aware mobile social networks.In Proceedings of the 2013 ACM International Joint Conference onPervasive and Ubiquitous Computing, UbiComp ’13, pages 657–666,New York, NY, USA, 2013. ACM. ISBN 978-1-4503-1770-2.doi:10.1145/2493432.2493510. URL → pages[23] E. Bodden. Easily instrumenting android applications for securitypurposes. In Proc. of the ACM Conf. on Comp. and Comm. Sec., CCS ’13,pages 1499–1502, NY, NY, USA, 2013. ACM. ISBN 978-1-4503-2477-9.doi:10.1145/2508859.2516759. URL → pages[24] R. Böhme and J. Grossklags. The security cost of cheap user interaction.In Proceedings of the 2011 New Security Paradigms Workshop, pages67–82. ACM, 2011. → pages[25] B. Bonné, S. T. Peddinti, I. Bilogrevic, and N. Taft. Exploring decisionmaking with android’s runtime permission dialogs using in-contextsurveys. In Thirteenth Symposium on Usable Privacy and Security(SOUPS 2017), pages 195–210, Santa Clara, CA, 2017. USENIXAssociation. ISBN 978-1-931971-39-3. URL → pages[26] T. D. Breaux and A. Rao. Formal analysis of privacy requirementsspecifications for multi-tier applications. In 2013 21st IEEE InternationalRequirements Engineering Conference (RE), pages 14–23, July 2013.doi:10.1109/RE.2013.6636701. → pages[27] T. Buchanan, C. Paine, A. N. Joinson, and U.-D. Reips. Development ofmeasures of online privacy concern and protection for use on the internet.136Journal of the American Society for Information Science and Technology,58(2):157–165, 2007. → pages[28] S. Bugiel, S. Heuser, and A.-R. Sadeghi. Flexible and fine-grainedmandatory access control on android for diverse security and privacypolicies. In Proc. of the 22nd USENIX Security Symposium, SEC’13,pages 131–146, Berkeley, CA, USA, 2013. USENIX Association. ISBN978-1-931971-03-4. URL → pages[29] S. Chakraborty, C. Shen, K. R. Raghavan, Y. Shoukry, M. Millar, andM. B. Srivastava. ipshield: A framework for enforcing context-awareprivacy. In NSDI, pages 143–156, 2014. → pages[30] C.-C. Chang and C.-J. Lin. Libsvm – a library for support vectormachines. Accessed: September11, 2017. → pages[31] S. Chitkara, N. Gothoskar, S. Harish, J. I. Hong, and Y. Agarwal. Doesthis app really need my location?: Context-aware privacy management forsmartphones. Proceedings of the ACM on Interactive, Mobile, Wearableand Ubiquitous Technologies, 1(3):42, 2017. → pages[32] E. K. Choe, J. Jung, B. Lee, and K. Fisher. Nudging people away fromprivacy-invasive mobile apps through visual framing. In Human-ComputerInteraction–INTERACT 2013, pages 74–91. Springer, 2013. → pages[33] M. Conti, V. T. N. Nguyen, and B. Crispo. Crepe: Context-related policyenforcement for android. In ISC, volume 10, pages 331–345. Springer,2010. → pages[34] A. Cooper et al. The inmates are running the asylum:[Why high-techproducts drive us crazy and how to restore the sanity]. Sams Indianapolis,IN, USA:, 2004. → pages[35] A. Datta, J. Blocki, N. Christin, H. DeYoung, D. Garg, L. Jia, D. Kaynar,and A. Sinha. Understanding and Protecting Privacy: Formal Semanticsand Principled Audit Mechanisms, pages 1–27. Springer BerlinHeidelberg, Berlin, Heidelberg, 2011. doi:10.1007/978-3-642-25560-1_1.URL → pages137[36] A. Developer. Requesting permissions., .Accessed: March 18, 2017. → pages[37] A. Developer. App programming guide for ios., . Accessed: September 25, 2017. → pages[38] G. Developer. Distribution of android versions., . Accessed:March 15, 2017. → pages[39] G. Developer. Permissions usage notes., .Accessed: September 24, 2017. → pages[40] G. Developer. Requesting permissions at run time., .Accessed: September 16, 2017. → pages[41] W. K. Edwards, E. S. Poole, and J. Stoll. Security automation consideredharmful? In Proceedings of the 2007 Workshop on New SecurityParadigms, pages 33–42. ACM, 2008. → pages[42] S. Egelman, A. P. Felt, and D. Wagner. Choice architecture andsmartphone privacy: There’s a price for that. In The 2012 Workshop on theEconomics of Information Security (WEIS), 2012. → pages[43] W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, andA. N. Sheth. Taintdroid: an information-flow tracking system for realtimeprivacy monitoring on smartphones. In Proceedings of the 9th USENIXConference on Operating Systems Design and Implementation, OSDI’10,pages 1–6, Berkeley, CA, USA, 2010. USENIX Association. URL → pages[44] Z. Fang, W. Han, D. Li, Z. Guo, D. Guo, X. S. Wang, Z. Qian, andH. Chen. revdroid: Code analysis of the side effects after dynamicpermission revocation of android apps. In Proceedings of the 11th ACM138Asia Conference on Computer and Communications Security (ASIACCS2016), Xi’an, China, 2016. ACM. → pages[45] A. P. Felt, E. Chin, S. Hanna, D. Song, and D. Wagner. Androidpermissions demystified. In Proc. of the ACM Conf. on Comp. and Comm.Sec., CCS ’11, pages 627–638, New York, NY, USA, 2011. ACM. ISBN978-1-4503-0948-6. doi: → pages[46] A. P. Felt, M. Finifter, E. Chin, S. Hanna, and D. Wagner. A survey ofmobile malware in the wild. In Proceedings of the 1st ACM workshop onSecurity and privacy in smartphones and mobile devices, pages 3–14.ACM, 2011. → pages[47] A. P. Felt, S. Egelman, M. Finifter, D. Akhawe, and D. Wagner. How toask for permission. In Proc. of the 7th USENIX conference on Hot Topicsin Security, Berkeley, CA, USA, 2012. USENIX Association. URL → pages[48] A. P. Felt, S. Egelman, and D. Wagner. I’ve got 99 problems, but vibrationain’t one: a survey of smartphone users’ concerns. In Proc. of the 2ndACM workshop on Security and Privacy in Smartphones and Mobiledevices, SPSM ’12, pages 33–44, New York, NY, USA, 2012. ACM.ISBN 978-1-4503-1666-8. doi:10.1145/2381934.2381943. URL → pages[49] A. P. Felt, E. Ha, S. Egelman, A. Haney, E. Chin, and D. Wagner. Androidpermissions: user attention, comprehension, and behavior. In Proc. of theEighth Symposium on Usable Privacy and Security, SOUPS ’12, NewYork, NY, USA, 2012. ACM. ISBN 978-1-4503-1532-6.doi:10.1145/2335356.2335360. URL → pages[50] FTC. Android flashlight app developer settles ftc charges it deceivedconsumers. August 17, 2017. → pages[51] H. Fu and J. Lindqvist. General area or approximate location?: Howpeople understand location permissions. In Proceedings of the 13th139Workshop on Privacy in the Electronic Society, pages 117–120. ACM,2014. → pages[52] H. Fu, Y. Yang, N. Shingte, J. Lindqvist, and M. Gruteser. A field study ofrun-time location access disclosures on android smartphones. Proc.USEC, 14, 2014. → pages[53] C. Gibler, J. Crussell, J. Erickson, and H. Chen. Androidleaks:Automatically detecting potential privacy leaks in android applications ona large scale. In Proc. of the 5th Intl. Conf. on Trust and TrustworthyComputing, TRUST’12, pages 291–307, Berlin, Heidelberg, 2012.Springer-Verlag. ISBN 978-3-642-30920-5.doi:10.1007/978-3-642-30921-2_17. URL → pages[54] Google. Dangerous permissions. Accessed:August 17, 2017. → pages[55] A. Gorla, I. Tavecchia, F. Gross, and A. Zeller. Checking app behavioragainst app descriptions. In Proceedings of the 36th InternationalConference on Software Engineering, ICSE 2014, pages 1025–1035, NewYork, NY, USA, 2014. ACM. ISBN 978-1-4503-2756-5.doi:10.1145/2568225.2568276. URL → pages[56] M. Harbach, M. Hettig, S. Weber, and M. Smith. Using personal examplesto improve risk communication for security & privacy decisions. In Proc.of the 32nd Annual ACM Conf. on Human Factors in Computing Systems,CHI ’14, pages 2647–2656, New York, NY, USA, 2014. ACM. ISBN978-1-4503-2473-1. doi:10.1145/2556288.2556978. URL → pages[57] M. Harbach, E. von Zezschwitz, A. Fichtner, A. De Luca, and M. Smith.It’sa hard lock life: A field study of smartphone (un) locking behavior andrisk perception. In Symposium on Usable Privacy and Security (SOUPS),2014. → pages[58] T. Hastie, R. Tibshirani, J. Friedman, and J. Franklin. The elements ofstatistical learning: data mining, inference and prediction. TheMathematical Intelligencer, 27(2):83–85, 2005. → pages140[59] S. E. Hormuth. The sampling of experiences in situ. Journal ofpersonality, 54(1):262–293, 1986. → pages[60] P. Hornyack, S. Han, J. Jung, S. Schechter, and D. Wetherall. These aren’tthe droids you’re looking for: retrofitting android to protect data fromimperious applications. In Proc. of the ACM Conf. on Comp. and Comm.Sec., CCS ’11, pages 639–652, New York, NY, USA, 2011. ACM. ISBN978-1-4503-0948-6. doi: → pages[61] L. Huang, A. D. Joseph, B. Nelson, B. I. Rubinstein, and J. Tygar.Adversarial machine learning. In Proceedings of the 4th ACM workshopon Security and artificial intelligence, pages 43–58. ACM, 2011. → pages[62] L. Jedrzejczyk, B. A. Price, A. K. Bandara, and B. Nuseibeh. On theimpact of real-time feedback on users’ behaviour in mobilelocation-sharing applications. In Proceedings of the Sixth Symposium onUsable Privacy and Security, page 14. ACM, 2010. → pages[63] L. K. John, A. Acquisti, and G. Loewenstein. Strangers on a plane:Context-dependent willingness to divulge sensitive information. Journalof consumer research, 37(5):858–873, 2010. → pages[64] J. Jung, S. Han, and D. Wetherall. Short paper: Enhancing mobileapplication permissions with runtime feedback and constraints. InProceedings of the Second ACM Workshop on Security and Privacy inSmartphones and Mobile Devices, SPSM ’12, pages 45–50, New York,NY, USA, 2012. ACM. ISBN 978-1-4503-1666-8.doi:10.1145/2381934.2381944. URL → pages[65] P. G. Kelley, S. Consolvo, L. F. Cranor, J. Jung, N. Sadeh, andD. Wetherall. A conundrum of permissions: Installing applications on anandroid smartphone. In Proc. of the 16th Intl. Conf. on FinancialCryptography and Data Sec., FC’12, pages 68–79, Berlin, Heidelberg,2012. Springer-Verlag. ISBN 978-3-642-34637-8.doi:10.1007/978-3-642-34638-5_6. URL → pages141[66] P. G. Kelley, L. F. Cranor, and N. Sadeh. Privacy as part of the appdecision-making process. In Proceedings of the SIGCHI Conference onHuman Factors in Computing Systems, CHI ’13, pages 3393–3402, NewYork, NY, USA, 2013. ACM. ISBN 978-1-4503-1899-0.doi:10.1145/2470654.2466466. URL → pages[67] W. Klieber, L. Flynn, A. Bhosale, L. Jia, and L. Bauer. Android taint flowanalysis for app sets. In Proceedings of the 3rd ACM SIGPLANInternational Workshop on the State of the Art in Java Program Analysis,SOAP ’14, New York, NY, USA, 2014. ISBN 978-1-4503-2919-4.doi:10.1145/2614628.2614633. URL → pages[68] R. Larson and M. Csikszentmihalyi. New directions for naturalisticmethods in the behavioral sciences. In H. Reis, editor, The ExperienceSampling Method, pages 41–56. Jossey-Bass, San Francisco, 1983. →pages[69] Y. Li, Y. Guo, and X. Chen. Peruim: Understanding mobile applicationprivacy with permission-ui mapping. In Proceedings of the 2016 ACMInternational Joint Conference on Pervasive and Ubiquitous Computing,pages 682–693. ACM, 2016. → pages[70] H.-T. Lin, C.-J. Lin, and R. C. Weng. A note on platt’s probabilisticoutputs for support vector machines. Machine learning, 68(3):267–276,2007. → pages[71] J. Lin, N. Sadeh, S. Amini, J. Lindqvist, J. I. Hong, and J. Zhang.Expectation and purpose: understanding users’ mental models of mobileapp privacy through crowdsourcing. In Proc. of the 2012 ACM Conf. onUbiquitous Computing, UbiComp ’12, pages 501–510, New York, NY,USA, 2012. ACM. ISBN 978-1-4503-1224-0.doi:10.1145/2370216.2370290. URL → pages[72] J. Lin, B. Liu, N. Sadeh, and J. I. Hong. Modeling users’ mobile appprivacy preferences: Restoring usability in a sea of permission settings. InSymposium On Usable Privacy and Security (SOUPS 2014), pages142199–212, Menlo Park, CA, 2014. USENIX Association. ISBN978-1-931971-13-3. → pages[73] B. Liu, J. Lin, and N. Sadeh. Reconciling mobile app privacy and usabilityon smartphones: Could user privacy profiles help? In Proceedings of the23rd International Conference on World Wide Web, WWW ’14, pages201–212, New York, NY, USA, 2014. ACM. ISBN 978-1-4503-2744-2.doi:10.1145/2566486.2568035. URL → pages[74] B. Liu, M. S. Andersen, F. Schaub, H. Almuhimedi, S. A. Zhang,N. Sadeh, Y. Agarwal, and A. Acquisti. Follow my recommendations: Apersonalized assistant for mobile app permissions. In Twelfth Symposiumon Usable Privacy and Security (SOUPS 2016), 2016. → pages[75] G. Louppe, L. Wehenkel, A. Sutera, and P. Geurts. Understanding variableimportances in forests of randomized trees. In C. J. C. Burges, L. Bottou,M. Welling, Z. Ghahramani, and K. Q. Weinberger, editors, Advances inNeural Information Processing Systems 26. Curran Associates, Inc., 2013.URL → pages[76] D. Lowd and C. Meek. Adversarial learning. In Proceedings of theeleventh ACM SIGKDD international conference on Knowledge discoveryin data mining, pages 641–647. ACM, 2005. → pages[77] N. K. Malhotra, S. S. Kim, and J. Agarwal. Internet Users’ InformationPrivacy Concerns (IUIPC): The Construct, The Scale, and A CausalModel. Information Systems Research, 15(4):336–355, December 2004.→ pages[78] K. Micinski, D. Votipka, R. Stevens, N. Kofinas, J. S. Foster, and M. L.Mazurek. User interactions and permission use on android. In CHI 2017,2017. → pages[79] S. Mirzamohammadi and A. Amiri Sani. Viola: Trustworthy sensornotifications for enhanced privacy on mobile systems. In Proceedings ofthe 14th Annual International Conference on Mobile Systems,Applications, and Services, pages 263–276. ACM, 2016. → pages143[80] A. Nandugudi, A. Maiti, T. Ki, F. Bulut, M. Demirbas, T. Kosar, C. Qiao,S. Y. Ko, and G. Challen. Phonelab: A large programmable smartphonetestbed. In Proceedings of First International Workshop on Sensing andBig Data Mining, pages 1–6. ACM, 2013. → pages[81] M. Nauman, S. Khan, and X. Zhang. Apex: extending android permissionmodel and enforcement with user-defined runtime constraints. InProceedings of the 5th ACM Symposium on Information, Computer andCommunications Security, ASIACCS ’10, pages 328–332, New York, NY,USA, 2010. ACM. ISBN 978-1-60558-936-7.doi: URL → pages[82] H. Nissenbaum. Privacy as contextual integrity. Washington Law Review,79:119, February 2004. → pages[83] H. Nissenbaum. Privacy in context: Technology, policy, and the integrityof social life. Stanford University Press, 2009. → pages[84] K. Olejnik, I. I. Dacosta Petrocelli, J. C. Soares Machado, K. Huguenin,M. E. Khan, and J.-P. Hubaux. Smarper: Context-aware and automaticruntime-permissions for mobile devices. In Proceedings of the 38th IEEESymposium on Security and Privacy (SP). IEEE, 2017. → pages[85] R. Pandita, X. Xiao, W. Yang, W. Enck, and T. Xie. WHYPER: TowardsAutomating Risk Assessment of Mobile Applications. In Proc. of the22nd USENIX Sec. Symp., SEC’13, pages 527–542, Berkeley, CA, USA,2013. USENIX Association. ISBN 978-1-931971-03-4. URL → pages[86] S. Parkin, K. Krol, I. Becker, and M. A. Sasse. Applying cognitive controlmodes to identify security fatigue hotspots. In Twelfth Symposium onUsable Privacy and Security (SOUPS 2016). USENIX Association, 2016.→ pages[87] Path. We are sorry. September 25, 2017. → pages[88] Path. We are sorry.,February 8 2012. Accessed: February 26, 2016. → pages144[89] G. Petracca, A.-A. Reineh, Y. Sun, J. Grossklags, and T. Jaeger. Aware:Preventing abuse of privacy-sensitive sensors via operation bindings. In26th USENIX Security Symposium 17), pages 379–396. USENIXAssociation, 2017. → pages[90] J. Pruitt and J. Grudin. Personas: Practice and theory. In Proceedings ofthe 2003 Conference on Designing for User Experiences, DUX ’03, pages1–15, New York, NY, USA, 2003. ACM. ISBN 1-58113-728-1.doi:10.1145/997078.997089. URL → pages[91] A. Razaghpanah, N. Vallina-Rodriguez, S. Sundaresan, C. Kreibich,P. Gill, M. Allman, and V. Paxson. Haystack: In situ mobile trafficanalysis in user space. arXiv preprint, 2015. → pages[92] J. Ren, A. Rao, M. Lindorfer, A. Legout, and D. Choffnes. Recon:Revealing and controlling pii leaks in mobile network traffic. InProceedings of the 14th Annual International Conference on MobileSystems, Applications, and Services, pages 361–374. ACM, 2016. →pages[93] K. Renaud. Blaming noncompliance is too convenient: What really causesinformation breaches? IEEE Security & Privacy, 10(3):57–63, 2012. →pages[94] T. Ringer, D. Grossman, and F. Roesner. Audacious: User-driven accesscontrol with unmodified operating systems. In Proceedings of the 2016ACM SIGSAC Conference on Computer and Communications Security,pages 204–216. ACM, 2016. → pages[95] F. Roesner and T. Kohno. Securing embedded user interfaces: Androidand beyond. In Presented as part of the 22nd USENIX SecuritySymposium (USENIX Security 13), pages 97–112, 2013. → pages[96] F. Roesner, T. Kohno, A. Moshchuk, B. Parno, H. J. Wang, and C. Cowan.User-driven access control: Rethinking permission granting in modernoperating systems. In 2012 IEEE Symposium on Security and Privacy,pages 224–238. IEEE, 2012. → pages145[97] J. L. B. L. N. Sadeh and J. I. Hong. Modeling users’ mobile app privacypreferences: Restoring usability in a sea of permission settings. InSymposium on Usable Privacy and Security (SOUPS), 2014. → pages[98] N. Sadeh, J. Hong, L. Cranor, I. Fette, P. Kelley, M. Prabaker, and J. Rao.Understanding and capturing people’s privacy policies in a mobile socialnetworking application. Personal and Ubiquitous Computing, 13(6):401–412, 2009. → pages[99] B. P. Sarma, N. Li, C. Gates, R. Potharaju, C. Nita-Rotaru, and I. Molloy.Android permissions: A perspective combining risks and benefits. InProceedings of the 17th ACM Symposium on Access Control Models andTechnologies, SACMAT ’12, pages 13–22, New York, NY, USA, 2012.ACM. ISBN 978-1-4503-1295-0. doi:10.1145/2295136.2295141. URL → pages[100] B. Shebaro, O. Oluwatimi, D. Midi, and E. Bertino. Identidroid: Androidcan finally wear its anonymous suit. Trans. Data Privacy, 7(1):27–50,Apr. 2014. ISSN 1888-5063. URL → pages[101] I. Shklovski, S. D. Mainwaring, H. H. Skúladóttir, and H. Borgthorsson.Leakiness and creepiness in app space: Perceptions of privacy and mobileapp use. In Proc. of the 32nd Ann. ACM Conf. on Human Factors inComputing Systems, CHI ’14, pages 2347–2356, New York, NY, USA,2014. ACM. ISBN 978-1-4503-2473-1. doi:10.1145/2556288.2557421.URL → pages[102] Y. Song and U. Hengartner. Privacyguard: A vpn-based platform to detectinformation leakage on android devices. In Proceedings of the 5th AnnualACM CCS Workshop on Security and Privacy in Smartphones and MobileDevices, pages 15–26. ACM, 2015. → pages[103] S. Spiekermann, J. Grossklags, and B. Berendt. E-privacy in 2ndgeneration e-commerce: privacy preferences versus actual behavior. InProceedings of the 3rd ACM conference on Electronic Commerce, pages38–47. ACM, 2001. → pages[104] M. Spreitzenbarth, F. Freiling, F. Echtler, T. Schreck, and J. Hoffmann.Mobile-sandbox: Having a deeper look into android applications. In146Proceedings of the 28th Annual ACM Symposium on Applied Computing,SAC ’13, New York, NY, USA, 2013. ACM. ISBN 978-1-4503-1656-9.doi:10.1145/2480362.2480701. URL → pages[105] B. Stanton, M. F. Theofanos, S. S. Prettyman, and S. Furman. Securityfatigue. IT Professional, 18(5):26–32, 2016. → pages[106] R. Stevens, J. Ganz, V. Filkov, P. Devanbu, and H. Chen. Asking for (andabout) permissions used by android apps. In Proc. of the 10th WorkingConf. on Mining Software Repositories, MSR ’13, pages 31–40,Piscataway, NJ, USA, 2013. IEEE Press. ISBN 978-1-4673-2936-1. URL → pages[107] J. Tan, K. Nguyen, M. Theodorides, H. Negron-Arroyo, C. Thompson,S. Egelman, and D. Wagner. The effect of developer-specifiedexplanations for permission requests on smartphone user behavior. InProc. of the SIGCHI Conf. on Human Factors in Computing Systems,2014. → pages[108] C. Thompson, M. Johnson, S. Egelman, D. Wagner, and J. King. Whenit’s better to ask forgiveness than get permission: Designing usable auditmechanisms for mobile permissions. In Proc. of the 2013 Symposium onUsable Privacy and Security (SOUPS), 2013. → pages[109] S. Thurm and Y. I. Kane. Your apps are watching you. The Wall StreetJournal. Accessed: January 21, 2016. → pages[110] O. Tripp and J. Rubin. A bayesian approach to privacy enforcement insmartphones. In 23rd USENIX Security Symposium (USENIX Security14), pages 175–190, San Diego, CA, 2014. USENIX Association. ISBN978-1-931971-15-7. URL → pages[111] L. Tsai, P. Wijesekera, J. Reardon, I. Reyes, S. Egelman, D. Wagner,N. Good, and J.-W. Chen. Turtle guard: Helping android users applycontextual privacy preferences. In Thirteenth Symposium on UsablePrivacy and Security (SOUPS 2017), pages 145–162, Santa Clara, CA,2017. USENIX Association. ISBN 978-1-931971-39-3. → pages147[112] J. Tygar. Adversarial machine learning. IEEE Internet Computing, 15(5):4–6, 2011. → pages[113] M. Van Kleek, I. Liccardi, R. Binns, J. Zhao, D. J. Weitzner, andN. Shadbolt. Better the devil you know: Exposing the data sharingpractices of smartphone apps. In Proceedings of the 2017 CHI Conferenceon Human Factors in Computing Systems, pages 5208–5220. ACM, 2017.→ pages[114] J. S. Vitter. Random sampling with a reservoir. ACM Trans. Math. Softw.,11(1):37–57, Mar. 1985. ISSN 0098-3500. doi:10.1145/3147.3165. URL → pages[115] H. Wang, Y. Li, Y. Guo, Y. Agarwal, and J. I. Hong. Understanding thepurpose of permission use in mobile apps. ACM Transactions onInformation Systems (TOIS), 35(4):43, 2017. → pages[116] X. Wei, L. Gomez, I. Neamtiu, and M. Faloutsos. Permission evolution inthe android ecosystem. In Proceedings of the 28th Annual ComputerSecurity Applications Conference, ACSAC ’12, pages 31–40, New York,NY, USA, 2012. ACM. ISBN 978-1-4503-1312-4.doi:10.1145/2420950.2420956. URL → pages[117] P. Wijesekera, A. Baokar, A. Hosseini, S. Egelman, D. Wagner, andK. Beznosov. Android permissions remystified: A field study oncontextual integrity. In 24th USENIX Security Symposium (USENIXSecurity 15), pages 499–514, Washington, D.C., Aug. 2015. USENIXAssociation. ISBN 978-1-931971-232. → pages[118] P. Wijesekera, A. Baokar, L. Tsai, J. Reardon, S. Egelman, D. Wagner, andK. Beznosov. The feasibility of dynamically granted permissions:Aligning mobile privacy with user preferences. In 2017 IEEE Symposiumon Security and Privacy (SP), pages 1077–1093, May 2017.doi:10.1109/SP.2017.51. → pages[119] A. Woodruff, V. Pihur, S. Consolvo, L. Brandimarte, and A. Acquisti.Would a privacy fundamentalist sell their dna for $1000...if nothing badhappened as a result? the westin categories, behavioral intentions, andconsequences. In Proceedings of the 2014 Symposium on Usable Privacy148and Security, pages 1–18. USENIX Association, 2014. ISBN978-1-931971-13-3. URL → pages[120] H. Wu, B. P. Knijnenburg, and A. Kobsa. Improving the prediction ofusers’ disclosure behavior by making them disclose more predictably? InSymposium on Usable Privacy and Security (SOUPS), 2014. → pages[121] R. Xu, H. Saïdi, and R. Anderson. Aurasium: Practical policyenforcement for android applications. In Proc. of the 21st USENIX Sec.Symp., Security’12, pages 27–27, Berkeley, CA, USA, 2012. USENIXAssociation. URL →pages[122] K.-P. Yee. Guidelines and strategies for secure interaction design. Securityand Usability: Designing Secure Systems That People Can Use, 247,2005. → pages[123] Y. Zhang, M. Yang, B. Xu, Z. Yang, G. Gu, P. Ning, X. S. Wang, andB. Zang. Vetting undesirable behaviors in android apps with permissionuse analysis. In Proc. of the ACM Conf. on Comp. and Comm. Sec., CCS’13, pages 611–622, New York, NY, USA, 2013. ACM. ISBN978-1-4503-2477-9. doi:10.1145/2508859.2516689. URL → pages[124] Y. Zhou, X. Zhang, X. Jiang, and V. W. Freeh. Taminginformation-stealing smartphone applications (on android). In Trust andTrustworthy Computing, pages 93–107. Springer, 2011. → pages[125] H. Zhu, H. Xiong, Y. Ge, and E. Chen. Mobile app recommendations withsecurity and privacy awareness. In Proc. of the 20th ACM SIGKDDInternational Conference on Knowledge Discovery and Data Mining, NewYork, NY, USA, 2014. ACM. ISBN 978-1-4503-2956-9.doi:10.1145/2623330.2623705. URL → pages149Appendix AResource UsageThis section presents observations made during the first field study. Specifi-cally related to applications accessing resources under varying contextual circum-stances.A.1 Invisible requestsFollowing list shows the set of applications that have requested the most num-ber of permissions while executing invisibly to the user and the most requestedpermission types by each respective application.• Facebook App— ACCESS NETWORK STATE, ACCESS FINE LOCA-TION, ACCESS WIFI STATE ,WAKE LOCK,• Google Location—WAKE LOCK, ACCESS FINE LOCATION, GET AC-COUNTS, ACCESS COARSE LOCATION,• Facebook Messenger—ACCESS NETWORK STATE, ACCESS WIFI STATE,WAKE LOCK, READ PHONE STATE,• Taptu DJ—ACCESS NETWORK STATE, INTERNET, NFC• Google Maps—ACCESS NETWORK STATE, GET ACCOUNTS, WAKELOCK, ACCESS FINE LOCATION,150• Google (Gapps)—WAKE LOCK, ACCESS FINE LOCATION, AUTHEN-TICATE ACCOUNTS, ACCESS NETWORK STATE,• Fouraquare—ACCESS WIFI STATE, WAKE LOCK, ACCESS FINE LO-CATION, INTERNET,• Yahoo Weather—ACCESS FINE LOCATION, ACCESS NETWORK STATE,INTERNET, ACCESS WIFI STATE,• Devexpert Weather—ACCESS NETWORK STATE, INTERNET, ACCESSFINE LOCATION,• Tile Game(Umoni)—ACCESS NETWORK STATE, WAKE LOCK, INTER-NET, ACCESS WIFI STATE,Following is the most frequently requested permission type by applicationswhile running invisibly to the user and the applications who requested the respec-tive permission type most.• ACCESS_NETWORK_STATE— Facebook App, Google Maps, FacebookMessenger, Google (Gapps), Taptu - DJ• WAKE_LOCK—Google (Location), Google (Gapps), Google (GMS), Face-book App, GTalk.• ACCESS_FINE_LOCATION—Google (Location), Google (Gapps), Face-book App, Yahoo Weather, Rhapsody (Music)• GET_ACCOUNTS—Google (Location), Google (Gapps), Google (Login),Google (GM), Google (Vending)• ACCESS_WIFI_STATE—Google (Location), Google (Gapps), Facebook App,Foursqaure, Facebook Messenger• UPDATE_DEVICE_STATS—Google (SystemUI), Google (Location), Google(Gapps)• ACCESS_COARSE_LOCATION—Google (Location), Google (Gapps), Google(News), Facebook App, Google Maps• AUTHENTICATE_ACCOUNTS—Google (Gapps), Google (Login), Twit-ter, Yahoo Mail, Google (GMS)151• READ_SYNC_SETTINGS—Google (GM), Google ( GMS ), android.process.acore,Google (Email), Google (Gapps)• INTERNET—Google (Vending), Google (Gapps), Google (GM), FacebookApp, Google (Location)A.2 Distribution of RequestsThe following graph shows the distribution of requests throughout a given dayaveraged across the data set.5 10 15 200100020003000400050006000Hour of the dayNumber of Requests152A.3 Permission Type BreakdownThis table lists the most frequently used permissions during the study period. (peruser / per day)Permission Type RequestsACCESS_NETWORK_STATE 41077WAKE_LOCK 27030ACCESS_FINE_LOCATION 7400GET_ACCOUNTS 4387UPDATE_DEVICE_STATS 2873ACCESS_WIFI_STATE 2092ACCESS_COARSE_LOCATION 1468AUTHENTICATE_ACCOUNTS 1335READ_SYNC_SETTINGS 836VIBRATE 740INTERNET 739READ_SMS 611READ_PHONE_STATE 345STATUS_BAR 290WRITE_SYNC_SETTINGS 206CHANGE_COMPONENT_ENABLED_STATE 197CHANGE_WIFI_STATE 168READ_CALENDAR 166ACCOUNT_MANAGER 134ACCESS_ALL_DOWNLOADS 127READ_EXTERNAL_STORAGE 126USE_CREDENTIALS 101READ_LOGS 94153A.4 User Application BreakdownThis table shows the applications that most frequently requested access to pro-tected resources during the study period. (per user / per day)Application Name Requestsfacebook.katana 40041google.process.location 32426facebook.orca 24702taptu.streams 6501google.process.gapps 5505tumblr 4251king.farmheroessaga 3862joelapenna.foursquared 2909ch.bitspin.timely 2549umonistudio.tile 2478king.candycrushsaga 2448android.systemui 2376bambuna.podcastaddict 1662handcent.nextsms 1543foursquare.robin 1408qisiemoji.inputmethod 1384devian.tubemate.home 1296lookout 1158154Appendix BDecision PredictionThis section presents how each different feature set was contributing to the finalaccurateness of the respective predictive models.B.1 Information Gain of Contextual FeaturesContextuals Defaulters OverallA1 0.4839 0.6444 0.5717A2 0.4558 0.6395 0.5605Permission 0.0040 0.0038 0.0050Time 0.0487 0.1391 0.0130Visibility 0.0015 0.0007 0.0010Table B.1: Feature Importance of Contextual Features155B.2 Information Gain of Behavioral FeaturesFeature ImportanceAmount of time spent on audio calls 0.327647825Frequency of audio calls 0.321291184Proportion of times screen was timed outinstead of pressing the lock button 0.317631096Number of times PIN was used tounlock the screen. 0.305287288Number of screen unlock attempts 0.299564131Amount of time spent unlocking the screen 0.29930659Proportion of time spent on loud mode 0.163166296Proportion of time spent on silent mode 0.138469725Number of times a website is loaded tothe Chrome browser 0.094996437Out of all visited websites, the proportionof HTTPS-secured websites. 0.071096898Number of times Password was used tounlock the screen 0.067999523Proportion of websites requested locationthrough Chrome 0.028404167Time 0.019799623The number of downloads through Chrome 0.014619351Permission 0.001461635Visibility 0.000162166Table B.2: Feature Importance of Behavioral Features156


Citation Scheme:


Citations by CSL (citeproc-js)

Usage Statistics



Customize your widget with the following options, then copy and paste the code below into the HTML of your page to embed this item in your website.
                            <div id="ubcOpenCollectionsWidgetDisplay">
                            <script id="ubcOpenCollectionsWidget"
                            async >
IIIF logo Our image viewer uses the IIIF 2.0 standard. To load this item in other compatible viewers, use this url:


Related Items