New study assesses privacy protections on smartphones

Lincoln Laboratory and the RAND Corporation examine the technology and federal regulations aimed at securing personal data on smartphones.

by Kylie Foy | Technical Communications Group

Everything we do with our smartphones paints a detailed picture of who we are. From the calls we make, images we snap, and places we visit, our devices hold a trove of personal data. Applications rely on accessing personal data to work properly, and we grant permission. Google Maps, for example, asks that we allow it to track our location, and Instagram relies on accessing our images. Yet, many apps are collecting far more private data than users might be aware of. So how are smartphones protecting our privacy, and what can federal policymakers do to enforce the regulations they are developing to secure consumers' information?


These were just two questions driving a recent study conducted by MIT Lincoln Laboratory staff and RAND Corporation researchers. Commissioned by the Defense Advanced Research Projects Agency (DARPA), the study assessed smartphone users' privacy from both technical and regulatory perspectives. On the technical side, Laboratory staff—Arkady Yerukhimovich, Robert Cunningham, Richard Housley, Richard Shay, Chad Spensky, and Jeffrey Stewart, along with Ari Trachtenberg, a professor from Boston University—ran experiments on two major smartphone platforms: Google's Android and Apple's iOS. RAND researchers Rebecca Balebako, Anne Boustead, Karlyn Stanley, William Welser, and Zev Winkelman conducted a review of the major federal regulations protecting user privacy.

The joint Lincoln Laboratory and RAND team found that although privacy-preserving technologies are improving, users' privacy concerns are not wholly addressed. To bridge this gap, this team created a toolset to help policymakers understand how regulations line up with current technology and to guide directions for future research.


"A major difficulty in crafting policy to protect user privacy is a lack of understanding of what is and is not protected by existing and potential technology," said Yerukhimovich of the Laboratory's Secure Resilient Systems and Technology Group, who is the first author of the paper "Can Smartphones and Privacy Coexist?" which details the study. "We hope that our study can serve as a first step toward bridging this divide and building an understanding of how to design policy in concert with technical capabilities."

Lincoln Laboratory researchers first wanted to understand how the differences between iOS and Android business models affect users' privacy. Apple's business model focuses on the sale of its iOS-embedded hardware. Google tailors Android to work on third-party hardware, and derives the majority of its revenue from advertisers, who rely on data gathered about users. Both collect data about how the phone is used. "This data collection raises privacy concerns," said Yerukhimovich. "Many apps sell data to third-party advertisers who can then use these data to build detailed profiles of users without their consent." The study also reviewed each platform's privacy-protecting practices, including the permissions models that control what information an app is allowed to collect. They noted that iOS and, more recently, Android are adopting "runtime" permissions, which require users to accept the permission requests of an app each time it is used.

Shay pointed out another consideration when examining the protections offered by smartphones. "Your iPhone doesn't just come from Apple. There are hardware and software components from many vendors. Through either carelessness or malicious intent, any of these vendors could compromise user privacy. The situation can be even worse for Android devices because the provider often adds its own proprietary software atop Google's software."

Laboratory staff conducted several experiments to evaluate user privacy, first investigating how much private data can be accessed by Android apps that request no permissions at the time of download. "These experiments required building tools that could poke for private data while avoiding or withstanding the systems' protections," Yerukhimovich said. The experiments also generated large amounts of data that required automated tools to identify any actual privacy leaks.

The team found a number of privacy leaks. For example, some apps could read the list of packages installed on a device, which can be used to fingerprint the device—a way for advertisers to assign a unique identification to the phone or user to track activity. Applications can also learn how much data the phone is sending or receiving over time. This information can be used to identify the language, and even detect specific spoken phrases, of conversations carried over commonly used Voice over Internet Protocol (VoIP) applications.

The Laboratory researchers conducted another experiment analyzing 50 banking apps on iOS and Android to understand how well these apps use cryptography to protect users' information. While most banks are properly encrypting data, the researchers found that a small number of banking apps did not correctly implement certificate validation, making these apps vulnerable to man-in-the-middle attackers who could steal private data by impersonating a banking server. However, even with apps that properly validate certificates, users are still vulnerable to attackers who can subvert the certificate authority. The researchers noted that few banking apps are choosing to use a stronger certification technique to give extra protection to their users.
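The two weaknesses this paragraph describes, a client that skips certificate validation and a client that validates correctly but still trusts any certificate authority, can be made concrete in a few lines. The Python below is an added illustration, not code from the study or from any of the banking apps it examined: it builds the misconfigured TLS context beside the hardened default, runs a small audit over each to flag the settings that would let an impersonated server through, and then layers a certificate-pinning check on top of chain validation. The function names, the constructed `SAMPLE_LEAF_DER` bytes (a stand-in, not a real certificate), and the choice of leaf-certificate SHA-256 pinning as the "stronger technique" are assumptions of this example, since the article does not name the technique.

```python
import hashlib
import socket
import ssl

# Constructed sample: a stand-in for a server's DER-encoded leaf certificate.
# Real code takes these bytes from sock.getpeercert(binary_form=True) after the handshake.
SAMPLE_LEAF_DER = b"\x30\x82\x01\x0a-constructed-placeholder-not-a-real-certificate"


def cert_fingerprint(der_bytes: bytes) -> str:
    """Hex SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


# Pins the app ships with; here just the fingerprint of the constructed sample.
PINNED_FINGERPRINTS = {cert_fingerprint(SAMPLE_LEAF_DER)}


def make_insecure_context() -> ssl.SSLContext:
    """The defect class the study found: verification switched off, so any server,
    including a man-in-the-middle presenting a self-signed certificate, is accepted."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_secure_context() -> ssl.SSLContext:
    """Hardened form: the default context validates the chain against the system
    trust store and checks that the hostname matches the certificate."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Detection logic: report settings that would make a client accept an impersonated server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname verification disabled")
    return findings


def pin_matches(der_bytes: bytes, pins=PINNED_FINGERPRINTS) -> bool:
    """Pinning check layered on top of chain validation: reject a certificate that
    chains correctly but is not the one the app expects, which is what a
    subverted certificate authority could issue."""
    return cert_fingerprint(der_bytes) in pins


def connect_with_pinning(host: str, port: int = 443, pins=PINNED_FINGERPRINTS) -> bool:
    """Open a fully validated TLS connection, then enforce the pin on the leaf certificate.
    Returns False (and the caller should abort) when the server's certificate is not pinned."""
    ctx = make_secure_context()
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
            return pin_matches(leaf, pins)


if __name__ == "__main__":
    for name, ctx in (("insecure", make_insecure_context()), ("secure", make_secure_context())):
        print(name, audit_context(ctx) or ["no findings"])
    print("pin check on sample cert:", pin_matches(SAMPLE_LEAF_DER))
    print("pin check on forged cert:", pin_matches(b"different-constructed-bytes"))
```

`audit_context` is the kind of check a static or dynamic review of an app's TLS setup can automate; the pinning check is what closes the remaining gap when chain validation alone is trusted. Pinning to the leaf certificate, as here, means the pin set must be updated whenever the server rotates its certificate; pinning the public key instead survives routine renewals but requires parsing the certificate's SubjectPublicKeyInfo, which this example leaves out.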

Moreover, the experiments showed that some apps may be transmitting more information than is necessary for their functions, for example, a user's location.

"What surprised us overall is how much personal data are still accessible on mobile devices and how many different parties have access to the data. From the makers of the devices, to the operating systems, to app developers: all these parties have access to some of the users' personal data, and there is little the users can do to keep their data private," Yerukhimovich said.

While it is difficult for users to know how to keep their data private, federal regulations are in place to protect users' privacy. RAND researchers reviewed these policies, focusing on the U.S. Federal Trade Commission's Fair Information Practice Principles, which address maintaining fairness, privacy, and security in handling electronic information.

"While regulation can protect some aspects of smartphone user privacy, U.S. federal protections are not comprehensive. Both technological and regulatory protections are needed, but privacy regulation and technological tools aren't conceived on the same dimensions," said Rebecca Balebako, a RAND researcher. "The difficulty is understanding where technology and regulation overlap, and where there are gaps in protections."


Pairing the RAND study with the Laboratory's technical review, the joint research team created a matrix-based analytical tool that highlights strengths and gaps in privacy protection. They used the tool to highlight one example of a gap: regulation requires app developers to allow parents a choice of what data are collected about their children, and while runtime permissions allow users to choose what data are collected about themselves and their children, the runtime permissions do not require parental consent for anyone to continue using the app—so a child could accept the permissions request. The tool aims to help policymakers and app developers gain insight into such gaps so that future regulations and technology improvements can address these vulnerabilities.

The findings of this study have been briefed to researchers on the Defense Advanced Research Projects Agency's Brandeis program, who are building new technology to protect the privacy of data available to a variety of devices, including mobile. "Much research is still needed to understand how users can take back control of their data without losing the functionality that they desire," Yerukhimovich said.

Posted February 2017
