Publications (10 of 18)
Hatamian, M., Wairimu, S., Momen, N. & Fritsch, L. (2021). A privacy and security analysis of early-deployed COVID-19 contact tracing Android apps. Empirical Software Engineering, 26(3), Article ID 36.
2021 (English). In: Empirical Software Engineering, ISSN 1382-3256, E-ISSN 1573-7616, Vol. 26, no 3, article id 36. Article in journal (Refereed). Published
Abstract [en]

As this article is being drafted, the SARS-CoV-2/COVID-19 pandemic is causing harm and disruption across the world. Many countries aimed at supporting their contact tracers with the use of digital contact tracing apps in order to manage and control the spread of the virus. Their idea is the automatic registration of meetings between smartphone owners for the quicker processing of infection chains. To date, there are many contact tracing apps that have already been launched and used in 2020. There has been a lot of speculation about the privacy and security aspects of these apps and their potential violation of data protection principles. Therefore, the developers of these apps are constantly criticized because of undermining users’ privacy, neglecting essential privacy and security requirements, and developing apps under time pressure without considering privacy- and security-by-design. In this study, we analyze the privacy and security performance of 28 contact tracing apps available on the Android platform from various perspectives, including their code’s privileges, promises made in their privacy policies, and static and dynamic performances. Our methodology is based on the collection of various types of data concerning these 28 apps, namely permission requests, privacy policy texts, run-time resource accesses, and existing security vulnerabilities. Based on the analysis of these data, we quantify and assess the impact of these apps on users’ privacy. We aimed at providing a quick and systematic inspection of the earliest contact tracing apps that have been deployed on multiple continents. Our findings have revealed that the developers of these apps need to take more cautionary steps to ensure code quality and to address security and privacy vulnerabilities. They should more consciously follow legal requirements with respect to apps’ permission declarations, privacy principles, and privacy policy contents.

Place, publisher, year, edition, pages
Springer Nature, 2021
Keywords
contact tracing apps, covid19, privacy, security, software quality, android, permissions, personal data, maturity, information privacy, privacy risk
National Category
Computer and Information Sciences Software Engineering
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-83509 (URN); 10.1007/s10664-020-09934-4 (DOI); 000631083100001 (); 2-s2.0-85103351291 (Scopus ID)
Projects
Digital Well Research; Alert
Available from: 2021-03-22; Created: 2021-03-22; Last updated: 2022-09-15; Bibliographically approved
Wairimu, S. & Momen, N. (2021). Privacy Analysis of COVID-19 Contact Tracing Apps in the EU. In: Mikael Asplund and Simin Nadjm-Tehrani (Ed.), Secure IT Systems: 25th Nordic Conference, NordSec 2020, Virtual Event, November 23–24, 2020, Proceedings. Paper presented at NordSec: Nordic Conference on Secure IT Systems (pp. 213-228). Springer
2021 (English). In: Secure IT Systems: 25th Nordic Conference, NordSec 2020, Virtual Event, November 23–24, 2020, Proceedings / [ed] Mikael Asplund and Simin Nadjm-Tehrani, Springer, 2021, p. 213-228. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents results from a privacy analysis of COVID-19 contact tracing apps developed within the EU. Though these apps have been termed advantageous, concerns regarding privacy have become an issue that has led to their slow adoption. In this empirical study, we perform both static and dynamic analysis to judge apps’ privacy-preserving behavior together with the analysis of the privacy and data protection goals to deduce their transparency and intervenability. From the results, we discover that while the apps aim to be privacy-preserving, not all adhere to this as we observe one tracks users’ location, while the other violates the principle of least privilege, data minimisation and transparency, which puts the users at risk by invading their privacy.

Place, publisher, year, edition, pages
Springer, 2021
Series
Lecture Notes in Computer Science, ISSN 0302-9743 ; 12556
Keywords
Privacy, COVID-19, Contact Tracing Apps
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-83327 (URN); 10.1007/978-3-030-70852-8 (DOI); 2-s2.0-85103585121 (Scopus ID); 978-3-030-70852-8 (ISBN)
Conference
NordSec: Nordic Conference on Secure IT Systems
Projects
DigitalWell Research
Available from: 2021-03-04; Created: 2021-03-04; Last updated: 2022-05-03; Bibliographically approved
Bock, S. & Momen, N. (2020). A Study on User Preference: Influencing App Selection Decision with Privacy Indicator. In: HCI International 2020: Late Breaking Papers: User Experience Design and Case Studies. Paper presented at HCI International, Copenhagen, Denmark 19 July 2020 through 24 July 2020 (pp. 579-599). Springer Science+Business Media B.V.
2020 (English). In: HCI International 2020: Late Breaking Papers: User Experience Design and Case Studies, Springer Science+Business Media B.V., 2020, p. 579-599. Conference paper, Published paper (Refereed)
Abstract [en]

This paper investigates how the use of privacy indicators in app stores can influence user behavior, and if the added information can improve consumer transparency. After a pre-study on the design and symbology, a visual privacy indicator was implemented and evaluated in an app market prototype. A total of 82 participants were asked to select a number of task-specific apps. By varying the degrees of participatory background information, we show that impact of a privacy indicator on app selection behavior has statistical significance and such privacy preserving behavior can be invoked by mere presence of the indicator.

Place, publisher, year, edition, pages
Springer Science+Business Media B.V., 2020
Series
Lecture Notes in Computer Science, ISSN 0302-9743, E-ISSN 1611-3349 ; 2612
Keywords
Decision making, Indicator design, Mobile interface, Privacy, Transparency, User study, Consumer behavior, Human computer interaction, User experience, App stores, Background information, Mere presences, Privacy preserving, Selection decisions, Statistical significance, User behaviors, Privacy by design
National Category
Computer Sciences
Identifiers
urn:nbn:se:kau:diva-83068 (URN); 10.1007/978-3-030-60114-0_39 (DOI); 2-s2.0-85092919997 (Scopus ID); 978-3-030-60113-3 (ISBN)
Conference
HCI International, Copenhagen, Denmark 19 July 2020 through 24 July 2020
Available from: 2021-02-21; Created: 2021-02-21; Last updated: 2021-03-11; Bibliographically approved
Momen, N. & Fritsch, L. (2020). App-generated digital identities extracted through Android permission-based data access - a survey of app privacy. In: Reinhardt, D.; Langweg, H.; Witt, B. C; Fischer, M (Ed.), Sicherheit 2020. Paper presented at INFORMATIK 2020 - Back to the Future (pp. 15-28). Gesellschaft für Informatik
2020 (English). In: Sicherheit 2020 / [ed] Reinhardt, D.; Langweg, H.; Witt, B. C; Fischer, M, Gesellschaft für Informatik, 2020, p. 15-28. Conference paper, Published paper (Refereed)
Abstract [en]

Smartphone apps that run on Android devices can access many types of personal information. Such information can be used to identify, profile and track the device users when mapped into digital identity attributes. This article presents a model of identifiability through access to personal data protected by the Android access control mechanism called permissions. We present an abstraction of partial identity attributes related to such personal data, and then show how apps accumulate such attributes in a longitudinal study that was carried out over several months. We found that apps' successive access to permissions accumulates such identity attributes, where different apps show different interest in such attributes.

Place, publisher, year, edition, pages
Gesellschaft für Informatik, 2020
Keywords
Privacy; Android; Apps; Identification; Digital Identity; Survey and Permissions
National Category
Computer Sciences Information Systems
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-77345 (URN); 10.18420/sicherheit2020_01 (DOI); 978-3-88579-695-4 (ISBN)
Conference
INFORMATIK 2020 - Back to the Future
Projects
Ars Forencia
Note

Conference cancelled, but contribution published

Available from: 2020-03-24; Created: 2020-03-24; Last updated: 2021-03-11; Bibliographically approved
Bock, S. & Momen, N. (2020). Einfluss einer Datenschutzskala auf das Auswahlverhalten in einem App-Markt. In: Digitaler Wandel, digitale Arbeit, digitaler Mensch? Paper presented at Frühjahrskongress 2020 - Digitaler Wandel, digitale Arbeit, digitaler Mensch? GfA, Dortmund (Hrsg.): Frühjahrskongress 2020, Berlin. Dortmund: Gesellschaft für Arbeitswissenschaft (GfA), Article ID B.19.1.
2020 (German). In: Digitaler Wandel, digitale Arbeit, digitaler Mensch?, Dortmund: Gesellschaft für Arbeitswissenschaft (GfA), 2020, article id B.19.1. Conference paper, Published paper (Refereed)
Abstract [de]

When smartphone applications are downloaded, the most widely used platforms provide hardly any information about data exchange and data protection. This study shows the influence of a data protection scale implemented in an app market on user behavior. The added app-specific information on data exchange and data access led to a more informed choice of applications with respect to data protection. A total of 82 participants were asked to complete given tasks on a smartphone. The selection behavior in a prototyped app market was recorded and reflected upon by the participants in an interview. Four samples were each presented with different conditions in order to capture the influence on selection behavior in more detail.

Place, publisher, year, edition, pages
Dortmund: Gesellschaft für Arbeitswissenschaft (GfA), 2020
Keywords
Data protection, privacy, selection behavior, transparency, mobile devices, permission grants
National Category
Human Computer Interaction
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-77923 (URN); 978-3-936804-27-0 (ISBN)
Conference
Frühjahrskongress 2020 - Digitaler Wandel, digitale Arbeit, digitaler Mensch? GfA, Dortmund (Hrsg.): Frühjahrskongress 2020, Berlin
Available from: 2020-06-02; Created: 2020-06-02; Last updated: 2020-11-19; Bibliographically approved
Momen, N. (2020). Measuring Apps' Privacy-Friendliness: Introducing transparency to apps' data access behavior. (Doctoral dissertation). Karlstads universitet
2020 (English). Doctoral thesis, comprehensive summary (Other academic)
Abstract [en]

Mobile apps brought unprecedented convenience to everyday life, and nowadays, hardly any interactive service exists without having an interface through an app. The rich functionalities of apps rely on the pervasive capabilities of the mobile device, such as its cameras and other types of sensors. Consequently, apps generate a diverse and large amount of data, which can often be deemed as privacy-sensitive data. As the mobile device is also equipped with several means to transmit the collected data, such as WiFi and 4G, it brings further concerns about individuals' privacy.

Even though mobile operating systems use access control mechanisms to guard system resources and sensors, apps exercise their granted privileges in an opaque manner. Depending on the type of privilege, apps require explicit approval from the user in order to acquire access to them through permissions. Nonetheless, granting permission does not put constraints on the access frequency. Granted privileges allow the app to access users' personal data for a long period of time, typically until the user explicitly revokes the access. Furthermore, available control tools lack monitoring features, and therefore, the user faces hindrances to comprehend the magnitude of personal data access. Such circumstances can erode intervenability from the interface of the phone, lead to incomprehensible handling of personal data, and thus, create privacy risks for the user.

This thesis covers a long-term investigation of apps' data access behavior and makes an effort to shed light on various privacy implications. It also shows that app behavior analysis yields information that has the potential to increase transparency, to enhance privacy protection, to raise awareness regarding consequences of data disclosure, and to assist the user in informed decision-making while selecting apps or services. We introduce models, methods, and demonstrate the data disclosure risks with experimental results. Finally, we show how to communicate privacy risks through the user interface by taking the results of app behavior analyses into account.

Abstract [en]

Mobile apps brought unprecedented convenience to everyday life, and nowadays, hardly any interactive service exists without having an interface through an app. The rich functionalities of apps rely on the pervasive capabilities of the mobile device. Consequently, apps generate a diverse and large amount of data, which can often be deemed as privacy-sensitive data.

Even though mobile operating systems use access control mechanisms to guard system resources and sensors, apps exercise their granted privileges in an opaque manner. Furthermore, available control tools lack monitoring features, and therefore, the user faces hindrances to comprehend the magnitude of personal data access.

This thesis covers a long-term investigation of apps' data access behavior and makes an effort to shed light on various privacy implications. It also shows that app behavior analysis yields information that has the potential to increase transparency, to enhance privacy protection, to raise awareness regarding consequences of data disclosure, and to assist the user in informed decision-making while selecting apps or services.

Place, publisher, year, edition, pages
Karlstads universitet, 2020. p. 218
Series
Karlstad University Studies, ISSN 1403-8099 ; 2020:24
Keywords
Mobile Apps, User data, Transparency, Privacy, Data protection
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-79308 (URN); 978-91-7867-132-8 (ISBN); 978-91-7867-137-3 (ISBN)
Public defence
2020-10-09, 9C203, Universitetsgatan 2, Karlstad, 09:15 (English)
Available from: 2020-09-09; Created: 2020-08-11; Last updated: 2020-09-09; Bibliographically approved
Momen, N. & Bock, S. (2020). Neither Do I Want to Accept, nor Decline; Is There an Alternative?. In: Communications in Computer and Information Science. Paper presented at 22nd International Conference on Human-Computer Interaction, HCII 2020; Copenhagen; Denmark; 19 July 2020 through 24 July 2020 (pp. 573-580). Springer
2020 (English). In: Communications in Computer and Information Science, Springer, 2020, p. 573-580. Conference paper, Published paper (Refereed)
Abstract [en]

As we spend a considerable amount of time on various user interfaces, it often requires to provide consent for granting privileges. This article addresses the opportunity for providing conditional consent which could potentially aid the user in understanding consequences, making informed decisions, and gaining trust in data sharing. We introduce an indecisive state of mind before consenting to policies, that will enable consumers to evaluate data services before fully committing to their data sharing policies. We discuss usability, regulatory, social, individual and economic aspects for inclusion of partial commitment within the context of a user interface for consent management. Then, we look into the possibilities to integrate it within the permission granting mechanism of Android by introducing an additional button in the interface—Maybe. This article also presents a design for such implementation, demonstrates feasibility by showcasing a prototype built on Android platform, and elaborates on a planned user study to determine feasibility, usability, and user expectation.

Place, publisher, year, edition, pages
Springer, 2020
Keywords
Conditional consent, Data protection, Partial commitment, Privacy, Android (operating system), Data Sharing, Human computer interaction, Android platforms, Consent managements, Data services, Economic aspects, Informed decision, User expectations, User study, User interfaces
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-82950 (URN); 10.1007/978-3-030-50732-9_74 (DOI); 2-s2.0-85088749911 (Scopus ID); 9783030507312 (ISBN)
Conference
22nd International Conference on Human-Computer Interaction, HCII 2020; Copenhagen; Denmark; 19 July 2020 through 24 July 2020
Available from: 2021-02-19; Created: 2021-02-19; Last updated: 2021-04-20; Bibliographically approved
Bock, S. & Momen, N. (2020). Nudging the User with Privacy Indicator: A Study on the App Selection Behavior of the User. In: Proceedings of the 11th Nordic ACM Conference on Human-Computer Interaction (NordiCHI '20). Paper presented at The 11th Nordic ACM Conference on Human-Computer Interaction (NordiCHI '20) (pp. 1-12). Tallinn, Estonia: ACM Digital Library, Article ID 60.
2020 (English). In: Proceedings of the 11th Nordic ACM Conference on Human-Computer Interaction (NordiCHI '20), Tallinn, Estonia: ACM Digital Library, 2020, p. 1-12, article id 60. Conference paper, Published paper (Refereed)
Abstract [en]

This paper presents an empirical study on user behavior, decision making, and perception about privacy concern while selecting apps. An app store demo was presented to the user with a minor modification: a privacy indicator for each app. After carrying out several tasks using this modified mobile interface, participants were interviewed to document reasons behind their decisions, thought process, and perception regarding individual privacy. A total of 82 adults volunteered under the pretext of a usability study. A significant influence of the privacy indicator on their app selection behavior was observed, although this influence decreased in case of familiar apps. Furthermore, responses from questionnaires, data from eye-tracking device and documented interviews, with video confrontation showed coherence with respect to the corresponding app selection behavior.

Place, publisher, year, edition, pages
Tallinn, Estonia: ACM Digital Library, 2020
Keywords
Privacy indicator, Transparency, Decision making, User study.
National Category
Human Computer Interaction
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-79307 (URN); 10.1145/3419249.3420111 (DOI); 2-s2.0-85095832124 (Scopus ID)
Conference
The 11th Nordic ACM Conference on Human-Computer Interaction (NordiCHI '20)
Available from: 2020-08-11; Created: 2020-08-11; Last updated: 2021-03-18; Bibliographically approved
Momen, N. & Fritsch, L. (2020). Smartphone-Apps unter Beobachtung. digma - Zeitschrift für Datenrecht und Informationssicherheit, 20(3), 152-155
2020 (German). In: digma - Zeitschrift für Datenrecht und Informationssicherheit, ISSN 1424-9944, Vol. 20, no 3, p. 152-155. Article in journal (Other academic). Published
Abstract [de]

Smartphones running the Android operating system have an access control system based on access rights that are assigned per app. It restricts third-party Android applications' access to critical resources. Some of these rights, defined by Google as so-called "dangerous permissions", require the user's consent before they are activated. This is done by clicking to give consent after the app has started. After that, the app can access the respective data source, for example location data (GPS), camera, phone state or address book, at will. If an app requests access to, for example, the address book, the user must approve address book access on the first attempt. This approval is then stored in the app for future accesses without any time limit.

Denying the rights in the settings often causes apps to malfunction.

Runtime permissions are granted on a group basis. For example, in order to use Bluetooth, as the Covid app requires, the user must give consent to the "Location" group. When an application again requests runtime permissions that relate to the same permission group, all the others are granted as soon as one of them has been granted.

In our research, we set ourselves the task of measuring the access frequencies to privacy-relevant data sources. The aim was to quantify the risk for the user and to create transparency about data collection, both from a scientific perspective and for the information of end users. In the following, we describe the results and approach of our studies.

Abstract [en]

This article presents an overview over a study of how Android smartphone apps use the permission-based access control system in order to extract personal data from smart phones. The study profiled app behavior in a longitudinal study. The data was analyzed and projected into different models with the aim to assess potential privacy risk from apps based on their run-time behavior. This article summarizes our findings and insights.

Place, publisher, year, edition, pages
Zürich (CH): Schulthess Juristische Medien AG, 2020
Keywords
apps, data protection, empirics, smart phones, data collection, data transfer, privacy, transparency, android, mobile telephony
National Category
Computer and Information Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-81886 (URN)
Available from: 2020-12-14; Created: 2020-12-14; Last updated: 2022-11-25; Bibliographically approved
Hatamian, M., Momen, N., Fritsch, L. & Rannenberg, K. (2019). A Multilateral Privacy Impact Analysis Method for Android Apps. In: M. Naldi, G. F. Italiano, K. Rannenberg, M. Medina & A. Bourka (Ed.), Privacy Technologies and Policy. Paper presented at Annual Privacy Forum 2019, Rome, Italy, June 13-14 (pp. 87-106). Cham: Springer, 11498
2019 (English). In: Privacy Technologies and Policy / [ed] M. Naldi, G. F. Italiano, K. Rannenberg, M. Medina & A. Bourka, Cham: Springer, 2019, Vol. 11498, p. 87-106. Conference paper, Published paper (Refereed)
Abstract [en]

Smartphone apps have the power to monitor most of people’s private lives. Apps can permeate private spaces, access and map social relationships, monitor whereabouts and chart people’s activities in digital and/or real world. We are therefore interested in how much information a particular app can and intends to retrieve in a smartphone. Privacy-friendliness of smartphone apps is typically measured based on single-source analyses, which in turn, does not provide a comprehensive measurement regarding the actual privacy risks of apps. This paper presents a multi-source method for privacy analysis and data extraction transparency of Android apps. We describe how we generate several data sets derived from privacy policies, app manifestos, user reviews and actual app profiling at run time. To evaluate our method, we present results from a case study carried out on ten popular fitness and exercise apps. Our results revealed interesting differences concerning the potential privacy impact of apps, with some of the apps in the test set violating critical privacy principles. The result of the case study shows large differences that can help make relevant app choices.

Place, publisher, year, edition, pages
Cham: Springer, 2019
Series
Lecture Notes in Computer Science, LNCS, ISSN 0302-9743, E-ISSN 1611-3349 ; 11498
Keywords
Smartphone apps, Case study, Security, Privacy, Android, Privacy policy, Reviews, Privacy impact, Privacy score and ranking, Privacy risk, Transparency
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:kau:diva-72432 (URN); 10.1007/978-3-030-21752-5_7 (DOI); 000561013800007 (); 2-s2.0-85067825202 (Scopus ID); 978-3-030-21751-8 (ISBN); 978-3-030-21752-5 (ISBN)
Conference
Annual Privacy Forum 2019, Rome, Italy, June 13-14
Projects
Excellenta miljön, 8730; Alert, 5617; Privacy & Us, 4961
Available from: 2019-06-12; Created: 2019-06-12; Last updated: 2020-09-24; Bibliographically approved
Identifiers
ORCID iD: orcid.org/0000-0002-5235-5335
