a location privacy protection framework in android system
TRANSCRIPT
POSTER: LocMask: A Location Privacy ProtectionFramework in Android System
Qiuyu Xiao, Jiayi Chen, Le Yu, HuaxinLi, Haojin Zhu
Shanghai Jiao Tong UniversityShanghai, China
{xiaoqiuyu, edjason, yule5100309221,lihuaxin003, zhu-hj}@sjtu.edu.cn
Muyuan Li, Kui RenUniversity at Buffalo
Buffalo, NY, USA{muyuanli, kuiren}@buffalo.edu
ABSTRACTThe mobile users are facing a serious risk of losing loca-tion privacy (e.g., users’ location information transmittedby open advertisement network, and the reported event ofinvoluntary tracking of mobile users in popular mobile socialapps). In this study, we design and implement LocMask, asystem-level solution that provides location privacy protec-tion in Android system. LocMask achieves the tradeoff ofthe privacy and the utility of location based services by pro-viding the Quality of Protection (QoP) on demand, whichsets different privacy protection levels to different locationsbased on how sensitive these locations are. Motivated by thefact that Top locations (e.g, user’s home or office) are moresensitive than less visiting locations, LocMask provides loca-tion profile management module that records the user’s mo-bility history and ranks the locations in terms of the user’svisiting frequency. With users’ location profiles, LocMaskcan automatically determines the sensitiveness of these loca-tions as well as their corresponding privacy protection level.LocMask is also designed to incorporate various obfuscationtechniques. The effectiveness of LocMask is supported byextensive real-world data based evaluations.
Categories and Subject DescriptorsC.2.0 [Computer-Communication Networks]: General—Security and Protection
KeywordsLocation privacy; Smartphone security; Android
1. INTRODUCTIONAs an important tool in facilitating coordination and com-
munication among people, smart phone together with a widerange of apps forms a revealing montage of people’s life byrecording not just calls made but of medical concerns, polit-ical preferences, romantic involvements, financial resources
Permission to make digital or hard copies of part or all of this work for personal orclassroom use is granted without fee provided that copies are not made or distributedfor profit or commercial advantage, and that copies bear this notice and the full ci-tation on the first page. Copyrights for third-party components of this work must behonored. For all other uses, contact the owner/author(s). Copyright is held by theauthor/owner(s).CCS’14, November 3–7, 2014, Scottsdale, Arizona, USA.ACM 978-1-4503-2957-6/14/11.http://dx.doi.org/10.1145/2660267.2662367 .
and other sensitive information. Among different privacy is-sues, location privacy leakage in smartphone is receiving anincreasing attention. It has been pointed out that 100 repre-sentative ad libraries are used in 52.1% of 100000 apps and27 of the top 50 libraries requesting user’s location data[3].More seriously, most of the ad libraries don’t encrypt theirad requests due to the extra overhead[6]. Thus, the locationinformation of numerous users is public to not only the adproviders but also any network sniffers who can eavesdropad traffic between users and ad providers.
Another typical example of location privacy leakage comesfrom location-based social discovery apps (e.g., Wechat andSkout) which allow the users to discover new friends basedon their proximity testing. A recent research [4] shows thatattackers can exactly geo-locate the victim by only exploit-ing the public information of the users. Recent studieshave shown that four spatial-temporal points are sufficientto identify the individuals in an anonymized mobility dataset[2]. Note that users’ location traces can leak much in-formation about the individuals’ habits, interests, activities,and relationships as pointed out in [5]. And loss of locationprivacy can expose users to unwanted advertisement andlocation-based spams/scams, cause social reputation dam-age or property loss, and make them victims of blackmail oreven physical violence.
In the past years, there are quite a few works proposedfor location privacy protection including: k-anonymity, mix-zone and various obfuscation techniques. However, none ofthe existing works provide a system-level countermeasure forlocation-privacy protection in smart phone systems such asAndroid. In this study, we present LocMask, a system-levelsolution that provides location privacy protection in Androidsystem. LocMask has the following features: 1. Providingthe Quality of Protection (QoP) on demand. It is motivatedby the following fact. On the one hand, the privacy comesat a cost, and will inevitably reduce the utility of LBS ap-plications. On the other hand, for a specific user, differentlocations may potentially require different privacy protec-tion levels. For example, the Top 2 Locations of the user(e.g., home or office) are closely relevant to his identity andthus require a high privacy protection level while the publicregions (e.g, shopping malls or cinema) need a relatively lowprivacy protection. 2. Determining the privacy level basedon automatic location profile management as well as user’spreference. LocMask provides location profile managementmodule that records the user’s mobility history and ranksthe places in terms of the user’s visiting frequency to deter-
1526
mine the sensitiveness of these places as well as their cor-responding privacy protection level. LocMask also providesflexibility for users to determine their privacy level based ontheir personal preferences. 3. Being compatible to the ex-isting obfuscation techniques, LocMask will be compatibleto rather than be a replacement of the existing obfuscationtechniques. In other words, a diversified range of obfuscationtechniques can be adopted in LocMask.
2. FRAMEWORK DESIGN AND IMPLEMEN-TATION
In this section, we will introduce LocMask, a novel loca-tion privacy protection framework in Android, and explainthe strategies behind it.
2.1 Design of LocMaskLocMask aims to provide location privacy protection for
Android users without significantly reducing the Quality ofProtection (QoP) of users. The basic idea of LocMask isassigning different privacy levels to different locations toachieve the balance of the privacy and the utility. To re-duce the load of manually setting the value to each location,we correlate the privacy level of each location to the user’svisiting frequency, which is motivated from the fact that thelocations with a higher visiting frequency are more closelyrelated to the user’s identity and thus more sensitive to thisuser (e.g., Top Locations). In general, LocMask is comprisedof the following modules: Privacy Level Setting Module, Lo-cation Profile Learning Module and Obfuscation Module.
2.1.1 Privacy Level Setting ModuleAs described above, LocMask allows the automatic pri-
vacy level configuration for Android users by correlating theprivacy level with their location profiles. The existing re-searchers show that the human’s mobility is generally pre-dictable and 94% indiviuals’ daily activity is confined to alimited neighborhood of less than 100 km[2]. By obtainingthe location profiles of users, the more frequently visitinglocations will be set to a higher sensitive level, which leadsto a higher privacy protection level and a bigger obfuscationrange. In case that the privacy levels do not fully matchusers’ preferences, LocMask also allows the users to set theprivacy levels for specific locations or apps.
2.1.2 Location Profile Building ModuleOne of the main features of LocMask is to correlate the
privacy protection levels of different locations with users’location profiles, which can naturally differentiate the Toplocations (office or home) from other less sensitive regions(public regions). Location Profile Building Module is de-signed to collect users’ historical trajectory and then buildusers’ location profiles. We model the trajectory of a spe-cific user U as a function mapping a time point in T tothe user’s location in R at that time, i.e., αu : T → R.Thus, if the user traverses k POIs for k different time slots,the real mobility traces of the user u can be denoted asM =<< u, t1, αu(t1) >, . . . , < u, tk, αu(tk) >>. By collect-ing a certain duration of users’ trajectory, Location profilebuilding module will obtain the location list of the users aswell as the possibilities of visiting these locations.
2.1.3 Location Obfuscation ModuleLocMask can support various obfuscation techniques, in-
cluding: distance-based obfuscation, cloaking techniques,and etc [1]. Obfuscation techniques protect a user’s locationprivacy by deliberately degrading the quality of informationabout that user’s location. LocMask provides a general in-terface for each obfuscation mechanism to intercept the orig-inal locations and return the obfuscated results. With thisinterface, each obfuscation technique can be easily imple-mented in Android and existing LBS applications don’t needany modification. Moreover, LocMask can incorporate pri-vacy level mechanism into existing obfuscation techniques,which can achieve a balance of location privacy and the QoPof location-based service.
Figure 1: LocMask Architecture
2.2 Framework ImplementationBased on the strategies discussed above, we designed and
implemented LocMask as a location-privacy preserving mod-ule in Android system. Figure 1 illustrates the baseline ar-chitecture of LocMask, which comprises of four components.
User-specify Interface: Provides an interface for usersto specify their location sharing preferences. User-specifyinterface was implemented as an system application in An-droid as shown in Figure 2. This application can report theLBS apps by scanning the manifest file to findACCESS COA-RSE LOCATION or ACCESS FINE LOCATION permis-sion. The application can also show the geographic positionsin a map. And then users can specify privacy preservinglevel for LBS apps and geographic positions to meet theirrequirements.
Profile Generator: Collects user’s location informationand stores user’s mobility history in the local database. Weimplemented a LocationProfile class in Android framework.This class provides methods to execute clustering algorithmin the mobility data set, and then extract user’s location pro-file. Location profile records user’s Top N locations, whichwill be assigned privacy preserving level according to theirsensitiveness.
Privacy-level Recorder: Saves the privacy preservinglevel for each geographic position and LBS app. There arefour privacy levels in LockMask, which are low, medium,
1527
Figure 2: User-specify Interface
high and very high. Privacy level information is stored asXML file in the SystemDir of Android file system and willbe used to compute obfuscation range in our obfuscatingprocess.Obfuscation Engine: Implements obfuscation techniques
and executes obfuscation process. We add a function, Ob-fuscateLocation(), in LocationManager class. ObfuscateLo-cation() provides the interface for different obfuscation tech-niques. Parameters of this function are the original locationand the package name of query app, which can be used toquery privacy level. We also modified Android location re-questing APIs so that whenever they are invoked by a queryapp, they will call obfuscateLocation() and return the ob-fuscated result to the query app.
2.3 Obfuscation MechanismWe implemented a hybrid obfuscation method for Loc-
Mask. This hybrid method includes two different obfusca-tion techniques. The first obfuscation technique is intro-duced in [1]. There are three basic obfuscation operatorsin this technique, which are radius enlargement, radius re-duction and center shifting. LocMask executes obfuscationby randomly combining these obfuscation operators. Thisobfuscation technique will be selected when privacy level islow or medium (or the LBS has a certain requirement onthe precision).For the privacy level high or very high or LBS only needs
a low requirement on the precision (for example, the loca-tion based advertisements normally have a low requirementfor the precision), LocMask uses a novel obfuscation tech-nique, which let obfuscation results deviate to the publicregion (e.g, shopping malls or cinema). Users don’t want todisclose their real locations in these privacy levels, so Loc-Mask tries to disguise user’s location as public region, whichis less sensitive and informative. This technique is useful fordefending malicious or unwanted location requests.
3. EXPERIMENT AND RESULTSWe conducted a 3-week experiment to test LocMask. 15
volunteers attended this experiment by using the modifiedAndroid system which incorporates LocMask. In the first2 weeks, we gathered each user’s location data to generatelocation profile. We also let users specify their location pre-serving preferences. In the last week, LocMask began toobfuscate each location request according to location profile
and user’s preferences. Figure 3 shows some original andobfuscated locations of a volunteer. Blue points are origi-nal locations. Yellow points are obfuscated results from thefirst obfuscation technique and green points from the secondtechnique as described in 2.3. We can see that LocMask cansuccessfully obfuscate users’ location and protect their loca-tion privacy.
(a) Original data (b) Technique 1 (c) Technique 2
Figure 3: Obfuscation Results
4. CONCLUSIONIn this poster, we present a novel location-privacy pre-
serving framework, LocMask, in Android system. Withoutany change on existing LBS applications, our frameworkcan provide tailored protection for each user. For our fu-ture work, we are planning to incorporate other advancedprivacy-preserving technics into our framework to get bet-ter performance.
ACKNOWLEDGEMENTThis research is partially supported by NSFC (No. 61272444).
5. REFERENCES[1] C. A. Ardagna, M. Cremonini, S. De Capitani di
Vimercati, and P. Samarati. An obfuscation-basedapproach for protecting location privacy. Dependableand Secure Computing, IEEE Transactions on,8(1):13–27, 2011.
[2] Y.-A. de Montjoye, C. A. Hidalgo, M. Verleysen, andV. D. Blondel. Unique in the crowd: The privacybounds of human mobility. 3, 2013.
[3] M. C. Grace, W. Zhou, X. Jiang, and A.-R. Sadeghi.Unsafe exposure analysis of mobile in-appadvertisements. In Proceedings of the fifth ACMconference on Security and Privacy in Wireless andMobile Networks, page 101́lC112, 2012.
[4] M. Li, H. Zhu, Z. Gao, S. Chen, K. Ren, L. Yu, andS. Hu. All your location are belong to us: Breakingmobile social networks for automated user locationtracking. In MobiHoc, 2014.
[5] B. Schilit, J. Hong, and M. Gruteser. Wireless locationprivacy protection. Computer, 36(12):135–137, 2003.
[6] R. Stevens, C. Gibler, J. Crussell, J. Erickson, andH. Chen. Investigating user privacy in android adlibraries. In Workshop on Mobile Security Technologies(MoST), 2012.
1528