IFIP Summer School 2015 - Using Authorization Logic to Capture User Policies in Mobile Ecosystems
Using Authorization Logic to Capture User Policies in Mobile Ecosystems
Joseph Hallett
Are people picky about what they’ll install?
no! (mostly)
App stores sell apps
• How we distribute software on mobile devices
• Lots of choice of apps
• Partially curated by store owners
• Mainly for malware and quality control
• …but some still slips through
• …especially in the third-party stores
Apps access data
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
…but it’s mostly legitimate
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
Google Maps
Facebook Messenger
Amazon’s app store
anything web based (everything)
…but it’s maybe legitimate?
• Location and movements
• Who you speak to and what you text
• What you install
• What you look at on the internet
• Your camera and microphone
local advertising
marketing
analytics
targeted advertising
…spying?
Does anyone care?
yes!
Privacy preferences
• Fantastic paper from SOUPS 2014
• Modelling Users’ Mobile App Privacy Preferences: Restoring Usability in a Sea of Permission Settings, by Jialiu Lin, Bin Liu, Norman Sadeh, Jason I. Hong
• Figured out why some apps need certain permissions
• Asked users if they were okay with that
Four kinds of users
• From the users’ answers they discovered four different clusters of users
• Conservatives (12%)
• Advanced (18%)
• Fencesitters (48%)
• Unconcerned (22%)
• Unconcerned users didn’t care
• Happy to disclose data to third parties
• Little bit uncomfortable granting account info to social networks
• Fencesitters seemed ambivalent
• Didn’t actively like or dislike anything
• User fatigue?
• Conservatives really care
• Don’t want anyone to have anything for any reason
• Advanced users are concerned but pragmatic
• Okay giving social networks info
• Okay giving coarse information
Users have privacy preferences
• Do they make app choices on the basis of them?
• Can we help them make that decision?
• Can we warn them when they’re making a bad decision?
AppPAL
an authorization logic for picking apps
AppPAL
• Based on SecPAL
• Used for access control in distributed systems
• Written in Java, runs on Android
• Lets principals (users) make judgements about apps
alice says apk://com.rovio.angrybirds isRunnable.
speaker: alice
subject: apk://com.rovio.angrybirds
predicate: isRunnable
alice says App isRunnable if App meets(conservativePolicy).
variables: App
conditionals: if App meets(conservativePolicy)
constant: conservativePolicy
alice says App isRunnable if App meets(workPolicy)
where currentLocation(work) = true, hasPermission(App, location) = true.
constraint: where currentLocation(work) = true, hasPermission(App, location) = true
currentLocation(work): checked at query time
hasPermission(App, location): implicit in the app
alice says itdepartment can-say App meets(workPolicy).
delegation: can-say
delegatee: itdepartment
alice says itdepartment can-say inf App meets(workPolicy).
strictly speaking either delegation where further delegation is allowed or…
alice says itdepartment can-say 0 App meets(workPolicy).
…where it is not
alice says ian can-act-as itdepartment.
role assignment
alice says apk://com.rovio.angrybirds.space can-act-as apk://com.rovio.angrybirds.
role assignment not limited to speakers
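The statement forms on the slides above (says, if/where, can-say 0 and can-say inf, can-act-as) can be exercised with a small evaluator. This is an added illustration in Python, not AppPAL's own Java code: it handles ground statements with App as the only variable, and the apps com.example.mail and com.example.chat, the speaker vendor, and the names make_ac and holds are assumptions.

```python
INF = float("inf")  # the slides' "can-say inf"

def make_ac(it_depth):
    """Constructed assertion context; it_depth is alice's can-say depth for itdepartment."""
    return {
        # speaker says subject predicate.
        "facts": {("ian", "apk://com.example.mail", "meets(workPolicy)"),
                  ("vendor", "apk://com.example.chat", "meets(workPolicy)"),
                  ("alice", "apk://com.rovio.angrybirds", "isRunnable")},
        # speaker says App <head> if App <body> where <constraint over app, env>.
        "rules": [("alice", "isRunnable", ["meets(workPolicy)"],
                   lambda app, env: env["location"] == "work")],
        # speaker says delegatee can-say <depth> App <predicate>.
        "can_say": [("alice", "itdepartment", it_depth, "meets(workPolicy)"),
                    ("ian", "vendor", 0, "meets(workPolicy)")],
        # speaker says x can-act-as y.
        "roles": {("alice", "ian", "itdepartment"),
                  ("alice", "apk://com.rovio.angrybirds.space",
                   "apk://com.rovio.angrybirds")},
    }

def holds(ac, speaker, subject, pred, env, depth=INF, seen=frozenset()):
    """True if `speaker says subject pred` is derivable from ac at this depth."""
    goal = (speaker, subject, pred, depth)
    if goal in seen:                      # cut cyclic delegation or roles
        return False
    seen = seen | {goal}
    if (speaker, subject, pred) in ac["facts"]:
        return True
    for s, head, body, constraint in ac["rules"]:
        # The constraint is evaluated now, at query time, against env.
        if (s == speaker and head == pred and constraint(subject, env) and
                all(holds(ac, speaker, subject, b, env, depth, seen) for b in body)):
            return True
    for s, x, y in ac["roles"]:           # x inherits what speaker says about y
        if s == speaker and x == subject and holds(ac, speaker, y, pred, env, depth, seen):
            return True
    if depth == INF:                      # a depth-0 derivation may not use can-say
        for s, delegatee, d, p in ac["can_say"]:
            if s != speaker or p != pred:
                continue
            # The delegatee, plus anyone speaker lets act as the delegatee.
            speakers = {delegatee} | {x for a, x, y in ac["roles"]
                                      if a == speaker and y == delegatee}
            if any(holds(ac, who, subject, pred, env, d, seen) for who in speakers):
                return True
    return False

if __name__ == "__main__":
    work = {"location": "work"}
    print(holds(make_ac(0), "alice", "apk://com.example.mail", "isRunnable", work))
    print(holds(make_ac(0), "alice", "apk://com.example.chat", "isRunnable", work))
    print(holds(make_ac(INF), "alice", "apk://com.example.chat", "isRunnable", work))
```

With can-say 0, alice accepts ian's own judgement (he acts as itdepartment) but not the one he re-delegated to vendor; with can-say inf she accepts both.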
So do users follow privacy policies?
Plan of attack
• Get data about which users installed which apps
• Express Lin et al.’s privacy policies in AppPAL
• Check what percentage of a user’s apps met the policy
• If a user is following a policy we’ll expect them to mostly install apps which satisfy the policy
this data is hard to get
Carat
• Project from UC Berkeley and University of Helsinki
• Measures power usage of the apps on your phone
• Also collects anonymised app installation data for researchers
• Users replaced with an incrementing number
• Apps replaced with hash of package name
Carat
• We identified 4,300 apps out of ~90,000
• Selected 44,000 users for whom we knew at least 20 app installations
• (after taking into account system and common apps like Facebook and Twitter)
Privacy policies in AppPAL
• Approximated the Lin et al. policies as sets of permissions
• If a group of users felt uncomfortable about a permission for any reason we banned it.
• Not as subtle as we’d like but a reasonable approximation.
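| Permission | C | A | F | U |
|---|---|---|---|---|
| GET_ACCOUNTS | ✘ | ✘ | ✘ | ✘ |
| ACCESS_FINE_LOCATION | ✘ | ✘ | ✘ | |
| READ_CONTACT | ✘ | ✘ | ✘ | |
| READ_PHONE_STATE | ✘ | ✘ | | |
| SEND_SMS | ✘ | ✘ | | |
| ACCESS_COARSE_LOCATION | ✘ | | | |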
Limitations
• We’re using an approximation of the policies
• We have only a partial purchase history
• …so we can only test if a sample of a user’s apps meet the policies
• We might not have the same version as the user
• Permissions can increase or decrease; apps change
• …but typically only increase
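The measurement from the plan of attack, as an added Python example that is not the authors' code: each policy is a set of banned permissions, an app meets a policy if it requests none of them, and a user is scored by the fraction of their identified apps that meet it. The app names, permission assignments and install lists are constructed, the column assignment of the ✘ marks (filled from the left under C, A, F, U) is an assumption, and min_known is 2 here where the slides use 20.

```python
# Banned permissions per cluster. Assumption: the marks in the slide's table
# fill the columns C, A, F, U from the left.
_A = {"GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_CONTACT",
      "READ_PHONE_STATE", "SEND_SMS"}
BANNED = {
    "C": _A | {"ACCESS_COARSE_LOCATION"},
    "A": _A,
    "F": {"GET_ACCOUNTS", "ACCESS_FINE_LOCATION", "READ_CONTACT"},
    "U": {"GET_ACCOUNTS"},
}

# Constructed sample: permissions of the apps that could be identified.
APP_PERMS = {
    "com.example.torch": set(),
    "com.example.weather": {"ACCESS_COARSE_LOCATION"},
    "com.example.maps": {"ACCESS_FINE_LOCATION"},
    "com.example.chat": {"READ_CONTACT", "SEND_SMS", "GET_ACCOUNTS"},
    "com.example.dialer": {"READ_PHONE_STATE"},
}

# Constructed sample: user number -> installed apps. "unidentified-1" stands
# for an app whose hashed package name could not be resolved.
INSTALLS = {
    1: ["com.example.torch", "com.example.weather"],
    2: ["com.example.torch", "com.example.maps",
        "com.example.chat", "com.example.dialer"],
    3: ["com.example.torch", "unidentified-1"],
}

def compliance(apps, policy):
    """Fraction of a user's identified apps requesting no banned permission."""
    known = [a for a in apps if a in APP_PERMS]
    if not known:
        return None  # nothing identified, so nothing can be said about this user
    ok = sum(1 for a in known if not (APP_PERMS[a] & BANNED[policy]))
    return ok / len(known)

def users_at_or_above(threshold, policy, min_known=2):
    """Count users with >= min_known identified apps and compliance >= threshold."""
    count = 0
    for apps in INSTALLS.values():
        known = [a for a in apps if a in APP_PERMS]
        if len(known) >= min_known and compliance(known, policy) >= threshold:
            count += 1
    return count

def summary(thresholds=(0.5, 0.75, 1.0)):
    """Rows are thresholds, columns are policies, as in a results table."""
    return {t: {p: users_at_or_above(t, p) for p in "CAFU"} for t in thresholds}

if __name__ == "__main__":
    for t, row in summary().items():
        print(f">= {t:.0%}", row)
```

User 3 is dropped because only one of their apps is identified, which is the partial-history limitation above in miniature.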
Results
[Figure: user count (y-axis) against %age of user’s apps meeting policy (x-axis), for policies C, A, F, U]
Almost no one follows a policy all the time
…or even some of the time
| %age of apps meeting policy | C | A | F | U |
|---|---|---|---|---|
| ≥ 50% | 179 (0.41%) | 206 (0.47%) | 696 (1.58%) | 2390 (5.43%) |
| ≥ 60% | 45 (0.10%) | 49 (0.11%) | 209 (0.48%) | 867 (2.0%) |
| ≥ 70% | 18 (0.04%) | 19 (0.04%) | 79 (0.18%) | 331 (0.75%) |
| ≥ 80% | 15 (0.03%) | 16 (0.04%) | 49 (0.11%) | 151 (0.34%) |
| ≥ 90% | 13 (0.03%) | 14 (0.03%) | 37 (0.08%) | 69 (0.16%) |
| = 100% | 13 (0.03%) | 14 (0.03%) | 37 (0.08%) | 67 (0.15%) |
but it isn’t zero
What about malware?
[Figure: user count (y-axis) against %age of user’s apps meeting policy (x-axis), for policies not PUP and not Malware]
Almost no malware installed
Do users who follow a policy install less malware?
[Figure: %age of apps meeting ‘Not-PUP’ policy (y-axis) against %age of apps meeting ‘Advanced’ policy (x-axis)]
yes!
So what did we learn?
• What people say and what people do are two different things
• Being picky seems to stop you installing rubbish
• AppPAL works great for exploring properties of apps
What is next?
• On device policy checking
• check your installed apps against a policy
• Building stores with policies
• searching and building stores with policies
• What is causing this disconnect?
• fatigue? lack of awareness? lack of choice?