Elevating privacy protection in mobile apps

Privacy in mobile apps is not perfect. To remedy this situation, scientists have created an innovative technique that raises the level of privacy protection in mobile apps.

The project that has culminated in this development is called TRUST aWARE. The IMDEA Networks Institute of Spain has participated in the project together with various partners.

TRUST aWARE has addressed the growing challenges of privacy and security in consumer-oriented software. This project, which has had a significant contribution from the institute’s Internet Analytics Group (IAG), has focused on the problem of access and use of sensitive personal data by mobile applications, often without users being aware of how their data is used, shared or protected.

To mitigate this problem, IMDEA Networks, in partnership with the Universidad Carlos III de Madrid (UC3M) in Spain, has developed a hybrid analysis technique that combines static and dynamic analysis channels capable of monitoring and analyzing application behavior in real time, identifying potential privacy risks such as data leaks of personally identifiable information (PII).

“In addition, the project has explored the privacy expectations of citizens across Europe and across different age groups, developed novel Natural Language Processing (NLP) tools to assess the transparency and compliance of consent forms and policies, and provided mechanisms for users to exercise their digital rights. At the same time, scalable content analysis mechanisms have been created to detect and rate harmful and inappropriate content, such as adult content distributed through advertising networks to minors,” explains Narseo Vallina, Professor at IMDEA Networks.

All the results, as well as patents and vulnerability patches for major smart product vendors, attest to the pioneering research conducted in this project. “We have also published many datasets and tools as open source solutions so that they can be adopted by the research community and industry, thus enabling the transfer of knowledge to society,” comments Aniketh Girish, PhD student at IMDEA Networks.

Privacy in modern mobile phone apps is not as protected as one might wish. (Illustration: Amazings / NCYT)

IMDEA Networks researchers have played an integral role in the TRUST aWARE project, leading the development of the mobile dynamic analysis pipeline, including network monitoring, runtime monitoring, SDK detection (a mechanism for identifying third-party components in the software supply chain), and PII leak tracking.

“The results of the project have influenced the adoption of stricter privacy measures also by Android and IoT vendors, and have contributed to improved regulations in this regard. They will therefore benefit society by accurately and comprehensively studying security and privacy risks, transparency and regulatory compliance of software. By assessing transparency and compliance, the project enables auditing of software as a service for authorities, developers and certification bodies, helping to mitigate risks at an early stage,” says Girish.

TRUST aWARE includes the development of advanced technologies and a novel tool, which are being patented (for example, the SDK detection technique invented by IMDEA Networks). These tools have set new standards for mobile application security and privacy, triggering patches and revealing new security issues.

The project has also opened new lines of research. These include the analysis of location data and its use in mass surveillance strategies, the characterization of sensitive personal data collected by mobile applications and smart devices related to health, and the investigation of vulnerabilities and privacy risks within the Android browsing ecosystem, called WebViews. (Source: IMDEA Networks)