Privacy Friendly Apps - Making Developers Aware of Privacy Violations

Karola Marky†, Andreas Gutmann†, Philipp Rack†, Melanie Volkamer†‡
† Technische Universität Darmstadt, Darmstadt, Germany, name.surname@secuso.org
‡ Karlstad University, Karlstad, Sweden

Copyright © by the paper's authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors. In: D. Aspinall, L. Cavallaro, M. N. Seghir, M. Volkamer (eds.): Proceedings of the Workshop on Innovations in Mobile Privacy and Security (IMPS) at ESSoS'16, London, UK, 06 April 2016, published at http://ceur-ws.org

Abstract

Android devices are widely used on a daily basis. As those devices can open doors for attackers and companies to privacy sensitive data, developers have to be aware of the potential risks. We introduce the Privacy Friendly Apps project, explain its design principles and describe some of the resulting apps. The long-term goal of this project is twofold: (1) raise the awareness of developers regarding potential privacy violations posed by unnecessarily overprivileged apps; (2) compile a list of common errors and mistakes that lead to unintended privacy violations.

1 Introduction

In the past years, mobile devices have become widely adopted products. Their omnipresence in people's daily routines and their frequent interconnection with other personal devices give them potential access to a plethora of (privacy sensitive) data. With roughly 80% market share in 2015, Android is the most frequently used mobile operating system [Int15]. Its API contains a set of routines, protocols, and tools for developers to build software applications (apps) and is thus a gateway to potential misuse and privacy violations. In order to protect privacy sensitive data, Android defines a permission system as its security model: before an app is permitted to access functionality or data, a permission has to be granted by the user. This approval takes place before the app is installed (until Android 6.0 "Marshmallow", see footnote 1) and the user grants all permissions at once. If the permissions are not granted, the installation process is canceled. Permissions are coarse-grained, e.g. the camera permission is required to operate the LED flash light.

Even if no privacy violation is intended, developers might include more permissions than an app requires for its functionality. Such overprivileged applications bear two risks: (1) Android's permission request system becomes less effective and (2) the impact of bugs and vulnerabilities increases [Fel11]. In particular, the application's permissions could be misused by another application [Ort11]. Granting more permissions than the functionality requires might also lead to mistrust among users.

A few app rating mechanisms, e.g. the one proposed by Lin et al. [Jia14], determine whether a permission is required for an app's functionality. It is estimated that at least one third of Android applications request more permissions than necessary [Fel11]. Hence, raising the awareness of developers regarding potential privacy and security violations introduced by unnecessary permissions can contribute to mitigating related problems, e.g. by addressing BYOD (bring your own device) concerns [Mil12].

Research orthogonal to ours explores how users can be guided to more privacy aware app choices and installation decisions. This includes research on users' decision making and the derivation of guidelines for privacy aware app decisions [Kul16] as well as on the actual presentation of the permission granting screen in the Google Play Store [Ger15]. Progress in these research directions is likely to shift market demand towards more privacy friendly apps, which requires corresponding knowledge and awareness on the part of developers.

Our contribution is a set of guidelines for Android application development that makes developers aware of potential privacy violations. To test this set, university students will develop apps during their programming lab. The results are compared, in terms of their potential privacy violations, to similar applications in the Google Play Store. As a positive side effect, we contribute privacy friendly apps to society. We further hope that the approach of developing privacy friendly apps within students' programming labs will be adopted by other educational institutions.

Footnote 1: In Android 6 (released in October 2015) and thereafter, permissions are granted at run-time, which could also lead to privacy violations.

2 Privacy Friendly Apps

The Privacy Friendly Apps project is based on a few principles, described in this section. They are applied to evaluate common mistakes that lead to privacy violations. Based on Android's security model for data, we identified permissions as the biggest threat to privacy sensitive data. Each Privacy Friendly App complies with the following principles:

Minimal Permissions. Each app uses only those permissions actually needed to implement its functionality. Every use of a permission has to be justified by the developers. This justification should lead developers to reflect on their use of permissions.

Open Source Licence. The source code is licensed under an open source licence (typically GPLv3, footnote 2) and published on the open source platform GitHub (footnote 3). This guarantees that other persons familiar with programming can review the code. Publishing the source code furthermore builds trust, as privacy violations can be discovered by anyone who inspects the code.

No Advertisement or Tracking. Privacy Friendly Apps refrain from tracking and advertisement. Advertisement and tracking might result in a privacy violation, and we do not want to encourage students to integrate these features gratuitously into a privacy friendly app.

In addition to the Google Play Store and GitHub, we try to publish (footnote 4) the resulting apps in the alternative app store F-Droid. This store exclusively contains open source apps and compiles them directly from source code. Thus, it is assured that the resulting app matches the published source code. During this procedure F-Droid examines the app regarding security and privacy issues.

Publishing in F-Droid offered good access to the open source community. We have received feature requests, issues and comments on GitHub's issue tracker regarding some apps. Regarding one application we received recommendations to provide additional privacy. This recommendation led us to carefully review the camera permission, which is required to control a phone's LED (on Android 6.0 and later, CameraManager.setTorchMode controls the flash without the camera permission). So adding the apps to this store supports us in identifying privacy risks by utilising collective knowledge.

Footnote 2: http://www.gnu.org/licenses/quick-guide-gplv3.en.html
Footnote 3: https://github.com/
Footnote 4: We write "try to publish" because F-Droid carefully reviews submitted apps.

3 Developed Apps

Several Android apps (footnote 5) have been or are currently being developed by students during programming labs. This section summarizes four representative apps with regard to their functionality, the permissions they require and the average number of permissions requested by the top ten similar apps (footnote 6) as displayed in the Google Play Store.

Dicer can be used to roll six-sided dice.
    Amount of permissions: 1
    Average permissions (Play Store): 2.9

QR Scanner decodes several QR Code formats as well as barcodes and supports the user in detecting malicious links embedded in QR Codes.
    Amount of permissions: 2
    Average permissions (Play Store): 10.7

Torchlight uses the LED camera flash light to provide the smartphone with a torchlight.
    Amount of permissions: 1
    Average permissions (Play Store): 6.9

Sudoku Game.
    Amount of permissions: 0
    Average permissions (Play Store): 4.5

Footnote 5: Corresponding source code can be found at https://github.com/SecUSo
Footnote 6: If available, and after manual inspection to ensure similarity.

4 Considerations and Early Findings

We plan to evaluate the development process of Privacy Friendly Apps based on the three principles. We intend to learn which guidelines and which type of knowledge are useful to raise developers' awareness. Therefore, we have designed two questionnaires for the programmers to evaluate their awareness level and learning curve. In the future, the developers will therein report their software development skills in general and particularly regarding the Android platform. From this self-reported data we hope to gain further insights.

Spreading the idea of letting students of other educational institutions develop Privacy Friendly Apps is another aspect under consideration. As computer science students typically have to participate in a programming lab, they could contribute their results to society, e.g. in the form of a Privacy Friendly App based on the principles listed in Section 2.

Additionally, the approach of developing Android apps based on our principles could spread to other educational facilities. Computer science students are often required to participate in programming labs. By developing a privacy friendly application they furthermore contribute to society.

An early example of knowledge which we plan to integrate into our guidelines is the result of an analysis of the development process of a Sudoku application. In order to play this game without interruptions from the screen turning off, the phone has to be prevented from sleeping. A specific permission can be included to obtain this effect. This permission, however, is unnecessary: the same effect can be achieved by setting a flag in a specific part of the code. This alternative is part of the official Android documentation but is frequently overlooked by developers. The frequent use of the "prevent phone from sleeping" permission might be due to insufficient or missing documentation on online platforms. We therefore assume that many current and future developers are not aware of it, and thus we want to include this information in our upcoming guidelines.

5 Conclusion and Future Work

In this paper, we have listed a few principles for Privacy Friendly Apps and roughly described how we let students develop apps based on them. Our Privacy Friendly Apps developed in compliance with these principles require fewer permissions than the corresponding top ten similar apps in the Google Play Store (see Table 1).

Table 1: Permissions required by each Privacy Friendly App and the average number of permissions requested by the Play Store's top ten similar apps.

Application    Amount of permissions    Average permissions (Play Store)
Dicer          1                        2.9
QR Scanner     2                        10.7
Torchlight     1                        6.9
Sudoku         0                        4.5

Suggested future work is to derive further principles and provide guidance for privacy aware Android development. We plan to analyse data from GitHub (source code, issues and comments; footnote 7) to identify additional principles, common mistakes and knowledge gaps. We therefore also plan to evaluate the students' learning curve. The goal is to provide a procedure for training developers in awareness, e.g. a guide, flyer or similar, as well as a list of privacy-related problems experienced by developers while developing an Android app.

We would like to note that we do not want to badmouth intended privacy violations if there are justifiable reasons, such as providing a free app financed by advertisement. Alternative financing methods like "flattering" or donations are out of this work's scope.

Footnote 7: Including applications not developed in cooperation with us.

References

[Fel11] A. P. Felt, E. Chin, S. Hanna, D. Song, D. Wagner. Android permissions demystified. Proceedings of the 18th ACM Conference on Computer and Communications Security, 627–638, 2011. ACM.

[Ger15] P. Gerber, M. Volkamer, K. Renaud. Usability versus privacy instead of usable privacy: Google's balancing act between usability and privacy. ACM SIGCAS Computers and Society, 45(1), 16–21, 2015. ACM.

[Int15] International Data Corporation. Smartphone OS Market Share, 2015 Q2. http://www.idc.com/prodserv/smartphone-os-market-share.jsp, 2015. Accessed 28-01-16.

[Jia14] J. Lin, B. Liu, N. Sadeh, J. Hong. Modeling users' mobile app privacy preferences: Restoring usability in a sea of permission settings. Symposium On Usable Privacy and Security (SOUPS 2014), 199–212, 2014.

[Kul16] O. Kulyk, P. Gerber, M. El Hanafi, B. Reinheimer, K. Renaud, M. Volkamer. Encouraging Privacy-Aware Smartphone App Installation: Finding out what the Technically-Adept Do. NDSS Workshop on Usable Security (USEC), 2016.

[Mil12] K. W. Miller, J. Voas, G. F. Hurlburt. BYOD: Security and privacy considerations. IT Professional, 14(5), 53–55, 2012.

[Ort11] C. Orthacker, P. Teufl, S. Kraxberger, G. Lackner, M. Gissing, A. Marsalek, J. Leibetseder, O. Prevenhueber. Android security permissions – can we trust them? Security and Privacy in Mobile Information and Communication Systems, 40–51, 2011. Springer.
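Appendix (added by the editor): the Sudoku finding in Section 4 names neither the permission nor the flag. The two alternatives in Android's own API are the android.permission.WAKE_LOCK permission used with PowerManager, and WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON (or android:keepScreenOn in the layout), which needs no permission. The class below is an added example, not code from the paper or from the SECUSO Privacy Friendly Apps; the package, activity and layout names are assumed for illustration.

```java
// Added example: keeping the screen on during a game with and without a
// permission. Not code from the paper or the SECUSO apps; package name,
// activity name and R.layout.activity_game are assumed for illustration.
package org.example.sudoku;

import android.app.Activity;
import android.content.Context;
import android.os.Bundle;
import android.os.PowerManager;
import android.view.WindowManager;

public class GameActivity extends Activity {

    // ---- Variant A: overprivileged --------------------------------------
    // Requires in AndroidManifest.xml:
    //   <uses-permission android:name="android.permission.WAKE_LOCK" />
    // A wake lock is process-wide, not tied to the visible window: if the
    // app forgets release() on every exit path, the device stays awake and
    // the battery drains. The screen-type wake lock constants are deprecated
    // and Android's documentation points to FLAG_KEEP_SCREEN_ON instead.
    private PowerManager.WakeLock wakeLock;

    private void keepAwakeWithWakeLock() {
        PowerManager pm = (PowerManager) getSystemService(Context.POWER_SERVICE);
        wakeLock = pm.newWakeLock(PowerManager.SCREEN_DIM_WAKE_LOCK, "sudoku:game");
        wakeLock.acquire();
    }

    private void releaseWakeLock() {
        if (wakeLock != null && wakeLock.isHeld()) {
            wakeLock.release();
        }
    }

    // ---- Variant B: no permission needed --------------------------------
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_game);
        // Scoped to this window: the screen stays on only while the game is
        // in the foreground, and the flag disappears with the activity, so
        // nothing has to be released and no manifest permission is declared.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_KEEP_SCREEN_ON);
    }

    // Declarative equivalent in the layout XML, also without a permission:
    //   <RelativeLayout ... android:keepScreenOn="true">
}
```

Variant B is what the Sudoku app needs; Variant A is shown only to make the difference visible and should not be shipped. To check the result against the permission counts in Table 1, run `aapt dump permissions app.apk` on the built APK: with Variant B alone the output lists no uses-permission entry for WAKE_LOCK, which is consistent with the Sudoku app's count of 0.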