Mobile devices have access to personal, potentially sensitive data, and there is a large number of mobile applications and third-party libraries that transmit this information over the network to remote servers (including app developer servers and third party servers). In this paper, we are interested in better understanding of not just the extent of personally identifiable information (PII) exposure, but also its context i.e., functionality of the app, destination server, encryption used, etc.) and the risk perceived by mobile users today. To that end we take two steps. First, we perform a measurement study: we collect a new dataset via manual and automatic testing and capture the exposure of 16 PII types from 400 most popular Android apps. We analyze these exposures and provide insights into the extent and patterns of mobile apps sharing PII, which can be later used for prediction and prevention. Second, we perform a user study with 220 participants on Amazon Mechanical Turk: we summarize the results of the measurement study in categories, present them in a realistic context, and assess users' understanding, concern, and willingness to take action. To the best of our knowledge, our user study is the first to collect and analyze user input in such fine granularity and on actual (not just potential or permitted) privacy exposures on mobile devices. Although many users did not initially understand the full implications of their PII being exposed, after being better informed through the study, they became appreciative and interested in better privacy practices.
翻译:移动设备可以获取个人、潜在敏感数据,而且有大量移动应用程序和第三方图书馆通过网络向远程服务器(包括应用程序开发商服务器和第三方服务器)传送这一信息。 在本文中,我们有兴趣不仅更好地了解个人可识别信息(PII)暴露的程度(PII),而且了解其背景(即应用程序的功能、目的地服务器、使用的加密等)以及移动用户今天所察觉的风险。为此,我们采取两个步骤。首先,我们进行一项测量研究:我们通过人工和自动测试收集新的数据集,从400个最流行安纳机器人软件中获取16种PII类型的信息。我们分析这些暴露情况,并深入了解移动应用程序共享PII(PII)的范围及模式,后者后来可用于预测和预防。第二,我们与220名亚马逊机械土耳其人进行用户研究:我们总结各类计量研究的结果,在现实的背景下介绍这些结果,评估用户的理解、关切和采取行动的意愿。 至于我们的最佳知识是,我们的用户研究,我们对这些接触这些内容进行了更好的初步理解,而不是对移动用户的实际风险进行精确分析。