SoK: Privacy on Mobile Devices\x96It\x92s Complicated

Speaker/Bio

Jeff Stewart is an associate staff in Group 59 at MIT Lincoln Laboratory who previously worked on analyzing mobile privacy for DARPA's Brandeis program. Since that time, his current research has shifted to include more low level system security analysis and the security of embedded systems. He received his Master\x92s and Bachelor\x92s degrees from East Stroudsburg University of Pennsylvania in computer science and applied mathematics.

Abstract

(taken from the referenced document)

Modern mobile devices place a wide variety of sensors and services within the personal space of their users. As a result, these devices are capable of transparently monitoring many sensitive aspects of these users\x92 lives (e.g., location, health, or correspondences). Users typically trade access to this data for convenient applications and features, in many cases without a full appreciation of the nature and extent of the information that they are exposing to a variety of third parties. Nevertheless, studies show that users remain concerned about their privacy and vendors have similarly been increasing their utilization of privacy-preserving technologies in these devices. Still, despite significant efforts, these technologies continue to fail in fundamental ways, leaving users\x92 private data exposed.

In this work, we survey the numerous components of mobile devices, giving particular attention to those that collect, process, or protect users\x92 private data. Whereas the individual components have been generally well studied and understood, examining the entire mobile device ecosystem provides significant insights into its overwhelming complexity. The numerous components of this complex ecosystem are frequently built and controlled by different parties with varying interests and incentives. Moreover, most of these parties are unknown to the typical user. The technologies that are employed to protect the users\x92 privacy typically only do so within a small slice of this ecosystem, abstracting away the greater complexity of the system. Our analysis suggests that this abstracted complexity is the major cause of many privacy-related vulnerabilities, and that a fundamentally new, holistic, approach to privacy is needed going forward. We thus highlight various existing technology gaps and propose several promising research directions for addressing and reducing this complexity.

References