
Proceedings on Privacy Enhancing Technologies

4 Issues per year

Open Access

SoK: Privacy on Mobile Devices – It’s Complicated

Chad Spensky / Jeffrey Stewart / Arkady Yerukhimovich / Richard Shay / Ari Trachtenberg / Rick Housley / Robert K. Cunningham
Published Online: 2016-05-06 | DOI: https://doi.org/10.1515/popets-2016-0018


Modern mobile devices place a wide variety of sensors and services within the personal space of their users. As a result, these devices are capable of transparently monitoring many sensitive aspects of these users’ lives (e.g., location, health, or correspondences). Users typically trade access to this data for convenient applications and features, in many cases without a full appreciation of the nature and extent of the information that they are exposing to a variety of third parties. Nevertheless, studies show that users remain concerned about their privacy and vendors have similarly been increasing their utilization of privacy-preserving technologies in these devices. Still, despite significant efforts, these technologies continue to fail in fundamental ways, leaving users’ private data exposed.

In this work, we survey the numerous components of mobile devices, giving particular attention to those that collect, process, or protect users’ private data. Whereas the individual components have been generally well studied and understood, examining the entire mobile device ecosystem provides significant insights into its overwhelming complexity. The numerous components of this complex ecosystem are frequently built and controlled by different parties with varying interests and incentives. Moreover, most of these parties are unknown to the typical user. The technologies that are employed to protect the users’ privacy typically only do so within a small slice of this ecosystem, abstracting away the greater complexity of the system. Our analysis suggests that this abstracted complexity is the major cause of many privacy-related vulnerabilities, and that a fundamentally new, holistic approach to privacy is needed going forward. We thus highlight various existing technology gaps and propose several promising research directions for addressing and reducing this complexity.

Keywords: privacy-preserving technologies; mobile; Android; iOS



About the article

Received: 2015-11-30

Revised: 2016-03-01

Accepted: 2016-03-02

Published Online: 2016-05-06

Published in Print: 2016-07-01

Citation Information: Proceedings on Privacy Enhancing Technologies, Volume 2016, Issue 3, Pages 96–116, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2016-0018.


© 2016. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 License. BY-NC-ND 4.0
