Assessing and improving security and privacy for smartphone users

Smartphone and other mobile device usage has increased greatly in the past years. This increased popularity has also led to a changed security and privacy landscape, with more personal devices being outfitted with a plethora of sensors that allow to track our every step, and a vastly larger attack surface than older, more static devices. This allows a variety of actors, including malicious hackers, state-sponsored entities and legitimate service providers, to have access to a large trove of mobile user data. In this dissertation, we assess the current state of privacy and security on smartphones, we create and gauge awareness of smartphone users around these issues, and we provide solutions to enhance security and privacy on mobile devices. To show the ease with which smartphone users' data can be gathered surreptitiously, we describe a mechanism for involuntarily tracking visitors at mass events making use of Wi-Fi technology, and show that this can be implemented at a low cost, allowing location tracking of 29\% of visitors at a major music festival. We show how these techniques can be (ab)used in different scenarios (notably, by using the gathered data to compare different opportunistic routing algorithms that can be used for ad-hoc communication at mass events), and provide an open platform to researchers that can be used to quantify the impact and remediation rate of similar wireless protocol vulnerabilities.To create awareness about these issues, and to explain to smartphone users how they can secure themselves against them, we provide a method to inform mobile device users when using wireless networks, showing privacy-sensitive (but anonymized) information about passers-by on a public display, and using the same setup to inform audiences in talks on security awareness. Results from our user studies also show that specific, personalized scenarios may help to better inform users about security and privacy issues (increasing awareness of 76\% of the participants in one study), and that the increased awareness leads to as much as 81\% of device users willing to put an extra effort into securing their smartphones. Interestingly, we also show in a later study that an increased awareness does not automatically translate to better security practices. Additionally, we perform two studies to measure users' privacy and security behaviors when using their smartphones. For the first study, we look at how aware users are about connections being made by apps on their device, while taking into account the security of both the Wi-Fi networks used and the connections made over these networks. For the second study, we extend the Paco ESM study tool to be able to examine the reasons why Android users install or remove an app at the time this happens, to look at the motivation behind granting or denying a permission right after users make their choice, and to assess how comfortable and aware users are about their decisions at a later point in time. We provide recommendations to different stakeholders (developers, manufacturers, network providers, researchers and mobile device users) on how to improve privacy and security on mobile devices without affecting usability, some of which have already been implemented by operating system manufacturers (as is the case with many improvements made to Wi-Fi privacy in Android O). Some of these recommendations are implemented as a tool that automatically mitigates Wi-Fi attacks for Android smartphones, which is distributed to the general public. In addition, we formulate a proposal to improve transparency in how user data is shared by service providers to third parties.

Publication year:2017

Keywords:mobile security, mobile privacy, computer networks, opportunistic networks

Accessibility:Open