Suranga Seneviratne

Predicting user traits from a snapshot of apps installed on a smartphone

Third party apps are an integral component of the smartphone ecosystem. In this paper, we investigate how user traits can be inferred by observing only a single snapshot of installed apps. Using supervised learning methods and minimal external information we show that user traits such as religion, relationship status, spoken languages, countries of interest, and whether or not the user is a parent of small children, can be easily predicted. Using data collected from over 200 smartphone users, specifically the list of installed apps and the corresponding ground truth traits of the users, we show that for most traits we can achieve over 90% precision. Our inference method can be used to provide services such as personalized content delivery or recommender systems for users. We also highlight privacy loss that can occur from unrestricted access to the app lists in popular smartphone operating systems.

A measurement study of tracking in paid mobile applications

Smartphone usage is tightly coupled with the use of apps that can be either free or paid. Numerous studies have investigated the tracking libraries associated with free apps. Only a limited number of these have focused on paid apps. As expected, these investigations indicate that tracking is happening to a lesser extent in paid apps, yet there is no conclusive evidence. This paper provides the first large-scale study of paid apps. We analyse top paid apps obtained from four different countries: Australia, Brazil, Germany, and US, and quantify the level of tracking taking place in paid apps in comparison to free apps. Our analysis shows that 60% of the paid apps are connected to trackers that collect personal information compared to 85%--95% in free apps. We further show that approximately 20% of the paid apps are connected to more than three trackers. With tracking being pervasive in both free and paid apps, we then quantify the aggregated privacy leakages associated with individual users. Using the data of user installed apps of over 300 smartphone users, we show that 50% of the users are exposed to more than 25 trackers which can result in significant leakages of privacy.

Your Installed Apps Reveal Your Gender and More

In this paper, we highlight a potential privacy threat in the current smartphone platforms, which allows any third party to collect a snapshot of installed applications without the users consent. This can be exploited by third parties to infer various user attributes similar to what is done through tracking. We show that using only installed apps, users gender, a demographic attribute that is frequently used in targeted advertising, can be instantly predicted with an accuracy around 70%, by training a classifier using established supervised learning techniques.

An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps

Millions of users worldwide resort to mobile VPN clients to either circumvent censorship or to access geo-blocked content, and more generally for privacy and security purposes. In practice, however, users have little if any guarantees about the corresponding security and privacy settings, and perhaps no practical knowledge about the entities accessing their mobile traffic. In this paper we provide a first comprehensive analysis of 283 Android apps that use the Android VPN permission, which we extracted from a corpus of more than 1.4 million apps on the Google Play store. We perform a number of passive and active measurements designed to investigate a wide range of security and privacy features and to study the behavior of each VPN-based app. Our analysis includes investigation of possible malware presence, third-party library embedding, and traffic manipulation, as well as gauging user perception of the security and privacy of such apps. Our experiments reveal several instances of VPN apps that expose users to serious privacy and security vulnerabilities, such as use of insecure VPN tunneling protocols, as well as IPv6 and DNS traffic leakage. We also report on a number of apps actively performing TLS interception. Of particular concern are instances of apps that inject JavaScript programs for tracking, advertising, and for redirecting e-commerce traffic to external partners.

BreathPrint: Breathing Acoustics-based User Authentication

We propose BreathPrint, a new behavioural biometric signature based on audio features derived from an individuals commonplace breathing gestures. Specifically, BreathPrint uses the audio signatures associated with the three individual gestures: sniff, normal, and deep breathing, which are sufficiently different across individuals. Using these three breathing gestures, we develop the processing pipeline that identifies users via the microphone sensor on smartphones and wearable devices. In BreathPrint, a user performs breathing gestures while holding the device very close to their nose. Using off-the-shelf hardware, we experimentally evaluate the BreathPrint prototype with 10 users, observed over seven days. We show that users can be authenticated reliably with an accuracy of over 94% for all the three breathing gestures in intra-sessions and deep breathing gesture provides the best overall balance between true positives (successful authentication) and false positives (resiliency to directed impersonation and replay attacks). Moreover, we show that this breathing sound based biometric is also robust to some typical changes in both physiological and environmental context, and that it can be applied on multiple smartphone platforms. Early results suggest that breathing based biometrics show promise as either to be used as a secondary authentication modality in a multimodal biometric authentication system or as a user disambiguation technique for some daily lifestyle scenarios.

Characterization of early smartwatch apps

Wearable smart devices are already amongst us. Currently, smartwatches are one of the key drivers of the wearable technology and are being used by a large population of consumers. This paper takes a first look at this increasingly popular technology with a systematic characterization of the smartwatch app markets. We conduct a large scale analysis of three popular smartwatch app markets: Android Wear, Samsung, and Apple, and characterize more than 14,000 smartwatch apps in multiple aspects such as prices, number of developers and categories. Our analysis shows that approximately 41% and 30% of the apps in Android Wear and Samsung app markets are Personalization apps that provide watch faces. Further, we provide a generic taxonomy for apps on all three platforms based on their packaging and modes of communication, that allow us to investigate apps with respect to privacy and security. Finally, we study the privacy risks associated with the app usage by identifying third party trackers integrated into these apps and personal information leakage through network traffic analysis. We show that a higher percentage of Apple apps (62%) are connected to third party trackers compared to Samsung (36%) and Android Wear (46%).

Characterizing WiFi connection and its impact on mobile users: practical insights

Smartphones and WiFi networks are becoming pervasive. As a result, new applications and services are being offered to smartphone users through WiFi networks. Some of the more novel applications provide data services to pedestrians as they move through WiFi coverage areas in public loca- tions such as railway stations. One significant factor that will influence the data transfers for users when they are on the move, is the connection set-up time. In this paper we characterize the WiFi connection set-up process. Using data from voluntary Android smartphone users, we show that WiFi connection setup have significant delays, sometimes as high as 10s. Then through a detailed analysis of the con- nection set-up process we show that, contrary to previous findings, this is due to losses of DHCP messages at the WiFi access point. We also show that some of the methods that have been adopted by device manufactures are suboptimal and this can be addressed at the WiFi access point. Finally using this insight we extend a known mathematical model, which will help in the dimensioning of WiFi networks for pedestrian smartphone users.

A deep dive into location-based communities in social discovery networks

Location-based social discovery networks (LBSD) is an emerging category of location-based social networks (LBSN) that are specifically designed to enable users to discover and communicate with nearby people. In this paper, we present the first measurement study of the characteristics and evolution of location-based communities which are based on a social discovery network and geographic proximity. We measure and analyse more than 176K location-based communities with over 1.4 million distinct members of a popular social discovery network and more than 46 million locations. We characterise the evolution of the communities and study the user behaviour in LBSD by analysing the mobility features of users belonging to communities in comparison to non-community members. Using observed spatio-temporal similarity features, we build and evaluate a classifier to predict location-based community membership solely based on user mobility information.

Spam Mobile Apps: Characteristics, Detection, and in the Wild Analysis

The increased popularity of smartphones has attracted a large number of developers to offer various applications for the different smartphone platforms via the respective app markets. One consequence of this popularity is that the app markets are also becoming populated with spam apps. These spam apps reduce the users’ quality of experience and increase the workload of app market operators to identify these apps and remove them. Spam apps can come in many forms such as apps not having a specific functionality, those having unrelated app descriptions or unrelated keywords, or similar apps being made available several times and across diverse categories. Market operators maintain antispam policies and apps are removed through continuous monitoring. Through a systematic crawl of a popular app market and by identifying apps that were removed over a period of time, we propose a method to detect spam apps solely using app metadata available at the time of publication. We first propose a methodology to manually label a sample of removed apps, according to a set of checkpoint heuristics that reveal the reasons behind removal. This analysis suggests that approximately 35% of the apps being removed are very likely to be spam apps. We then map the identified heuristics to several quantifiable features and show how distinguishing these features are for spam apps. We build an Adaptive Boost classifier for early identification of spam apps using only the metadata of the apps. Our classifier achieves an accuracy of over 95% with precision varying between 85% and 95% and recall varying between 38% and 98%. We further show that a limited number of features, in the range of 10--30, generated from app metadata is sufficient to achieve a satisfactory level of performance. On a set of 180,627 apps that were present at the app market during our crawl, our classifier predicts 2.7% of the apps as potential spam. Finally, we perform additional manual verification and show that human reviewers agree with 82% of our classifier predictions.

SSIDs in the wild: Extracting semantic information from WiFi SSIDs

WiFi networks are becoming increasingly ubiquitous. In addition to providing network connectivity, WiFi finds applications in areas such as indoor and outdoor localisation, home automation, and physical analytics. In this paper, we explore the semantics of one key attribute of a WiFi network, SSID name. Using a dataset of approximately 120,000 WiFi access points and their corresponding geo-locations, we use a set of similarity metrics to relate SSID names to known business venues such as cafes, theatres, and shopping centres. Such correlations can be exploited by an adversary who has access to smartphone users preferred networks lists to build an accurate profile of the user and thus can be a potential privacy risk to the users.