Application- and User-Sensitive Privacy Enforcement in Mobile Systems

Abstract

The mobile era is marked by exciting opportunities for utilization of contextual information in computing. Applications from different categories - including commercial and enterprise email, instant messaging, social, banking, insurance and retail - access, process and transmit over the network numerous pieces of sensitive information, such as the user's geographical location, device ID, contacts, calendar events, passwords, and health records, as well as credit-card, social-security, and bank-account numbers. Understanding and managing how an application handles private data is a significant challenge. There are not only multiple sources of such data (including primarily social accounts, user inputs and platform libraries), but also different release targets (such as advertising companies and application servers) and different forms of release (for example, passwords transmitted in the clear, hashed or encrypted). To the end users, and particularly those who are not tech savvy, it is nontrivial to manage these complexities. In response, we have designed Labyrinth, a system for privacy enforcement. The unique features of Labyrinth are (i) an intuitive visual interface for configuration of the privacy policy, which consists of enriched app screen captures annotated with privacy-related information, combined with (ii) a lightweight mechanism to detect and suppress privacy threats that is completely decoupled from the host platform. Labyrinth supports both Android and iOS. In this paper, we describe the Labyrinth architecture and illustrate its flow steps.