The Team:
- Antonio Altieri (University of Sannio BN IT)
- Fabrizio Giorgione (University of Sannio BN IT)
- Alfredo Nazzaro (University of Sannio BN IT)
- Assunta Oropallo (University of Sannio BN IT)
- Supervisor: Prof. Aaron C. Visaggio (University of Sannio BN IT)
| Mobile devices collect a large volume of personal information that could be used with malicious purposes. In order to increase the awareness of user towards the possibility of data leakage and the importance of protecting personal data stored in smartphones, we developed : “Privacy Guard”. : Privacy Guard is an Android app that evaluates the risks of data privacy relying on the permissions requested by the apps installed on a device. On the basis of our studies on malicious apps that exfiltrate sensitive data, we created a model that identifies which apps have the most dangerous combination of permssions. |
Permissions have been grouped in categories and each permission has been assigned a score, ranging from 1 to 10, to describe its dangerousness.
The permissions have been divided in four categories:
- Hardware permissions: every permission which requests a direct access to a hardware device;
- Data access permissions: every permission which requests a direct access to data stored on the devices;
- Communication permissions: every permission which gives the chance to send information either over a network or to another device.
- System permissions: every permission which can be requested only by system applications.
To compute a value representing applications’ data leakage capabilities the followed formula has been developed:
(1) (Hn*Wh +Dn * Wd) * MAX(C)
- Hn : the normalized sum of hardware permissions’ score requested by an application;
- Dn: the normalized sum of data permissions’ score requested by an application;
- MAX(C): the maximum value among the communication permissions requested by an application;
- Wh: weight assigned to hardware permissions. After empirical considerations, it has been assigned the value 3;
- Wd: weight assigned to data permissions. After empirical considerations, it has been assigned the value 7.
However, (1) to represent data leakage capabilities of applications is not enough: some permissions are far more dangerous if used in combination with other permissions. In order to take this into account, the hardware and data access categories have been divided in sub-categories:
Network access Data Acquisition
Change hardware configuration Personal data access
Non-combinable
The communication permissions have been divided considering range and bandwidth. Every combination of this subcategories was considered, assigning a score, ranging from 1 to 10, to each combination. These values act as a penalty to the base score.
First of all the application shows a message to synthetize the analysis’ results and the list of all the applications with the related data leakage score, while if there are one or more applications that exceed a certain threshold, at the top of screen will be showed a message that indicates the number of applications that exceed this value.
It’s possible to explore the details of each app. Privacy Guard shows the list of all the activated permissions with a brief description. If one application requires a permission particularly suspect, the application shows a warning to explain at the user how that permission can be used for malicious purposes.
It’s possible to explore the details of each app. Privacy Guard shows the list of all the activated permissions with a brief description. If one application requires a permission particularly suspect, the application shows a warning to explain at the user how that permission can be used for malicious purposes.
It’s possible to conduct the analysis only on the user’s application or including all the system’s applications. Privacy Guard is available on the Play Store at https://play.google.com/store/apps/details?id=com.ssr.privacyguard.