Mobile App Privacy Analysis at Scale

Tuesday, January 29, 2019 - 4:00 pm4:30 pm

Serge Egelman, University of California, Berkeley, and International Computer Science Institute (ICSI)


Mobile platforms have enabled third-party app ecosystems that provide users with an endless supply of rich content. At the same time, mobile devices present very serious privacy risks: their ability to capture real-time data about our behaviors and preferences has created a marketplace for user data that most consumers are simply unaware of. In this talk, I will present research that my research group has conducted to automatically examine the privacy behaviors of mobile apps. Using analysis tools that we developed, we have tested over 80,000 of the most popular Android apps to examine what data they access and with whom they share it. I will present data on how mobile apps are tracking and profiling users, how these practices are often against users' expectations and public disclosures, and how app developers may be violating various privacy regulations.

The main takeaway from this talk is that there are many stakeholders who can be doing more to improve privacy on mobile platforms: (1) mobile app developers need to better understand the privacy behaviors of the third-party SDKs that they use, as well as to better communicate their privacy practices to their users; (2) the providers of third-party services (e.g., SDKs) and platforms need to do a better job of enforcing their own terms of service; (3) and regulators need tools that allow them to proactively audit compliance.

Serge Egelman, University of California, Berkeley, and International Computer Science Institute (ICSI)

Serge Egelman is the Research Director of the Usable Security and Privacy group at the International Computer Science Institute (ICSI), which is an independent research institute affiliated with the University of California, Berkeley. He conducts research to help people make more informed online privacy and security decisions, and is generally interested in consumer protection. This has included improvements to web browser security warnings, authentication on social networking websites, and most recently, privacy on mobile devices. Seven of his research publications have received awards at the ACM CHI conference, which is the top venue for human-computer interaction research; his research on privacy on mobile platforms has been cited in numerous lawsuits and regulatory actions. He received his PhD from Carnegie Mellon University.

@conference {226341,
author = {Serge Egelman},
title = {Mobile App Privacy Analysis at Scale},
year = {2019},
address = {Burlingame, CA},
publisher = {USENIX Association},
month = jan

Presentation Video