research-article

Public Access

Sensibility Testbed: Automated IRB Policy Enforcement in Mobile Research Apps

Authors:

Yanyan Zhuang,

Albert Rafetseder,

Yu Hu,

Yuan Tian,

Justin CapposAuthors Info & Claims

HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & Applications

Pages 113 - 118

https://doi.org/10.1145/3177102.3177120

Published: 12 February 2018 Publication History

All formats PDF

Abstract

Due to their omnipresence, mobile devices such as smartphones could be tremendously valuable to researchers. However, since research projects can extract data about device owners that could be personal or sensitive, there are substantial privacy concerns. Currently, the only regulation to protect user privacy for research projects is through Institutional Review Boards (IRBs) from researchers' institutions. However, there is no guarantee that researchers will follow the IRB protocol. Even worse, researchers without security expertise might build apps that are vulnerable to attacks.

In this work, we present a platform, Sensibility Testbed, for automated enforcement of the privacy policies set by IRBs. Our platform enforces such policies when a researcher runs code on mobile devices. The enforcement mechanism is a set of obfuscation layers in a secure sandbox, that can be customized for any level of IRB compliance, and can be augmented by policies set by the device owner.

References

[1]

Justin Cappos, Armon Dadgar, Jeff Rasley, Justin Samuel, Ivan Beschastnikh, Cosmin Barsan, Arvind Krishnamurthy, and Thomas Anderson 2010. Retaining sandbox containment despite bugs in privileged memory-safe code Proceedings of the 17th ACM conference on Computer and communications security. ACM, 212--223.

Digital Library

Google Scholar

[2]

Supriyo Chakraborty, Chenguang Shen, Kasturi Rangan Raghavan, Yasser Shoukry, Matt Millar, and Mani Srivastava 2014. ipShield: a framework for enforcing context-aware privacy 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14). USENIX Association, 143--156.

Digital Library

Google Scholar

[3]

William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth 2014. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS), Vol. 32, 2 (2014), 5.

Digital Library

Google Scholar

[4]

Marco Gruteser and Dirk Grunwald 2003. Anonymous usage of location-based services through spatial and temporal cloaking Proceedings of the 1st international conference on Mobile systems, applications and services. ACM, 31--42.

Digital Library

Google Scholar

[5]

Shashank Holavanalli, Don Manuel, Vishwas Nanjundaswamy, Brian Rosenberg, Feng Shen, Steven Y. Ko, and Lukasz Ziarek 2013. Flow permissions for android. In Automated Software Engineering (ASE), 2013 IEEE/ACM 28th International Conference on. IEEE, 652--657.

Digital Library

Google Scholar

[6]

Apu Kapadia, Nikos Triandopoulos, Cory Cornelius, Daniel Peebles, and David Kotz. 2008. AnonySense: Opportunistic and privacy-preserving context collection. Pervasive Computing. Springer, 280--297.

Digital Library

Google Scholar

[7]

Chucri A. Kardous and Peter B. Shaw 2014. Evaluation of smartphone sound measurement applicationsa). The Journal of the Acoustical Society of America, Vol. 135, 4 (2014), EL186--EL192.

Crossref

Google Scholar

[8]

Emiliano Miluzzo, Alexander Varshavsky, Suhrid Balakrishnan, and Romit Roy Choudhury. 2012. Tapprints: your finger taps have fingerprints. In Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM, 323--336.

Digital Library

Google Scholar

[9]

Mohamed F. Mokbel, Chi-Yin Chow, and Walid G. Aref. 2006. The new Casper: query processing for location services without compromising privacy Proceedings of the 32nd international conference on Very large data bases. VLDB Endowment, 763--774.

Digital Library

Google Scholar

[10]

Anandatirtha Nandugudi, Anudipa Maiti, Taeyeon Ki, Fatih Bulut, Murat Demirbas, Tevfik Kosar, Chunming Qiao, Steven Y. Ko, and Geoffrey Challen. 2013. Phonelab: A large programmable smartphone testbed. Proceedings of First International Workshop on Sensing and Big Data Mining. ACM, 1--6.

Digital Library

Google Scholar

[11]

Michael Reininger, Seth Miller, Yanyan Zhuang, and Justin Cappos 2015. A First Look at Vehicle Data Collection via Smartphone Sensors Sensors Applications Symposium (SAS), 2015 IEEE. IEEE.

Google Scholar

[12]

Zhi Xu, Kun Bai, and Sencun Zhu 2012. Taplogger: Inferring user inputs on smartphone touchscreens using on-board motion sensors Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM, 113--124.

Digital Library

Google Scholar

[13]

Yanyan Zhuang, Jianping Pan, Yuanqian Luo, and Lin Cai. 2011. Time and location-critical emergency message dissemination for vehicular ad-hoc networks. Selected Areas in Communications, IEEE Journal on, Vol. 29, 1 (2011), 187--196.

Digital Library

Google Scholar

[14]

Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven M. Bellovin, and Joel Reidenberg 2017. Automated analysis of privacy requirements for mobile apps Proceedings of the Network and Distributed System Security (NDSS) Symposium, Vol. Vol. 2017.

Google Scholar

Cited By

View all

Zimmeck SStory PSmullen DRavichander AWang ZReidenberg JCameron Russell NSadeh N(2019)MAPS: Scaling Privacy Compliance Analysis to a Million AppsProceedings on Privacy Enhancing Technologies10.2478/popets-2019-00372019:3(66-86)Online publication date: 12-Jul-2019
https://doi.org/10.2478/popets-2019-0037
Cappos JZhuang YRafetseder ABeschastnikh I(2018)Tsumiki: A Meta-Platform for Building Your Own TestbedIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2018.284624229:12(2863-2881)Online publication date: 1-Dec-2018
https://doi.org/10.1109/TPDS.2018.2846242
Zhuang YRafetseder AWeiss RCappos J(2018)Four years experience: Making sensibility testbed work for SAS2018 IEEE Sensors Applications Symposium (SAS)10.1109/SAS.2018.8336779(1-6)Online publication date: Mar-2018
https://doi.org/10.1109/SAS.2018.8336779

Index Terms

Sensibility Testbed: Automated IRB Policy Enforcement in Mobile Research Apps
1. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Privacy protections

Recommendations

A posteriori compliance control
SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies

While preventative policy enforcement mechanisms can provide theoretical guarantees that policy is correctly enforced, they have limitations in practice. They are inflexible when unanticipated circumstances arise, and most are either inflexible with ...
Privacy policy enforcement in enterprises with identity management solutions
PST '06: Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services

People are usually asked by enterprises and other organizations to disclose their personal information to access web services and engage in business interactions. Enterprises need this information to enable their business processes. This is unlikely to ...
A persistent data tracking mechanism for user-centric identity governance

Identity governance is an emerging concept for fine-grained conditional disclosure of identity information and enforcement of corresponding data handling policies. Although numerous technologies underlying identity management have been developed, people ...

Comments

Information & Contributors

Information

Published In

HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & Applications

February 2018

130 pages

ISBN:9781450356305

DOI:10.1145/3177102

General Chair:
Minkyong Kim
Samsung Electronics, USA
,
Program Chair:
Aruna Balasubramanian
Stony Brook, NY, USA

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 12 February 2018

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Conference

HotMobile '18

Sponsor:

SIGMOBILE

HotMobile '18: The 19th International Workshop on Mobile Computing Systems and Applications

February 12 - 13, 2018

Arizona, Tempe, USA

Acceptance Rates

HotMobile '18 Paper Acceptance Rate 19 of 65 submissions, 29%;

Overall Acceptance Rate 96 of 345 submissions, 28%

Upcoming Conference

HOTMOBILE '25

Sponsor:
sigmobile

The 26th International Workshop on Mobile Computing Systems and Applications

February 26 - 27, 2025

La Quinta , CA , USA

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
318
Total Downloads

Downloads (Last 12 months)64
Downloads (Last 6 weeks)7

Reflects downloads up to 10 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Zimmeck SStory PSmullen DRavichander AWang ZReidenberg JCameron Russell NSadeh N(2019)MAPS: Scaling Privacy Compliance Analysis to a Million AppsProceedings on Privacy Enhancing Technologies10.2478/popets-2019-00372019:3(66-86)Online publication date: 12-Jul-2019
https://doi.org/10.2478/popets-2019-0037
Cappos JZhuang YRafetseder ABeschastnikh I(2018)Tsumiki: A Meta-Platform for Building Your Own TestbedIEEE Transactions on Parallel and Distributed Systems10.1109/TPDS.2018.284624229:12(2863-2881)Online publication date: 1-Dec-2018
https://doi.org/10.1109/TPDS.2018.2846242
Zhuang YRafetseder AWeiss RCappos J(2018)Four years experience: Making sensibility testbed work for SAS2018 IEEE Sensors Applications Symposium (SAS)10.1109/SAS.2018.8336779(1-6)Online publication date: Mar-2018
https://doi.org/10.1109/SAS.2018.8336779

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

EPUB

View this article in ePub.

ePub

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Index Terms

Recommendations

A posteriori compliance control

Privacy policy enforcement in enterprises with identity management solutions

A persistent data tracking mechanism for user-centric identity governance