Sensibility Testbed: Automated IRB Policy Enforcement in Mobile Research Apps

Authors:
Yanyan Zhuang

University of Colorado, Colorado Springs, Colorado Springs, CO, USA

University of Colorado, Colorado Springs, Colorado Springs, CO, USA
View Profile

,
Albert Rafetseder

New York University, New York , NY, USA

New York University, New York , NY, USA
View Profile

,
Yu Hu

New York University, New York , NY, USA

New York University, New York , NY, USA
View Profile

,
Yuan Tian

University of Virginia, Charlottesville, VA, USA

University of Virginia, Charlottesville, VA, USA
View Profile

,
Justin Cappos

New York University, New York , NY, USA

New York University, New York , NY, USA
View Profile

HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & ApplicationsFebruary 2018Pages 113–118https://doi.org/10.1145/3177102.3177120

Published:12 February 2018Publication History

HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & Applications

Pages 113–118

ABSTRACT

Due to their omnipresence, mobile devices such as smartphones could be tremendously valuable to researchers. However, since research projects can extract data about device owners that could be personal or sensitive, there are substantial privacy concerns. Currently, the only regulation to protect user privacy for research projects is through Institutional Review Boards (IRBs) from researchers' institutions. However, there is no guarantee that researchers will follow the IRB protocol. Even worse, researchers without security expertise might build apps that are vulnerable to attacks.

In this work, we present a platform, Sensibility Testbed, for automated enforcement of the privacy policies set by IRBs. Our platform enforces such policies when a researcher runs code on mobile devices. The enforcement mechanism is a set of obfuscation layers in a secure sandbox, that can be customized for any level of IRB compliance, and can be augmented by policies set by the device owner.

References

Justin Cappos, Armon Dadgar, Jeff Rasley, Justin Samuel, Ivan Beschastnikh, Cosmin Barsan, Arvind Krishnamurthy, and Thomas Anderson 2010. Retaining sandbox containment despite bugs in privileged memory-safe code Proceedings of the 17th ACM conference on Computer and communications security. ACM, 212--223. Google ScholarDigital Library
Supriyo Chakraborty, Chenguang Shen, Kasturi Rangan Raghavan, Yasser Shoukry, Matt Millar, and Mani Srivastava 2014. ipShield: a framework for enforcing context-aware privacy 11th USENIX Symposium on Networked Systems Design and Implementation (NSDI 14). USENIX Association, 143--156. Google ScholarDigital Library
William Enck, Peter Gilbert, Seungyeop Han, Vasant Tendulkar, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth 2014. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM Transactions on Computer Systems (TOCS), Vol. 32, 2 (2014), 5. Google ScholarDigital Library
Marco Gruteser and Dirk Grunwald 2003. Anonymous usage of location-based services through spatial and temporal cloaking Proceedings of the 1st international conference on Mobile systems, applications and services. ACM, 31--42. Google ScholarDigital Library
Shashank Holavanalli, Don Manuel, Vishwas Nanjundaswamy, Brian Rosenberg, Feng Shen, Steven Y. Ko, and Lukasz Ziarek 2013. Flow permissions for android. In Automated Software Engineering (ASE), 2013 IEEE/ACM 28th International Conference on. IEEE, 652--657. Google ScholarDigital Library
Apu Kapadia, Nikos Triandopoulos, Cory Cornelius, Daniel Peebles, and David Kotz. 2008. AnonySense: Opportunistic and privacy-preserving context collection. Pervasive Computing. Springer, 280--297. Google ScholarDigital Library
Chucri A. Kardous and Peter B. Shaw 2014. Evaluation of smartphone sound measurement applicationsa). The Journal of the Acoustical Society of America, Vol. 135, 4 (2014), EL186--EL192.Google ScholarCross Ref
Emiliano Miluzzo, Alexander Varshavsky, Suhrid Balakrishnan, and Romit Roy Choudhury. 2012. Tapprints: your finger taps have fingerprints. In Proceedings of the 10th international conference on Mobile systems, applications, and services. ACM, 323--336. Google ScholarDigital Library
Mohamed F. Mokbel, Chi-Yin Chow, and Walid G. Aref. 2006. The new Casper: query processing for location services without compromising privacy Proceedings of the 32nd international conference on Very large data bases. VLDB Endowment, 763--774. Google ScholarDigital Library
Anandatirtha Nandugudi, Anudipa Maiti, Taeyeon Ki, Fatih Bulut, Murat Demirbas, Tevfik Kosar, Chunming Qiao, Steven Y. Ko, and Geoffrey Challen. 2013. Phonelab: A large programmable smartphone testbed. Proceedings of First International Workshop on Sensing and Big Data Mining. ACM, 1--6. Google ScholarDigital Library
Michael Reininger, Seth Miller, Yanyan Zhuang, and Justin Cappos 2015. A First Look at Vehicle Data Collection via Smartphone Sensors Sensors Applications Symposium (SAS), 2015 IEEE. IEEE.Google Scholar
Zhi Xu, Kun Bai, and Sencun Zhu 2012. Taplogger: Inferring user inputs on smartphone touchscreens using on-board motion sensors Proceedings of the fifth ACM conference on Security and Privacy in Wireless and Mobile Networks. ACM, 113--124. Google ScholarDigital Library
Yanyan Zhuang, Jianping Pan, Yuanqian Luo, and Lin Cai. 2011. Time and location-critical emergency message dissemination for vehicular ad-hoc networks. Selected Areas in Communications, IEEE Journal on, Vol. 29, 1 (2011), 187--196. Google ScholarDigital Library
Sebastian Zimmeck, Ziqi Wang, Lieyong Zou, Roger Iyengar, Bin Liu, Florian Schaub, Shomir Wilson, Norman Sadeh, Steven M. Bellovin, and Joel Reidenberg 2017. Automated analysis of privacy requirements for mobile apps Proceedings of the Network and Distributed System Security (NDSS) Symposium, Vol. Vol. 2017.Google Scholar

Index Terms

Sensibility Testbed: Automated IRB Policy Enforcement in Mobile Research Apps
1. Security and privacy
  1. Human and societal aspects of security and privacy
    1. Privacy protections

Recommendations

A posteriori compliance control
SACMAT '07: Proceedings of the 12th ACM symposium on Access control models and technologies

While preventative policy enforcement mechanisms can provide theoretical guarantees that policy is correctly enforced, they have limitations in practice. They are inflexible when unanticipated circumstances arise, and most are either inflexible with ...
Read More
Privacy policy enforcement in enterprises with identity management solutions
PST '06: Proceedings of the 2006 International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services

People are usually asked by enterprises and other organizations to disclose their personal information to access web services and engage in business interactions. Enterprises need this information to enable their business processes. This is unlikely to ...
Read More
Attitudes Towards the Use of COVID-19 Apps and Its Associated Factors
HCI for Cybersecurity, Privacy and Trust
Abstract
Since early 2020, the COVID-19 pandemic has been significantly changing people’s daily lives as social activities are limited to slow down the spread of the novel coronavirus. New technologies, especially mobiles apps, have been widely applied to ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & Applications
February 2018
130 pages
ISBN:9781450356305
DOI:10.1145/3177102
General Chair:
Minkyong Kim
Samsung Electronics, USA
,
Program Chair:
Aruna Balasubramanian
Stony Brook, NY, USA
Copyright © 2018 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 12 February 2018
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
policy enforcement
privacy protections
Qualifiers
- research-article
Conference

Acceptance Rates
HotMobile '18 Paper Acceptance Rate19of65submissions,29%Overall Acceptance Rate96of345submissions,28%
More
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 3
  Total Citations
  View Citations
- 280
  Total Downloads
- Downloads (Last 12 months)41
- Downloads (Last 6 weeks)9
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

ePub

View this article in ePub.

View ePub

Sensibility Testbed: Automated IRB Policy Enforcement in Mobile Research Apps

HotMobile '18: Proceedings of the 19th International Workshop on Mobile Computing Systems & Applications

ABSTRACT

References

Cited By

Index Terms

Recommendations

A posteriori compliance control

Privacy policy enforcement in enterprises with identity management solutions

Attitudes Towards the Use of COVID-19 Apps and Its Associated Factors