Over a third of the world's population owns a smartphone. As generic computing devices that support a large and heterogeneous collection of mobile applications (apps), smartphones provide a plethora of functionalities and services to billions of users. But the use of these mobile apps and services often introduces privacy risks for users. First, app developers often fail to take into account the fact that as smartphones are generic computing devices, they do not provide adequate privacy and security guarantees for certain types of apps (e.g., those that collect and process sensitive data). As a result, new security and privacy threats are introduced by such apps. Second, due to the lack of privacy by design, apps often over-collect information about users, and can misuse the collected data. Our goal in this thesis is to identify privacy risks in mobile apps and services, and to design privacy-enhancing technologies to mitigate the identified threats. To broaden the impact of our research efforts, we focus on popular apps and services that are currently used by millions of users, and potentially by billions in the future. These include three use-cases: (mobile-health) mHealth apps, ride-hailing services, and activity-tracking services.
First, in the case of mHealth apps, we find that the Android operating system allows apps to easily fingerprint and identify other apps installed on the same phone. This causes privacy problems for mHealth apps, because the presence of an mHealth app can already reveal the medical conditions of its users. We investigate the apps' ability to fingerprint other apps and present HideMyApp, a practical system for hiding the presence of sensitive apps on Android. HideMyApp works on stock Android, and no firmware modification or root privilege is required.
Second, in ride-hailing services (e.g., Uber), to use the services, riders have to share their pick-up and drop-off locations with service providers. Consequently, the service providers can infer sensitive information about riders' activities (e.g., their visits to health clinics). Therefore, we propose ORide, a privacy-preserving ride-hailing service that efficiently supports the anonymous matching of riders and drivers. Also, ORide still supports functionalities that are often considered as important as privacy, including accountability, payment and reputation-rating operations.
Third, in activity-tracking services (e.g., RunKeeper), users report their location-based activities to service providers and obtain rewards based on their performance. However, from the location traces, the service providers can infer sensitive information about the users, e.g., their home/work addresses. Also, to obtain better rewards, the users might try to falsely report their activities to the service providers. Therefore, we propose SecureRun, a solution that enables service providers to compute accurate activity summaries of the users, while guaranteeing the users' location privacy vis-a-vis the service providers.
In short, in this thesis, we identify privacy risks in popular mobile apps and services. We show that it is possible to provide them with added privacy, while preserving their rich functionality and usability. We are confident that the contributions presented in this thesis will inspire more future work on protecting users' privacy, not only in the context of mobile apps and services, but also in many other contexts brought about by new technological advances.
EPFL2019
