Researchers from Carnegie Mellon University (CMU) have identified a new technique to improve the security of smartphones. Typically a smartphone user gives permissions to an application to access certain information. Smartphone developers add functionality to their applications by integrating third party libraries. These may be used to deliver ads, provide leaderboards, or create marketing profiles.
For example, Facebook libraries can be accessed for authenticating individuals, Flurry's platform creates marketing profiles from the information, and Google's AdMob library accesses the user's location to deliver targetted ads. CMU researchers have developed an app known as Protect My Privacy that allows users to set permissions for the libraries as well as the applications. The control options are granular, allowing the users to choose which information is accessible to the library, and share only partial information.
The application also allows the user to know whether the application or the third party library is accessing the information. Users can still support developers, for example consuming ads based on their general location instead of the complete address. The Android application works only on rooted devices.
Yuvraj Agarwal, assistant professor of computer science in the Institute for Software Research says "Each of these libraries may be used by multiple apps on your smartphone. Making decisions about what information to share with each library, rather than just what each app should share, dramatically reduces the number of decisions a user has to make to protect privacy. It's also more effective because if a user allows even one app on their device to provide a particular library with access to their sensitive information, that's really all the library needs."
The approach works because the same third party libraries are used by multiple applications. An analysis of 1,300 people using 11,000 Android applications found that the top 100 libraries account for more than 70 percent, and the top 30 libraries accounts for more than half of the instances of access to personal information.