Tuesday, December 13, 2011

Android apps and advertising: A bit too cozy

A Tech Republic blog entry "Android apps and advertising: A bit too cozy" features the research of TRUST Ph.D. student Adrienne Porter Felt.

Adrienne asked non-computer scientists: “Do you think the advertiser can use the app’s permissions?” Twelve people answered with:

Yes: 5
No: 2
I don’t know: 5

It turns out that the answer is not that simple.

Adrienne's blog entry "Advertising and Android Permissions" states:

"Can an advertiser use an app’s permissions?"

"When you see an advertisement in an application, there are three parties. First, there’s the application itself, which asks the user for permissions. Second, there’s the advertising library, which is shoved into the application and therefore gains access to all of the app’s permissions. Third, the advertising library displays the advertisement itself. The advertisement can’t directly use any of the permissions, but the advertising library might share information with the company that is running the ad. So if you see an REI ad while playing a game, you should know that the invisible ad library gets all of the game’s permissions, and it might share information like your location with REI."

Adrienne is a student of Berkeley Professor David Wagner.


Monday, December 05, 2011

Carrier IQ cell phone monitor software is a nightmare

TRUST Professor Stephen Wicker was quoted in a NetworkWorld article, "Cornell Prof: Carrier IQ affair 'my worst nightmare'". Carrier IQ is software present on various cell phones that provides call quality and other feedback to cell phone companies.

The article quotes Professor Wicker:

"This is my worst nightmare," says Stephen Wicker, a professor of electrical and computer engineering at Cornell. "As a professor who studies electronic security, this is everything that I have been working against for the last 10 years. It is an utterly appalling invasion of privacy with immense potential for manipulation and privacy theft that requires immediate federal intervention.

"Carrier IQ claims that the collected data is 'anonymized.' Let's give this a moment's thought -- about all that it deserves. How hard would it be to 'de-anonymize' a pile of text messages between me and my wife? My mother? My children? Banking IDs with passwords?"

The article was also picked up in a Slashdot article.