Newswise — As mobile applications have grown from collecting basic personal information to knowing intimate details of consumer's lives, computer science researchers at Baldwin Wallace University in Ohio have developed a novel solution to inform mobile device users about the hidden misuse of their personal data. 

The research, which was presented Friday, October 20, 2017 at the IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) at Columbia University, identifies a way to expose the unauthorized use of personal data and boost the ability of consumers to shield their privacy. 

The researchers, led by Brian Krupp, a professor in the computer science department at Baldwin Wallace, tested their solution on more than 800 popular smartphone apps, ferreting out more than 40 that exploited personal information without the knowledge or permission of users. "A smartphone user's personal data is at constant risk of being misused," said Krupp. "While mobile operating systems provide basic security and privacy controls, they are insufficient, leaving consumers unaware of how applications use the permissions they originally granted." 

"As an example, a weather application requests access to your location to give you a forecast, which is a legitimate use," Krupp explained. "However, behind the scenes and unknown to the user, it will also send that location information to advertiser servers." Weather apps are some of the biggest offenders because they can present a legitimate case for accessing your location, acording to Krupp. “I also thought that LinkedIn transmitting street address information without the user knowing was egregious,” he said.

The solution the BW researchers developed, SPEProxy, notifies consumers of misuse without requiring a modification to their phone. SPE stands for "Security and Privacy Enhanced". The BW approach allows consumers to utilize the solution without requiring a high degree of technical expertise. SPEProxy can be adapted to different devices and operating systems—both iOS and Android—with a simple network configuration setting. 

The BW research team tested the approach on 817 of the top-ranked applications on Google Play and in the iOS App Store. Their evaluation found SPEProxy to be highly effective across 86.55 percent of the apps and confirmed 43 cases of misuse including The Weather Channel, LinkedIn and more. 

“Weather apps are some of the biggest offenders because they can present a legitimate case for accessing your location,” Krupp said. “I also thought that LinkedIn transmitting street address information without the user knowing was egregious.” 

Since presenting their detailed conference presentation, titled "SPEProxy: Enforcing Fine Grained Security and Privacy Controls on Unmodified Mobile Devices," the researchers have started developing a publicly available version of SPEProxy, which currently lives on a Baldwin Wallace University server.

 “If data that consumers share unknowingly falls into the wrong hands, malicious users can know intimate details of our lives and our daily patterns,” said Professor Krupp. “Mobile OS producers need to provide consumers with more awareness and more control.” 

More information on Professor Brian Krupp: https://www.bw.edu/academics/bios/krupp-brian

Meeting Link: IEEE Annual Ubiquitous Computing, Electronics & Mobile Communication Conference October 2017