Research On Key Technologies Of Mobile Application Privacy Data Protection

Posted on: 2021-04-12
Degree: Doctor
Type: Dissertation
Country: China
Candidate: X Y Yang
Full Text: PDF
GTID: 1368330605981242
Subject: Information security

Abstract/Summary:
With the rapid development of the mobile internet in recent years, smart terminals and the applications running on them collect a large amount of personal information in order to provide users with a variety of functions and services. While enjoying the convenience brought by mobile terminals, users also face the risk of privacy leakage. To protect private user data from being leaked, mainstream platforms (including Android and iOS) currently adopt a permission-based access control system: an application can obtain access to sensitive data only after the user grants it. However, this access control mechanism is static and coarse-grained. Moreover, users can hardly understand an application's intention in using sensitive data, lack decision-making ability, and are unable to exercise effective control over their data. The study of privacy data protection technologies continues to attract wide attention, and researchers have proposed a number of privacy data protection technologies for mobile applications. Because the privacy-breaching behaviors of malicious attackers are becoming increasingly covert, and security problems in the mobile application ecosystem emerge one after another, existing measures are struggling to meet new privacy leakage challenges.

At present, the research community holds that privacy leakage in mobile applications is mainly due to behaviors that do not meet users' expectations or are even harmful. For instance, an application secretly accesses the user's location and sends it to a remote server; or an application requests access to sensitive information from the user not only to implement the declared function, but also to continuously collect personal information in the background without the user's consent. Implementing privacy data usage behaviors based on user expectation can improve the reasonableness and transparency of data usage, and is an effective measure for reducing privacy leakage.

The goal of this dissertation is to thoroughly analyze the privacy leakage problems of the mobile application ecosystem at all levels on the basis of existing research, and to propose privacy data protection work consistent with users' expectations at the user, application and system layers.

At the user layer, to address ordinary users' insufficient understanding of application permissions and weak decision-making ability, this dissertation starts from two common scenarios, taking screenshots and choosing application markets. It proposes a research method for mobile users' perceptions and usage behaviors regarding screenshot privacy, analyzes the impact of private information on mobile users' application market choice, and finally gives the analysis results on mobile users' privacy perceptions, attitudes and usage behaviors.

At the application layer, to address excessive permission requests from developers and opaque application data usage behaviors, this dissertation proposes a privacy-oriented mobile application context awareness framework. It helps developers implement context-aware functions while revealing the granularity, purpose and context information of privacy data usage, thus reducing the concerns of users and auditors about privacy breaches.

At the system layer, since the permission-based access control system is unable to provide dynamic and fine-grained data management, this dissertation proposes a real-time access control system based on user intention, which pops up permission requests at runtime for behaviors that do not meet the users' intentions. User experience and system performance optimization strategies are also realized, to make up for the shortcomings of the existing method.

Specifically, the work and contributions of this dissertation mainly include:

1. Analysis method of privacy protection intention for mobile users

This dissertation focuses on the privacy protection intention of mobile users and starts with two specific scenarios: taking screenshots and choosing an application market. It proposes a research method for mobile users' privacy perceptions and usage behaviors regarding private information in screenshots, analyzes the impact of private information on mobile users' application market choice, and finally gives the findings on mobile users' privacy protection awareness.

To address the over-exposure of screenshot privacy under the current coarse-grained permission-based access control mechanism, the research on mobile users' perceptions and usage behaviors regarding screenshot privacy proposes an analysis method for user privacy protection intention that combines qualitative and quantitative analysis. For the first time, it gives conclusions on mobile phone users' perceptions, attitudes and behaviors regarding screenshot privacy. Specifically, by designing a questionnaire, the study reaches qualitative conclusions not known before, including the screenshot context, the types of private information contained in screenshots, sharing behaviors, protection measures and so on. On this basis, the survey questionnaire is refined and distributed through a customized application, in order to obtain the results of a large-scale quantitative analysis while the application, running in the background, counts users' screenshot behaviors on real phones. The study finds that users' mobile phone screenshots contain a large variety of private information, but that users have not realized the possibility of privacy leakage under the permission-based access control system, and most users ignore the risks of screenshot leakage.

Given the diversity of, and differences among, the application markets available to Chinese mobile phone users, the study of the impact of private information on mobile users' application market choice identifies the main factors influencing Chinese users' application market choices by designing and collecting survey questionnaires, and in particular whether the presence of private information plays a decisive role in the users' choices. The study finds that Chinese users are more inclined to choose markets that are easy to use and offer a wide range of applications. Although they show varying degrees of concern about privacy breaches, there is a gap between privacy perceptions and actual adoption behaviors.

2. Mobile application context-aware framework for privacy security

Some applications can collect private information without the user's consent. To balance the usability and security of private data, this dissertation starts with mobile application context acquisition and proposes a mobile application context-aware framework for privacy security, aimed at the over-exposed data and the non-transparent usage contexts and purposes in context acquisition. Through data preprocessing, the framework provides developers only with coarse-grained data for context acquisition, which increases the isolation between raw data and developers, and returns whether the context occurs or not. The framework provides a unified query interface: developers only need to form a query statement with the built-in functions to implement context-aware functions, which greatly reduces programming difficulty. At the same time, the unified query interface helps to generate a privacy description statement for apps developed with the framework, describing the granularity, context and purpose of privacy data usage and improving data transparency and the user's management capability. So far, the proposed framework has been implemented as an open-source Android application programming interface. Developers can use it directly or improve it to support more mobile application contexts. The corresponding static analyzer has also been realized to generate privacy descriptions, reducing the privacy leakage concerns of mobile users and auditors about application context-aware functions.

3. Real-time access control system based on user intention

The permission-based access control system requires applications to request the corresponding permissions from users at installation time or when sensitive data is used for the first time, but it is difficult for ordinary users to understand the application's intention. Many users even ignore the permission prompt and grant all permission requests for the functions. Once authorized, the application can access sensitive resources in any context. There is no further access control over abnormal application behaviors, and the user's data access control lacks effectiveness.

This dissertation proposes and implements a real-time access control system based on user intention. First, it uses existing work to obtain the user intention for UI widget permissions (i.e., permitted and denied permissions), and then propagates the user intention to the sensitive permission calls within the UI handler through dynamic analysis, thus associating the user intention with the actual calls. Second, the system aggregates multiple abnormal permissions within a UI widget to remove repeated and unnecessary permission warnings, so as to reduce interruptions to the user. Finally, if a UI permission that does not match the user intention is actually invoked, the system pops up a permission warning dialog so that the user can exercise access control, granting or denying the UI widget's access to sensitive information. The experiments show that the developed system can exercise effective access control over abnormal widget permissions at runtime. The number of dialogs that pop up does not disturb the user's normal use of the application, and the system overhead for application startup, running and function jumps is within a reasonable range.
Keywords/Search Tags: mobile application, privacy protection, user expectation, context-aware framework, access control system