Problem Summary

Ensuring user privacy and data protection in mobile applications is complex. The challenges stem from various factors, including inadequate control and visibility for users over how apps and services access their data. This complexity arises from several issues not being fully addressed, such as managing access by third-party libraries, controlling detailed permission granting, and offering options for partial consent.

Rationale

Mobile applications face significant privacy control gaps, including limited visibility over third-party library access, binary consent options, and a lack of detailed user controls. These challenges necessitate the development of more sophisticated, user-centric mechanisms for managing privacy. By integrating contextual privacy controls, privacy by design principles, and user-friendly interfaces, users can be empowered to adjust their permissions dynamically, make informed decisions, and better protect their personal data.

Solution

To develop user-centred mechanisms for managing privacy in mobile applications. These mechanisms provide granular control over app permissions and data sharing, offer partial consent options, and use intuitive, privacy-by-design interfaces. Together, they enhance user autonomy and visibility over how apps and third-party libraries access and use personal data, addressing privacy concerns dynamically and effectively.

Chitkara et al. [1] introduced ProtectMyPrivacy (PmP) for Android, focusing on distinguishing between app-native and third-party library data accesses. As a key feature, it provides contextual control over data sharing to minimise the decisions required, thus minimising user decision fatigue. PmP leverages Android's permissions system and the Xposed framework for runtime monitoring and control, allowing actions like allowing, denying, or faking data access. PmP's backend collects user decisions and app behaviours, enhancing privacy management through contextual understanding. The app minimises user decision fatigue by managing accesses from common third-party libraries, reducing unnecessary data exposure.

Bock, Chowdhury, and Momen [2] introduced a mobile application that incorporates a "Maybe" button, offering users a novel partial consent feature for data access permissions. This approach allows users to grant temporary access to their data, enhancing privacy controls by enabling users to reassess permissions over time. Implemented on Android, this solution explores user acceptance and the practicality of conditional access, aiming to balance functionality and privacy. By allowing users to navigate the often binary choice of consent, the app provides a nuanced option to manage privacy preferences dynamically, reflecting a more realistic approach to personal data management and control.

Ataei, Degbelo, and Kray [3] introduced a user interface (UI) designed for managing location privacy settings. This UI is grounded in privacy theory, privacy by design principles, and general UI design principles. It allows users to control when, with whom, and where their location information is shared through intuitive visual controls and icons. The interface emphasises fine-grained privacy management, enabling users to set time-based, distance-based, and relational privacy controls. Integrating these controls directly into a location-based service (LBS) application aims to enhance user autonomy and privacy, making it straightforward for users to manage their location privacy preferences directly from their mobile devices.

Aydin et al. [4] presented a privacy-enhancing framework for Android applications called VisiDroid, focusing on user control over personal data shared with advertising and analytics libraries. It operates in three phases: offline analysis to track data flows and UI contexts, visual configuration allowing users to set privacy preferences on a per-widget basis, and code instrumentation to enforce these preferences by anonymising data before it's sent out. This last step ensures that the user's privacy preferences are enforced by substituting actual data with anonymised values right before they are sent out in ad or analytics requests. The approach aims to minimise potential side effects on app functionality that might arise from modifying the data used by these requests.

Quay-de la Vallee, Selby, and Krishnamurthi et al. [5] proposed a permission management assistant that aids users in managing permissions post-installation. To save users' time and attention, the PerMission Assistant sorts installed apps by their worst-rated permissions, helping users address the most concerning issues first. It guides users to manage app permissions through their device settings, as it cannot directly adjust other apps' settings for security reasons of the operating system.

Fawaz and Shin [6] proposed a solution for enhancing location privacy on Android smartphones. The authors introduce a system that leverages cloaking and obfuscation techniques to protect users' location data from unauthorised tracking, profiling, and identification. This system allows users to maintain the functionality of location-based services while significantly reducing the risk of privacy breaches. The proposed solution operates in real-time, dynamically adjusting the level of location privacy based on the context and user preferences. It intelligently decides when and how to cloak or obfuscate location data, ensuring minimal disruption to app functionality. The system is designed to be user-friendly, providing a seamless experience without requiring extensive user intervention.

Platforms: mobile devices

Example

Overview of PmP app [1]. (See enlarged)

Interface of the prototype app using partial consent as in [2]. (See enlarged)

The user interface for managing location privacy settings, from left: (a) Main UI; (b) UI for whom to share; (c) Adjusting time restriction; (d) Visualised feedback on an activated time restriction [3]. (See enlarged)

The VisiDroid configuration interface [4]. (See enlarged)

The Permission Assistant home page [5]. (See enlarged)

Left: When the app first accesses the location, LP-Guardian prompts the user to set the app's anonymisation rule with two options: 'Do nothing' or 'Hide Me.' Choosing 'Hide Me' activates the appropriate anonymisation mechanism. Right: When an app attempts to access the location from a new place, LP-Guardian prompts the user for a decision [6] (See enlarged)

• Offers users better insights into how their data is accessed and used, potentially increasing privacy awareness. The solution has been deployed and evaluated with real users, demonstrating its practicality and effectiveness in reducing privacy leaks to third-party libraries. Additionally, by focusing on popular third-party libraries common across many apps, PmP reduces the number of privacy decisions users have to make, simplifying the user experience. It provides granular control over privacy-sensitive data, distinguishing between app and library accesses [1].
• The "Maybe" button introduces a nuanced approach to permission granting. It allows users more control over their data by providing temporary access to apps and enhancing privacy management. Many participants in a user study expressed interest in using the "Maybe" button on their private devices, indicating a demand for more flexible privacy controls beyond the binary allow/deny options. It was most frequently used for permissions like memory and contacts, highlighting its potential effectiveness for managing access to more sensitive data types. Participants also valued control and privacy protection over user-friendliness, indicating a strong preference for privacy-enhancing features, even if they might complicate the user experience slightly. The study also found that the majority of participants did not perceive recurring requests for partial consent as annoying, suggesting that users are open to more frequent interaction if it means better privacy control [2].
• In a user study, the UI for fine-grained control of location privacy settings was well-received, meeting users' expectations for managing location privacy. Users expressed a strong desire to control whom they share their location with, especially unknown companies [3].

• Despite its advantages, 80.6% of participants did not use the "Maybe" button, indicating challenges in adoption and a need for more user education. The default one-day setting might have influenced its use, indicating that customisable duration options could improve its utility [2].
• Solutions like PmP require devices that have undergone a 'rooting' process (a process that allows administrator permissions to be obtained on the device), limiting their use to technically experienced users and presenting security risks [1]. Others, like the Permission Assistant, cannot directly edit other apps’ settings due to security restrictions from the operating system, requiring users to adjust permissions through the device settings manually [5].
• Time- and space-based sharing restrictions were used less frequently than expected, indicating a need to improve their presentation or user understanding. Additionally, the lab setting and hypothetical scenarios may not fully reflect real-world behaviour, limiting the findings' generalisability [3].