Research Highlight: Using Crowdsourcing to Find Unusual Behaviors of Smartphone Apps

As many of you might know already, in addition to being the CTO and a co-founder of Wombat Security I'm also a faculty member at Carnegie Mellon University. This post highlights some of the research that I am doing at CMU. One of my research thrusts is smartphone privacy and security, looking at unexpected behaviors of smartphone apps. This work has been featured in the New York Times, MIT Tech Review, Pittsburgh Tribune Review, CBS Morning Show, Salon, and more. Here’s a brief summary of the work.

Our team has been analyzing Android apps for unusual behaviors, using crowdsourcing techniques to find differences between what people expect an app to do and what an app does in reality. For example, very few people expect Angry Birds to use location data, but in reality it does. This large gap in people’s understanding suggests a potential privacy problem. On the other hand, no one is surprised that Google Maps uses location data, which means that people already have a form of informed consent.

We use crowdsourcing to find these gaps in people’s understanding. Crowdsourcing is a way of farming out small micro-tasks to a pool of workers, typically tasks that are easy for people to do but hard for computers. Example micro-tasks include “find all the words in this picture” or “find the name of the building manager on this web page”.

We created some micro-tasks to probe people’s expectations about an app’s behavior, for example asking if they would expect this app to use their device’s unique ID, current location, or contact list. We found a lot of unexpected behaviors, such as a flashlight app wanting device ID, a lot of games that want location information, and music sharing apps that want access to your contact list.

You can see more detailed info on my personal blog.