
When Apps Attack: Protecting Your Privacy

A team of researchers at Carnegie Mellon’s Human Computer Interaction Institute is in the business of protecting your privacy. While not full-fledged bodyguards, these researchers are on a mission to protect smartphone app users. Working under the code name CHIMPS, which stands for Computer Human Interaction: Mobile Privacy Security, this team has birthed PrivacyGrade.org, a website that grades the privacy invasiveness of smartphone apps. The team is breaking new ground by alerting users to the potential dangers of downloading apps on their smartphones.

Figure 1: PopTech 2013 review of PrivacyGrade.org

Most users expect to maintain a level of privacy when downloading certain applications. If you utilize a shopping app, you expect to search for items and make a purchase. You don’t expect that this popular and accessible app may be pilfering your personal information. Surprise! Many of these apps are highly intrusive and advanced. They can and will usurp highly personal and sensitive information. Imagine the horror of your texts, e-mails, or banking information being leaked due to a simple game download.

After analyzing thousands of apps in a broad range of categories, CHIMPS discovered that a large number of these popular apps are wittingly acquiring your personal footprint without your knowledge. In an effort to learn more about this growing problem, the team decided to give each app a privacy grade. Based on these grades, users can determine if the download is worth the risk.

Grading Protocol
Researchers developed a privacy model to gauge user expectations and app behavior. When a violation occurs, it is counted as a “penalty to an app’s overall privacy grade.” Each app is assigned a letter grade between A and D based on the following criteria:

• What users expect vs. what actually occurs during app usage
• Analysis of data collection obtained from app usage
• Data usage for the app’s purpose vs. advertising
• Traits of the libraries being incorporated into the apps
• User feedback regarding privacy expectations of an app

Image 2: PrivacyGrade.org Homepage

How do you use PrivacyGrade?
Users should visit PrivacyGrade.org and click on the Browse Apps tab. Apps are broken down into a wide number of categories, including Arcade, Books & Reference, Lifestyle and Shopping, among many others. Privacy grades can be obtained by filtering or sorting in a number of ways: privacy rating, privacy grade, app type, most used sensitive permissions, or popularity. In addition to privacy grades, the website provides detailed data that explains what permissions the app wants access to, what these permissions do and why the app is requesting this valuable information. There are also helpful pointers that show users how to turn off location features to prevent invasions.

CHIMPS has listed the most popular tested apps as Gmail, Google Maps, YouTube, Google Play, Google and WhatsApp Messenger. All received a grade of A. Take Gmail, for instance. It received high marks based on the fact that data collection is used internally for every sensitive permission. Any accessed information should be used internally and for the stated purposes initially outlined by the app.

Image 3: Browse Apps for privacy grading information

Tech Attache has provided some beneficial tips to keep you safe from attacking apps:
1. Investigate the third-party libraries and tools you use to be sure you understand what data you are collecting.
2. Be sure that your app is collecting and using data that a typical user would expect you to use.
3. Make sure your privacy policy is upfront and easy to read regarding how you collect and use data.