CITP Seminar: Serge Egelman - Taking Responsibility for Someone Else’s Code: Studying the Privacy Behaviors of Mobile Apps at Scale
From CI Center for Information Technology Policy on October 8th, 2020
Modern software development has embraced the concept of “code reuse,” which is the practice of relying on third-party code to avoid “reinventing the wheel” (and rightly so). While this practice saves developers time and effort, it also creates liabilities: the resulting app may behave in ways that the app developer does not anticipate. This can cause very serious issues for privacy compliance: while an app developer did not write all of the code in their app, they are nonetheless responsible for it. In this talk research that has been conducted to automatically examine the privacy behaviors of mobile apps vis-à-vis their compliance with privacy regulations will be presented.
Using analysis tools that were developed and commercialized (as AppCensus, Inc.), dynamic analysis has been performed on hundreds of thousands of the most popular Android apps to examine what data they access, with whom they share it, and how these practices comport with various privacy regulations, app privacy policies, and platform policies. The research indicates that while potential violations abound, many of the issues appear to be due to the (mis)use of third-party software development kits. An account of the most common types of violations that were observed and ways in which app developers can better identify these issues prior to releasing their apps will be presented.
Serge Egelman is the research director of the Usable Security and Privacy group at the International Computer Science Institute (ICSI), which is an independent research institute affiliated with the University of California, Berkeley. He is also CTO and co-founder of AppCensus, Inc., which is a startup that is commercializing his research by performing on-demand privacy analysis of mobile apps for developers, regulators, and watchdog groups. He conducts research to help people make more informed online privacy and security decisions, and is generally interested in consumer protection. This has included improvements to web browser security warnings, authentication on social networking websites, and most recently, privacy on mobile devices.
Seven of his research publications have received awards at the ACM CHI conference, which is the top venue for human-computer interaction research; his research on privacy on mobile platforms has received the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies and the USENIX Security Distinguished Paper Award, has been cited in numerous lawsuits and regulatory actions, as well as featured in the New York Times, Washington Post, Wall Street Journal, Wired, CNET, NBC, and CBS. He received his Ph.D. from Carnegie Mellon University and has previously performed research at Xerox Parc, Microsoft, and NIST.