Nowadays there is a great rise of devices (most of which are personal) equipped with resources that generate lots of data while sensing the surrounding environment, interacting with the user, communicating with external resources, etc.
Examples of such devices are the smartphones or tablets: presently, every smartphone or tablet has 6 to 8 physical sensors onboard (here referred as “physical resources”) and almost a hundred of virtual ones (“virtual resources”). The physical resources are, for instance, the accelerometer, the GPS receiver, the NFC transmission module, etc. The virtual resources are, for instance, the personal account management software, the Bluetooth connection manager, etc. (most of the virtual resources are software). This is not only true for mobile phones since, with the advent of device-independent Operative Systems (like Android), there are kinds of devices with similar capabilities and other novel resources: it is the case of connected TVs, new generation cameras, car interactive equipment, etc.
The above mentioned devices host third-party services and applications that have access to the onboard resources of the devices: these generate an unprecedented amount of data that, since most of the devices are pervasive and personal, can be critical from a privacy point of view.
In the paper by Adrienne Porter Felt, Kate Greenwood, David Wagner, “The Effectiveness of Application Permissions”, University of California, Berkeley, USENIX Conference on Web Application Development (WebApps) 2011, 956 android applications have been analyzed. The authors observed that 93% of free applications (total of 856) and 82% of paid applications (total of 100) have at least one dangerous permission. Dangerous permissions include actions that could cost the user money or leak private information. In particular, the authors show that Internet permission is heavily used, and in most applications, this permission could be used to store personal information from the users.
In the paper by W. Enck, P. Gilbert, B. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphone”, the authors analyze if and which type of personal data an application stores. They developed a kernel plugin to analyze the data sent to a server by all applications having the Internet connection permission along with other permission such as camera, location, etc. The authors found 358 free applications that required Internet connection permission along with other permissions and they analyzed 20 out of them. Among the latter, two sent Phone Information to Content Servers, seven sent Device ID to Content Servers and 15 sent Location to Advertisement Servers. Thus the authors demonstrated that a large amount of applications could send personal data for different purposes.
In the paper by Adrienne Porter Felt, Elizabeth Ha, Serge Egelman, Ariel Haney, Erika Chin, and David Wagner “Android Permissions: User Attention, Comprehension, and Behavior”, the user attention and understanding during installation of applications is analyzed. Only 17% of participants paid attention to permissions during installation. Only 3% of Internet survey respondents could correctly answer all three questions of permission comprehension. This indicates that current Android permissions warnings do not help most users to make correct security decisions. During this test, only 20% of users were able to provide details about why they did not have an application installed. Moreover, the participants demonstrated very low comprehension of permissions granting during installation.
WO 2012/109512 discloses systems and methods for regulating access to resources at application run-time. A permissions application is invoked. The permissions application accesses an information store comprising a plurality of permissions. Each permission is associated with a corresponding resource in a plurality of device resources. The information store specifies which applications have permission to access which device resources. An application is executed on the device and makes a request for a resource while the application is executing. Responsive to the request, the permissions application determines whether the application has runtime access permission to use the resource. When the application has run-time access permission to use the resource, it is granted run-time access to the resource. When the application does not have run-time access permission to use the resource, it is not granted run-time access to the resource but is permitted to continue executing on the device without the requested resource.