April 18, 2011 | by Andrew Kameka
There’s an Android security scare happening at least once a month. Most of these are overblown, rehashed non-issues, but there are legit concerns about Android malware and privacy leaks. Researchers at North Carolina State University have developed software designed to shield Android users from concerns about apps stealing their private data.
Taming Information-Stealing Smartphone Applications (TISSA) is a security prototype developed to give Android phone owners more control over which data is accessible to apps. TISSA can show that an app requests “Location” data, and users can respond by setting it to Trusted, Anonymized, Bogus, or Empty.
A privacy setting is applied for each permission request, so device owners can accept that an app wants to know their location but still reject access to the call log. The developer may offer a perfectly good reason to request such information, but that’s exactly what it is – a request. TISSA gives users the option to deny access. These are the four privacy options set forth by TISSA:
- Trusted – Users accept that the app is not abusing data and TISSA doesn’t provide any restrictions.
- Anonymized – Users may be suspicious or simply want to be cautious, so TISSA can send random data with general information. So a weather app can get your location information within 10 miles, but not within 10 feet.
- Bogus – Flat-out lies to the app. It sends phony information, which is an ideal way of protecting your Contacts and Call Log.
- Empty – TISSA will tell the app that the information does not exist, so a suspicious app looking for the call log will think that you haven’t made any calls.
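The four settings above can be modeled as a lookup keyed on app and data type, sketched here in Python. This is an added example, not TISSA's code: the app names, sample records, the 0.1-degree location grid, the masked call log and the default-to-Empty rule are all assumptions.

```python
import math
from enum import Enum

Mode = Enum("Mode", "TRUSTED ANONYMIZED BOGUS EMPTY")

# Constructed sample records standing in for the phone's real data.
REAL = {
    "location": (35.7847, -78.6821),
    "call_log": [{"number": "919-555-0101", "seconds": 62},
                 {"number": "919-555-0102", "seconds": 310}],
}
# Constructed phony records handed out in Bogus mode.
FAKE = {
    "location": (0.0, 0.0),
    "call_log": [{"number": "000-555-0000", "seconds": 1}],
}
# One setting per (app, data type); the app names are hypothetical.
POLICY = {
    ("weather", "location"): Mode.ANONYMIZED,
    ("weather", "call_log"): Mode.EMPTY,
    ("dialer", "call_log"): Mode.TRUSTED,
    ("game", "location"): Mode.BOGUS,
    ("game", "call_log"): Mode.ANONYMIZED,
}

def anonymize(data_type, value):
    """Keep the general picture, drop the precise part (assumed scheme)."""
    if data_type == "location":
        # Snap to a 0.1 degree grid: a few miles of error, never a few feet.
        return (round(value[0], 1), round(value[1], 1))
    # Call log: keep how many calls and how long, hide who was called.
    return [{"number": "xxx-xxx-xxxx", "seconds": c["seconds"]} for c in value]

def read(app, data_type):
    """Return what `app` receives when it asks for `data_type`."""
    # Assumption: an (app, data type) pair with no setting gets Empty.
    mode = POLICY.get((app, data_type), Mode.EMPTY)
    if mode is Mode.TRUSTED:
        return REAL[data_type]
    if mode is Mode.ANONYMIZED:
        return anonymize(data_type, REAL[data_type])
    if mode is Mode.BOGUS:
        return FAKE[data_type]
    return None if data_type == "location" else []

def miles_between(a, b):
    """Great-circle (haversine) distance in miles between two (lat, lon)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3958.8 * 2 * math.asin(math.sqrt(h))
```

`miles_between` is there to check the Anonymized location against the real one: the coarsened fix should be useful for weather but useless for finding a front door.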
“There are a lot of concerns about potential leaks of personal information from smartphones,” says Dr. Xuxian Jiang, an assistant professor of computer science at NC State who co-authored a paper describing the research. Jiang added that the research team is still mulling how it can make the security options available to Android users, but a software update could be sent over-the-air to incorporate it into Android. A paper titled “TISSA (on Android)” will be released at a security conference in June and offer more information.
WHAT DOES THIS MEAN FOR REGULAR FOLKS?
At the moment, TISSA is just a concept of what can be done. It is not official from Google and will likely require some customizing before anyone outside of the research project is able to load this onto a phone. Google currently offers a take-it-or-leave-it stance on apps in the Android Market; a user is told up-front what security permissions each app requests, but all must be accepted or the app cannot be used at all.
It would probably be against Google’s interests to allow users to send phony information that could harm the growing mobile ads ecosystem, but Google might recognize the value in ending these privacy issues once and for all. TISSA could provide an additional layer of security that allows users to pick and choose how much personal information they will surrender to developers.