| Funder | National Science Foundation (US) |
|---|---|
| Recipient Organization | Case Western Reserve University |
| Country | United States |
| Start Date | Mar 01, 2021 |
| End Date | Mar 31, 2023 |
| Duration | 760 days |
| Number of Grantees | 1 |
| Roles | Principal Investigator |
| Data Source | National Science Foundation (US) |
| Grant ID | 2046953 |

As mobile applications (i.e., apps) have become an integral part of daily life, their increasing access to users' sensitive data (e.g., location and contacts) raises serious security concerns. Mainstream smartphone platforms (e.g., Android and iOS) adopt permission-based access-control mechanisms, but such mechanisms fail to consider the context in which permission requests arise and do not explain how and why the app uses sensitive data, causing users to make uninformed decisions.
The goal of this project is to develop a context- and user-aware security framework that enables (G1) contextual integrity by notifying users only when sensitive data is used in ways that cannot be justified by the contexts and the apps' intentions, and (G2) user awareness by generating natural-language (NL) descriptions that explain the sensitive data uses.
The research will have four major tasks. First, the research team will develop a context- and intention-aware model that represents the correlation between the contexts/intentions and the sensitive behaviors in the code, where the contexts and intentions are expressed mainly by unstructured information (i.e., images and text) in the Graphical User Interfaces (GUIs).
Second, the team will develop novel program-analysis techniques that associate the contexts and the intentions in GUIs with the sensitive behaviors in the code, which enables the construction of large-scale, high-quality training data. Third, the team will develop a neural machine-translation model that takes as input the contextual information provided by GUI contexts and the vocabulary provided by privacy policies, and synthesizes descriptions for sensitive behaviors in the code.
Finally, the team will develop a lightweight instrumentation system that integrates the results of the detected undesired behaviors and the synthesized descriptions. The success of this project will enhance the security of society at large by leading to more secure mobile apps, and the proposed techniques will provide new insights for the cooperation of program analysis and machine learning.
New techniques and tools developed in this project will be integrated into undergraduate and graduate education and used to raise public awareness of the importance of mobile-app security.
This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.