Master Thesis - Improving Smartphone Privacy with a Privacy Proxy

For my master's thesis at the University of Passau, I analyzed the traffic generated by news and weather apps. Afterwards, I tried to increase smartphone privacy by introducing a privacy proxy.

Abstract

Privacy and privacy-related issues appear regularly in public discussions. Recently, they even pushed providers of mobile operating systems to introduce a new privacy feature that restricts access to an advertising identifier. This feature affects advertising companies that identify users across multiple applications. However, the remaining communication originating from apps is still unaffected by the new feature. Here, data that could have implications for privacy could still be transmitted. Proposed solutions to increase privacy often require deep technical understanding, such as jailbreaking a smartphone. To offer a privacy-enhancing technology to less tech-savvy users, a proxy-based solution is designed and implemented. The privacy proxy acts as a man-in-the-middle and inspects the HTTP traffic sent by smartphones. When privacy-related data is found, this data should be obfuscated by the proxy. An HTTP request could contain data in multiple locations. Three locations are considered by the privacy proxy: headers, the body and URL parameters. Different data may have different implications for privacy. To do justice to this fact, each data point is manually classified by its potential impact on privacy. Based on said classification, the proxy decides whether to obfuscate the respective data. To evaluate the impact on privacy of the proposed approach, data is collected for six example apps (three each from the categories News and Weather). For each app, three modes of operation were compared: without any interference by the proxy, with blocking of connections to known tracking and advertising providers, and with said implementation of the obfuscation mechanism. Also, the increase in privacy achieved by incorporating a cache at the privacy proxy was examined. Results show that the number of potential privacy leaks indeed decreases with the use of additional mechanisms. However, it was necessary to allow the leak of some data points which were previously considered privacy-impacting in order to retain app functionality.
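
The obfuscation step described in the abstract, as an added example that is not code from the thesis: it applies a manual classification to the headers, URL parameters and body of one request. The classification table, the allow-list, the constant-placeholder obfuscation and the sample request are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed classification: data point -> privacy impact (assumed, not the thesis's table).
CLASSIFICATION = {"lat": "high", "lon": "high", "device_id": "high",
                  "x-device-model": "low", "lang": "none"}
# Classified data points still let through so the app keeps working (assumed).
ALLOWED_FOR_FUNCTIONALITY = {"lat", "lon"}
PLACEHOLDER = "REDACTED"  # assumed obfuscation: constant replacement

# Constructed sample request (not captured traffic): URL, headers, body.
SAMPLE = ("https://api.weather.example/v1/now?lat=48.57&lon=13.46&device_id=abc123&lang=de",
          {"Content-Type": "application/json", "X-Device-Model": "Pixel 7"},
          '{"device_id": "abc123", "units": "metric"}')

def must_obfuscate(name):
    key = name.lower()
    return (CLASSIFICATION.get(key, "none") != "none"
            and key not in ALLOWED_FOR_FUNCTIONALITY)

def scrub_pairs(pairs, found):
    """Replace the value of every pair whose name is classified as privacy-impacting."""
    out = []
    for name, value in pairs:
        if must_obfuscate(name):
            found.append(name.lower())
            value = PLACEHOLDER
        out.append((name, value))
    return out

def obfuscate_request(url, headers, body):
    """Return (url, headers, body, obfuscated_names) for one HTTP request."""
    found = []
    parts = urlsplit(url)
    query = urlencode(scrub_pairs(parse_qsl(parts.query, keep_blank_values=True), found))
    new_url = urlunsplit(parts._replace(query=query))
    new_headers = dict(scrub_pairs(headers.items(), found))
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    if body and ctype.startswith("application/json"):
        try:
            doc = json.loads(body)
        except ValueError:
            doc = None  # unparseable body is forwarded unchanged
        if isinstance(doc, dict):  # only top-level keys are inspected here
            body = json.dumps(dict(scrub_pairs(doc.items(), found)))
    elif body and ctype.startswith("application/x-www-form-urlencoded"):
        body = urlencode(scrub_pairs(parse_qsl(body, keep_blank_values=True), found))
    return new_url, new_headers, body, found
```

The allow-list mirrors the trade-off the abstract reports: the location parameters stay readable because a weather app cannot function without them, even though they are classified as privacy-impacting.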

The thesis can be downloaded here.