Mitigating Location Privacy Attacks on Mobile Devices using Dynamic App Sandboxing

Authors: Sashank Narain (College of Computer and Information Science, Northeastern University, Boston, MA, USA), Guevara Noubir (College of Computer and Information Science, Northeastern University, Boston, MA, USA)

Volume: 2019
Issue: 2
Pages: 66–87
DOI: https://doi.org/10.2478/popets-2019-0020

Download PDF

Abstract: We present the design, implementation and evaluation of a system, called MATRIX, developed to protect the privacy of mobile device users from location inference and sensor side-channel attacks. MATRIX gives users control and visibility over location and sensor (e.g., Accelerometers and Gyroscopes) accesses by mobile apps. It implements a PrivoScope service that audits all location and sensor accesses by apps on the device and generates real-time notifications and graphs for visualizing these accesses; and a Synthetic Location service to enable users to provide obfuscated or synthetic location trajectories or sensor traces to apps they find useful, but do not trust with their private information. The services are designed to be extensible and easy for users, hiding all of the underlying complexity from them. MATRIX also implements a Location Provider component that generates realistic privacy-preserving synthetic identities and trajectories for users by incorporating traffic information using historical data from Google Maps Directions API, and accelerations using statistical information from user driving experiments. These mobility patterns are generated by modeling/solving user schedule using a randomized linear program and modeling/solving for user driving behavior using a quadratic program. We extensively evaluated MATRIX using user studies, popular location-driven apps and machine learning techniques, and demonstrate that it is portable to most Android devices globally, is reliable, has low-overhead, and generates synthetic trajectories that are difficult to differentiate from real mobility trajectories by an adversary.

Keywords: Location Privacy Protection, Anonymity, Android Audit Framework, Synthetic Mobility Models, Location-based Services, Mobile Apps, Android

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.