Welcome to the REU Smartphone Privacy page.

This is part of the 2011 Research Experience for Undergraduates program at Oakland University.

Privacy Information- Grouped

posted Jun 27, 2011, 7:37 AM by Aimee Xia

Wednesday, June 22, 2011

The applications on smartphones and what information is used by each:

Contact List
Directory Info

Location Data

Web Browser:
Directory Info
Credit Card Info
Purchase history
Browser history
Browser passwords

Instant Messaging:
IM logs
Text Messaging:
SMS logs

Information that is specific to smartphones, and info that isn't:

NOT SPECIFIC                                            SPECIFIC

Credit Card Info

Purchase History

Browser History




Browser Passwords



SMS Logs


Motion information


Acoustic Data

Contact list

Call Log

Grouped according to privacy protocol:





SMS Logs





Contact list

Call Log

SMS Logs





Contact list

Call Log


SMS Logs


Motion information


Acoustic Data


Call Log


SMS Logs


Motion information


Acoustic Data


Call Log


Privacy Information

posted Jun 22, 2011, 7:12 AM by Aimee Xia

Tuesday, June 21, 2011

Personal information that consumers and users of smartphones might want to keep private is:

·      Directory Information

o   Name

o   Address

o   Phone Number

o   Email

·      Credit Card Info

·      Purchase History (Credit/Debit logs)

·      Location Data

·      Browser History

·      E-mails

·      Contacts

·      Pictures (Personal Media)

·      Geotagging (and Gyroscope Info)

·      IM Logs

·      SMS Logs

·      Browser Passwords

·      Files/Notes

·      Telephone ID (UID)

·      Physical Audio (Apps that eavesdrop)

·      Social Security Number

·      Calendars

·      System Log Files

·      Social Networking Account Info

·      Banking Info

·      Call History

·      Ringtones

·      Search History

We are going to use this information to write our own privacy policy.

Midterm Presentation

posted Jun 22, 2011, 6:46 AM by Aimee Xia   [ updated Jun 22, 2011, 7:12 AM ]

Friday, June 17, 2011

We presented our progress thus far in our midterm presentation.

Privacy Policies

posted Jun 22, 2011, 6:46 AM by Aimee Xia   [ updated Jun 27, 2011, 7:52 AM ]

Wednesday,  June 15, 2011

We have been studying privacy policies for the past few days. Many large companies' websites, such as Google, Yahoo, and even the Oakland University website, have policies, some directly related to privacy and others not so much.

The Federal Trade Commission also has five Fair Information Practice Principles. These are guidelines set in place that privacy policies should follow in order to be useful and protect the user. The five core values are:

1. Notice/Awareness
The consumer should be notified before his private information is collected. He should know what information would be taken and what it would be used for. This is the most fundamental value because without awareness, the consumer cannot make educated decisions regarding his private information.

2. Choice/Consent

The consumer should be able to choose whether or not to share his information, what information he wants to share, how he wants it to be used, and to whom it can be passed on to. The simplest example of this is opt in/opt out, where the consumer chooses whether or not he wants to give his information.

3. Access/Participation

The consumer should be able to see the private information collected from him, and be able to edit that information if inaccurate. The method of access should be quick, inexpensive, and easy to reach.

4. Integrity/Security

The collectors of the information should protect the data with reasonable measures. They should make sure to keep it safe from other, unauthorized parties.

5. Enforcement/Redress

The collectors should have a method of enforcing their privacy policy. Without this, the policy is useless. They should also provide the consumer with means of recourse if his information is stolen. For example, there could be a feedback system in place he consumer could complain to.

These five principles are at the core of every good privacy policy. (21)

Privacy Overview

posted Jun 10, 2011, 7:08 AM by Aimee Xia

Thursday, June 9, 2011

We put up a draft of an overview talking about smartphone privacy and its policies.


4G Privacy and Communication Models

posted Jun 6, 2011, 7:16 AM by Aimee Xia   [ updated Jun 6, 2011, 8:28 AM ]

Monday, June 6, 2011

4G Security

There are two candidates for the architecture for 4G, LTE Advanced and IEEE 802.16m.

LTE specifications on security are still being developed; documentation states “The 3GPP System Architecture Working Group 3 (SA3) is responsible for security and has decided to use either Advanced Encryption Standard (AES) or SNOW 3G algorithms. Specific modes for AES are still being determined…” (19). There is no mention of any privacy standards in the LTE model.

IEEE 802.16m is further developed, and includes implementation of an independent Security sublayer, which “provides subscribers with privacy, authentication, or confidentiality across the broadband wireless network” (20, p. 491). This includes a Privacy Key Management Protocol, which establishes “a client/server model between the base station and subscriber station that is used to secure distribution of keying material” (20, p. 17).

The WAP Stack

The Wireless Application Protocol is a five layer system. The layers' respective protocols are:

Application Layer: Wireless Application Environment (WAE)
Session Layer: Wireless Session Protocol (WSP)
Transaction Layer: Wireless Transaction Protocol (WTP)
Security Layer: Wireless Transport Layer Security (WTLS)
Transport Layer: Wireless Datagram Protocol (WDP)
(15, 17)

The Wireless Datagram Protocol

posted Jun 3, 2011, 7:45 AM by Aimee Xia   [ updated Jun 5, 2011, 8:03 PM ]

Friday, June 3, 2011

The Wireless Datagram Protocol acts as an interface to the greater internet (17). It splits data packets into a system of bearers which transmit information across the network. The following is a brief discussion on each of the bearers:

SMS: Operates the text messaging service found on all basic and sophisticated phones. The packets of text are limited to 160 characters in length. Most network operators do not develop services for SMS on WAP (16).

CSD: Data transfer over voice. The system either uses an onboard analog modem, or connects to a remote modem via phone call. As the transfer uses an analog modem, data speeds are limited (16).

USSD: Session-oriented service, used originally for administrative purposes, but can be used for two-way transactions (16). The USSD bearer frequently is a dialed service, following a formatted structure, and can be used to check balances, make transactions, or other miscellaneous operations (18).

GPRS: Serves as a supplement to SMS and CSD, utilizing variable speed and latency to maximize efficiency (16).

The WAP Stack

posted Jun 2, 2011, 10:29 AM by Aimee Xia   [ updated Jun 6, 2011, 8:22 AM ]

Thursday, June 2, 2011

The protocols, hardware, and software of the Internet is organized into five layers. Each layer offers services to layers above it, and are serviced by the layers below it.

For mobile networks, the protocol stack changes slightly. The model used is called the Wireless Application Protocol (WAP) stack, which also has five layers: the Application, Session, Transaction, Security, and Transport Layers (17).

The WAP stack is a set of protocols used in mobile communications. The layers of the stack are:

A variety of bearers are utilized to translate data to and from the web and the client (16).

The WAP is mostly congruent with the standard model for the internet, though it uses specific protocols in the Transport and Application layers (15). The OSI Model for communications can be seen here:

Privacy and Security Requirements

posted Jun 2, 2011, 10:25 AM by Aimee Xia

Wednesday, June 1, 2011

We looked at existing privacy and security requirements regarding the internet.

ITU-T IMT-2000 Security Requirements: Capability Set 1

It seems there are no official privacy requirements for internet and ISDN connections. According to the "ITU-T IMT-2000 Security Requirements: Capability Set 1," user privacy "between the core network and [the internet] is beyond the scope of IMT-2000 standards" (12). Because of this, the responsibility of internet user privacy, especially with regard to smartphones, is passed on to the phone manufacturers and application developers, resulting in varying degrees of reciprocity. Apple's App Store has a small barrier to entry for developers who wish to a create app, along with a review board for all independently produced apps. On the other hand, privacy for products on the Android Market is left almost entirely up to the individual developer. Thus, even though Android apps must be signed, they may not necessarily be safe (13, 14).

Research Groups and Network Infrastructure Map

posted Jun 2, 2011, 10:24 AM by Aimee Xia   [ updated Jun 15, 2011, 7:37 AM ]

Tuesday, May 31, 2011

Several research groups with particular interests in smartphone privacy are:

University of California Santa Barbara Smartphone Security

This group researches the vulnerability of smartphones, namely malware and the vulnerabilities of network interface integration and applications.

Rutgers University Computer Science

Computer Science researchers from Rutgers University discovered a software attack that could severely compromise the security of smartphones.

Carleton University Computer Science Lab

The computer science department at Carleton has several researchers researching smartphones.

Nokia Research

Nokia Research Center reportedly claims to research High Performance Mobile Devices. An emphasis is put on Mobile platform security and privacy.


Does research on a number of topics, notably the "mobile wireless ecosystem," a broad range of topics covering 4G infrastructure, hardware, chipset technology, and consumer end growth.

Here is a diagram of network architecture:

The Base Station Controller operates as a pager, determining which cell a particular phone is located in, and if a smart phone is accountably capable of making a phone call or connecting to the internet. To connect to the network, the BSC re-routes to a Serving GPRS Support Node, onward into a larger gateway, and into the internet. This architecture was created to be separate from the standard MSC phone network, and is implemented in all 2.5G and 3G networks. (4, pg 562)

On the other hand, all successful telephone connections are routed through the MSC into the public telephone network. (4, pg 561)

1-10 of 16