Traditional mechanisms for delivering notice and enabling choice have so far failed to protect users’ privacy. Users are continuously frustrated by complex privacy policies, unreachable privacy settings, and a multitude of emerging standards. The miniaturization trend of smart devices and the emergence of the Internet of Things (IoTs) will exacerbate this problem further. In this project, we are proposing Conversational Privacy Bots (PriBots) as a new way of delivering notice and choice through a two-way dialogue between the user and a computer agent (a chatbot). PriBots improve on state-of-the-art by offering users a more intuitive and natural interface to inquire about their privacy settings, thus allowing them to control their privacy. In addition to presenting the potential applications of PriBots, we describe the underlying system needed to support their functionality. We also delve into the challenges associated with delivering privacy as an automated service. PriBots have the potential for enabling the use of chatbots in other related fields where users need to be informed or to be put in control.

Voice has become an increasingly popular User Interaction (UI) channel, largely contributing to the ongoing trend of wearables, smart vehicles, and home automation systems. Voice assistants such as Siri, Google Now and Cortana, have become our everyday fixtures, especially in scenarios where touch interfaces are inconvenient or even dangerous to use, such as driving or exercising. Nevertheless, the open nature of the voice channel makes voice assistants difficult to secure and exposed to various attacks as demonstrated by security researchers. VAuth is the first system that provides continuous and usable authentication for voice assistants. We design VAuth to fit in a necklace's pendant, where it collects the sternum-surface vibrations of the user and matches it with the speech signal received by the voice assistant's microphone. VAuth passes to the voice assistant only those commands that originate from the voice of the owner. We tested VAuth on 8 users and 30 voice commands and found it achieving an almost perfect matching accuracy with less than 1% false positives. VAuth successfully thwarts different practical attacks such as replayed attacks, mangled voice attacks, or impersonation attacks. It also has low energy overhead and is compatible with most existing voice assistants.

Bluetooth Low Energy (BLE) has emerged as the de facto communication protocol in the new computing paradigm of the Internet of Things (IoT). A BLE-equipped device or sensor advertises its presence to let interested parties connect and glean relevant information. These advertisements, however, are a double-edged sword; an adversary can exploit them to learn more about the BLE-equipped devices of a certain user or in a specific environment – generally referred to in literature as the inventory attack. Revealing the device's presence is the stepping stone toward more serious privacy and security attacks with grave consequences, as demonstrated for medical devices. My analysis of the advertisements from 214 different types of BLE-equipped devices and sensors revealed that BLE's security and privacy provisions are ineffective; BLE advertisements leak an alarming amount of information that allows an adversary to track, profile, fingerprint, and access user's sensitive information. To address these threats, current approaches require changes to the protocol itself or to the way the BLE-equipped devices function rendering them impractical to deploy.

I designed and implemented BLE-Guardian, a novel device-agnostic system that defends against security and privacy threats to BLE- equipped devices. BLE-Guardian efficiently invokes friendly jamming to prevent others from receiving a selected device's advertisement, effectively rendering it invisible, without affecting other nearby devices. Hiding a device prevents an adversary from being aware of its existence and hence limits the potential security/privacy threats to its owner/carrier. In addition, BLE-Guardian includes an access control module that allows only authorized devices to discover, scan, and connect to the user's BLE-equipped devices. BLE-Guardian is effective in combating security and privacy threats, has low overhead, and incurs minimal or no disruption to the legitimate BLE devices.

Links:

You can find the link to the source code of BLE-Mon, the app we used to collect BLE advertisements, here.
The link to the privacy policy of BLE-Mon is here.

I designed and implemented PR-LBS (Privacy vs. Reward for Location Based Service), a system that balances the users' privacy concerns and the benefits of sharing location data in indoor location tracking environments. PR-LBS includes three novel online location release mechanisms that achieve differential privacy guarantees, and ensures that the user engages in a fair location-service exchange with the service provider. Moreover, PR-LBS achieves equilibrium between user's privacy protection and SP's data utility in indoor scenarios. As localization can be device-based or infrastructure-based, PR-LBS can be installed on individual devices or deployed as a broker between users and service providers.

PR-LBS is inspired and motivated by an online survey that we performed for 200 hypothetical shoppers in Walmart and Nordstrom.

Links:

You can find a link to the Walmart survey here, and the respondents' responses to the survey here.
You can also find a link to the Nordstrom survey here, and the respondents' responses to the survey here.

LP-Guardian:

To date, there have been a limited number of approaches to handle the mobile location privacy threats in real-world settings. Most location privacy protection mechanisms, proposed in literature, address unrealistic threat models instead of handling privacy threats as posed by the mobile apps. To fill this gap in location privacy research, I propose LP-Guardian, the first comprehensive and app-aware framework for location privacy protection on Android smartphones. LP-Guardian overcomes the shortcomings of existing approaches and achieves privacy protection through anonymizing user's location before the app can access it. LP-Guardian guarantees that the observed mobility pattern of a certain user is indistinguishable among a theoretical set of individuals. As a result, an adversary can't attribute the observed location information to the real user. LP-Guardian only patches the Android framework, and requires no changes in apps or the service providers. It incurs low overhead and has minimal effect on the apps' functionality.

LP-Doctor:

In a follow-up project, I investigated the deployment challenges facing location privacy protection mechanisms. All location privacy-enhancing mechanisms require changes either to the underlying platform or the infrastructure which make them untenable to be deployed. Therefore, users are left with what mobile operating systems provide them in terms location access control. My analysis of the location privacy threats posed by 1160 apps for 150 users over two years revealed that OSes' location access controls lack granularity and threat awareness. I propose LP-Doctor, a lightweight and user-level Android tool1 which enables the users to be aware of the underlying location privacy threats and exercise fine-grained location access control. LP-Doctor picks a novel privacy criterion that limits information leaked about the user from the location data released to different apps. A user study of 227 participants indicated LP-Doctor's ease of deployability and usability. This work was funded by a Google Faculty Award which I coauthored its proposal.

Links:

You can find a link to the survey regarding mobile users' persepctive towards location-aware apps here, and the respondents' responses to the survey here.
You can find a link to the LP-Doctor's source code here.
You can find a link to the usability survey for LP-Doctor with the Facebook app here, and the respondents' responses to the survey here.
You can also find a link to the usability survey for LP-Doctor with the Yelp app here, and the respondents' responses to the survey here.

Mobile devices are manifesting as very attractive targets for attacks, with the number of detected malware instances increasing exponentially. Malicious apps exploit device vulnerabilities, steal personal information, track users through aggressive sensor polling, convert the mobile device to a bot for DDoS attacks or spamming, and embezzle the users through toll fraud attacks. Current mobile malware detection strategies depend on signature matching – identifying malware based on known and static characteristics. Nevertheless, malware, advancing at a fast rate, employ a set of techniques to hide their malicious payload and evade detection. Behavioral analysis techniques overcome the shortcomings of the existing malware detection mechanisms; they continuously monitor app behaviors through tracking a number of features on the device. As the number of features increases, the behavioral analysis engine becomes too expensive to run on the mobile device which impacts user experience.

I contributed to Qualcomm's Smart Protect platform, the first efficient and performance-aware behavioral analysis architecture for mobile malware detection. At the core of this architecture lies my work – JFSP, a joint feature selection and pruning algorithm that converts a malware classification model based on the full feature set to a lean model based on a reduced feature set. JFSP performs this task dynamically, on the device, without retraining, while incurring little loss in detection accuracy. JFSP is able to reduce 70% of the original number of features at a minimal loss (less than 7%) of detection accuracy.

As people rely more on location-aware mobile phones for their daily lives and businesses, they expose more of their location information to service providers. An entity with access to the user’s location traces can infer information about the points of interest (PoIs) the user visits, thus raising the risk of his privacy. To protect a user’s location privacy, we propose a new approach that creates Dummy Crowd for Location Privacy Protection (D-Coy). D-Coy protects a user’s location privacy at three levels. On the highest level, it hides the user’s frequently-visiting PoIs within a set of dummy PoIs, effectively protecting his identity. On the next level, D-Coy protects the user’s trajectories by generating a set of dummy paths that are indistinguishable from his actual path. As D-Coy associates every location sample with a set of dummy locations, it achieves instantaneous protection of location privacy on the lowest level. Our extensive evaluation of D-Coy using real-life traces has shown that it effectively protects the user’s location privacy while providing an acceptable quality of service and real-time user experience.