UNIVERSITY PARK, Pa. — A multi-institution team of researchers recently received a Hall of Fame Award from the Association for Computing Machinery’s Special Interest Group on Operating Systems (SIGOPS) for their 2010 paper that was the first to expose the ways in which smartphone applications use personal data.
The lead author of the paper, “TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones,” was William Enck, now associate professor in the Department of Computer Science at North Carolina State University, who was a Penn State graduate student at the time of the paper’s publication. He was advised by co-author Patrick McDaniel, William L. Weiss Chair in Information and Communications Technology in the Penn State School of Electrical Engineering and Computer Science.
The SIGOPS Hall of Fame Award is given to one or two papers each year to recognize the most influential operating systems papers that were published at least 10 years ago, according to the SIGOPS website. According to the awards committee, this paper specifically was chosen because it “sparked an important research agenda on smartphone privacy that continues to this day” by documenting “dozens of potential leaks of sensitive and private information” in smartphone applications.
“The first Apple phone was available in late 2007 and the first Android phone was 2008,” McDaniel said. “A lot of people hadn’t even experienced smartphones. At the time, there was a lot of denial from the providers about security concerns. This was the first paper to uncover the hidden economy of these apps. You were getting all of these free apps that could do all of these great things, but there was a hidden cost.”
At the time, there was awareness that information was collected through website use, but it had not yet been proven to be the case for phone apps. The researchers evaluated 30 popular apps and found that 20 of them were using GPS and providing personal information to third parties.
This paper marked the beginning of extensive research in operating systems security by Penn State researchers, according to McDaniel.
“Penn State continues to be a leader in smartphone security and applications,” he said. “We’ve had several generations of analytical tools that have evaluated smartphone vulnerabilities and operating systems. A number of our doctoral students have gone on to work directly with Google to evaluate apps being released into the market.”
Beyond influencing the research community, this paper, as the first to prove this misuse of user data, also served as the catalyst for policy discussions.
“This has been used within the policy community a lot,” McDaniel said. “It’s an ongoing policy question. The biggest impact this has had is that it changed conversation from, ‘Are apps using our private information?’ to ‘They are — how should we deal with it?’ Penn State is one of the institutions that changed that conversation.”
McDaniel’s work in cybersecurity and related fields has led to many accolades, most recently being named a fellow of the American Association for the Advancement of Science, the world’s largest general scientific society. He is also a fellow of the Institute of Electrical and Electronics Engineers and the Association for Computing Machinery. He is the director of both the Institute for Networking and Security Research and the Center for Trustworthy Machine Learning, a National Science Foundation Frontier project.
Other authors of this paper are Peter Gilbert, software engineer at Oasis Labs who was a doctoral student at Duke University at the time of the paper’s publication; Byung-Gon Chun, associate professor at Seoul National University; Landon P. Cox, principal researcher at Microsoft who was a professor at Duke University at the time of the paper’s publication; Jaeyeon Jung, corporate vice president at Samsung Electronics who was a research scientist at Intel at the time of publication; and Anmol N. Sheth, senior research scientist at A9.com (Amazon) who was with Technicolor Research Lab in Palo Alto, California, at the time of the paper’s publication.