AppPETs

Competence center: Security

Contact: Arik Messerman, Prof. Dr.-Ing. Sahin Albayrak, Dr.-Ing. Karsten Bsufka

Partners: DAI-Labor (TU-Berlin), Universität Hamburg, Westfälische Wilhelms-Universität Münster, ULD (Unabhängiges Landeszentrum für Datenschutz), mediaTest digital, praemandatum, JonDos

Sponsor: Federal Ministry of Education and Research (Bundesministerium für Bildung und Forschung)
Duration: 02/2016-01/2019
AppPETs

Privacy-friendly Smartphone Applications without Compromise.

Motivation

Smartphones and the many apps on them support most of us in everyday life. Apps gain additional value by linking our personal data, and in the process personal data are frequently captured, processed and sent to arbitrary servers. Whether the collection and transmission of our personal data is actually necessary for the purpose of a given app is generally left unanswered. It is also increasingly difficult to say whether there is sufficient protection against reconnaissance or other threats, even when an encrypted connection to the respective server exists. The question also arises whether, and how, the user is involved in the transmission of his data. Does the user agree to the transmission depending on the context? Is he informed about such a transmission? Should data be stored on external third-party cloud services in interpretable form, or would it suffice to transform the data before transmission into a form that only the data owner can interpret correctly?

Even as awareness of IT security grows among app developers, the question arises whether a typical developer has sufficient knowledge to use complex security solutions correctly. Often, developers do not have such knowledge. Instead, many developers rely on external security libraries that offer complex security mechanisms. These mechanisms usually have to be configured with several parameters, which requires expert knowledge that is frequently not available.

Goals

The “AppPETs” project focuses on the development of a privacy library (P-Lib) that offers a set of security solutions requiring minimal security knowledge from the developer. The P-Lib will also include techniques that make it feasible to guarantee the user’s privacy: private data should never be transmitted in a form interpretable by external parties without the self-determined consent of the user. To this end, the P-Lib provides numerous interfaces that an app developer can use to protect the privacy of future users. Before transmission, data are encrypted, anonymized, pseudonymized or protected by more complex privacy-enhancing technologies (PETs) through the P-Lib interfaces. Because this happens within the sphere of influence of the P-Lib, and thus beyond the sphere of influence of the app developer, the use of a P-Lib interface can cause the user to be informed at run-time that certain data are about to be transmitted off the device in interpretable form. This is required for scenarios in which transmitting personal data is essential for the app’s functionality; in such cases the user is i) informed about the data flow and ii) able to stop the transmission before the data are sent anywhere.
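The following is an added illustration of the gateway pattern described above, written for this page; it is not code from the AppPETs project or the P-Lib, and the names PrivacyGateway, Protection, the per-field policy mapping, the HMAC-based pseudonymization and the generalization rules are all assumptions chosen for the sketch. Every outbound record passes through one chokepoint that applies a per-field protection rule, drops fields the developer never declared, and asks the user at run-time before any field leaves the device in interpretable form:

```python
import hashlib
import hmac
import json
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Protection(Enum):
    """How a field may leave the device (constructed policy vocabulary)."""
    PSEUDONYMIZE = "pseudonymize"   # keyed hash; only the key holder can link values
    GENERALIZE = "generalize"       # coarsen the value (age bucket, postal-code prefix)
    PLAINTEXT = "plaintext"         # interpretable by the receiver; needs run-time consent


class TransmissionBlocked(Exception):
    """Raised when the user declines to send interpretable data."""


class PrivacyGateway:
    """Constructed sketch of a P-Lib-style chokepoint: all outbound records go
    through prepare(), which applies a per-field policy and drops undeclared fields."""

    def __init__(self, device_key: bytes, ask_user: Callable[[str, Dict[str, str]], bool]):
        if len(device_key) < 32:
            raise ValueError("device key must be at least 32 bytes")
        self._key = device_key
        self._ask_user = ask_user          # UI hook: shows destination + fields, returns consent
        self.audit_log: List[dict] = []    # what left the device, and what was blocked

    def pseudonymize(self, value: str) -> str:
        # HMAC-SHA256 under a device-held key: deterministic on the device (records can
        # still be joined) but not reversible or linkable by anyone without the key.
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

    @staticmethod
    def generalize(field: str, value) -> Optional[str]:
        # Constructed generalization rules; unknown fields are suppressed, not sent as-is.
        if field == "age":
            low = (int(value) // 10) * 10
            return f"{low}-{low + 9}"
        if field == "postal_code":
            return str(value)[:2] + "***"
        return None

    def prepare(self, record: dict, policy: Dict[str, Protection], destination: str) -> bytes:
        outgoing: dict = {}
        interpretable: Dict[str, str] = {}
        for field, rule in policy.items():
            if field not in record:
                continue
            value = record[field]
            if rule is Protection.PSEUDONYMIZE:
                outgoing[field] = self.pseudonymize(str(value))
            elif rule is Protection.GENERALIZE:
                outgoing[field] = self.generalize(field, value)
            else:  # Protection.PLAINTEXT
                interpretable[field] = str(value)
        # Fields absent from the policy are never transmitted (data minimisation).

        if interpretable:
            # Run-time consent: the user sees destination and fields and may stop the flow.
            if not self._ask_user(destination, interpretable):
                self.audit_log.append({"destination": destination,
                                       "blocked": sorted(interpretable)})
                raise TransmissionBlocked(
                    f"user declined sending {sorted(interpretable)} to {destination}")
            outgoing.update(interpretable)

        self.audit_log.append({"destination": destination, "sent": sorted(outgoing)})
        return json.dumps(outgoing, sort_keys=True).encode("utf-8")


def demo(consent: bool) -> Tuple[Optional[dict], List[dict]]:
    """Run a constructed sample record through the gateway with a fixed consent answer.
    Returns the decoded payload (None if the user blocked it) and the audit log."""
    gateway = PrivacyGateway(b"\x01" * 32, ask_user=lambda dest, fields: consent)
    record = {"user_id": "alice@example.org", "age": 34, "postal_code": "10115",
              "heart_rate": 72, "contacts": ["bob", "carol"]}   # constructed sample
    policy = {"user_id": Protection.PSEUDONYMIZE, "age": Protection.GENERALIZE,
              "postal_code": Protection.GENERALIZE, "heart_rate": Protection.PLAINTEXT}
    try:
        payload = json.loads(gateway.prepare(record, policy, "https://api.example.invalid/upload"))
    except TransmissionBlocked:
        payload = None
    return payload, gateway.audit_log


if __name__ == "__main__":
    print(demo(True))
    print(demo(False))
```

Note that the "contacts" field never reaches the payload because the developer did not declare it in the policy, and that the only field requiring a run-time prompt is the one marked PLAINTEXT; this is the design point from the text, namely that the decision to expose interpretable data sits in the library's sphere of influence rather than the developer's.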

That there are no side channels through which private data are transmitted without the user’s agreement, or in general without passing through the P-Lib, is ensured by a source-code-independent audit of the app in the form of static and dynamic analysis. Privacy-friendly apps receive a privacy certificate, in order to motivate app developers to develop in a privacy-friendly way.
The AppPETs project is funded by the BMBF as part of the data protection call "self-determined in the digital world", from February 2016 to January 2019.