Towards a privacy-preserving platform for apps
On mobile platforms such as iOS and Android, Web browsers such as Google Chrome, and even smart televisions such as Google TV or Roku, hundreds of thousands of software apps provide services to users. Their functionality often requires access to potentially sensitive user data (e.g., contact lists, passwords, photos), sensor inputs (e.g., camera, microphone, GPS), and/or information about user behavior. Most apps use this data responsibly, but there has also been evidence of privacy violations. As a result, individuals must carefully consider what apps to install and corporations often restrict what apps employees can install on their devices, to prevent an untrusted app—or a cloud provider that an app communicates with—from leaking personal data and proprietary information.

There is an inherent trade-off between users’ privacy and apps’ functionality. An app with no access to user data cannot leak anything sensitive, but many apps cannot function without such data. A password management app needs access to passwords, an audio transcription app needs access to the recordings of users’ speech, and a navigation app needs users’ location.

In this dissertation, we present two app platform designs, πBox and CleanRoom, that strike a useful balance between users’ privacy and apps’ functional needs, thus shifting much of the responsibility for protecting privacy from the app and its users to the platform itself.

πBox is a new app platform that prevents apps from misusing information about their users. To achieve this, πBox deploys (1) a sandbox that spans the user’s device and the cloud, (2) specialized storage and communication channels that enable common app functionality, and (3) an adaptation of recent theoretical algorithms for differential privacy under continual observation. We describe a prototype implementation of πBox and show how it enables a wide range of useful apps with minimal performance overhead and without sacrificing user privacy. In particular, πBox develops the aforementioned three techniques under the assumption of limited sharing of personal data.

CleanRoom extends πBox and is designed to protect confidentiality in a "Bring Your Own Apps" (BYOA) world in which employees use their own untrusted third-party apps to create, edit, and share corporate data. CleanRoom’s core guarantee is privacy-preserving collaboration: CleanRoom enables employees to work together on shared documents while ensuring that the documents’ owners—not the app accessing the document—control who can access and collaborate on the document. To achieve this guarantee, CleanRoom partitions an app into three parts, each of which implements a different function of the app (data navigation, data manipulation, and app settings), and controls communication between these parts. We show that CleanRoom accommodates a broad range of apps, preserves the confidentiality of the data that these apps access, and incurs insignificant overhead (e.g., 0.11 ms of overhead per client-server request).

Both πBox and CleanRoom use differential privacy for apps to provide feedback to their publisher. This dissertation explores how to adapt differential privacy to be useful for app platforms. In particular, we investigate an adaptation of recent theoretical algorithms for differential privacy under continual observation and several techniques to leverage it for useful features in an app environment including advertising, app performance feedback, and error reporting.
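The "differential privacy under continual observation" that both platforms rely on is the setting where a platform must keep releasing a running aggregate (for example, how many devices have hit a particular app error so far) as events stream in, without any single event being identifiable from the whole sequence of releases. The example below is added here to illustrate that setting; it is not πBox's or CleanRoom's code. It implements the standard binary-tree (dyadic interval) counting mechanism from the continual-observation literature under the assumption that this is the kind of algorithm the abstract refers to: every prefix of the stream is covered by at most `log2(T) + 1` dyadic intervals, each interval sum is perturbed once with Laplace noise, so each event influences at most that many noisy values and the whole release sequence is ε-differentially private at the event level. The error-report stream at the bottom is constructed sample data.

```python
import math
import random


def dyadic_intervals(t):
    """Decompose [1..t] into dyadic intervals (level, start, end) using the
    binary representation of t; e.g. t=5 -> [(2,1,4), (0,5,5)]."""
    intervals = []
    start = 1
    for level in range(t.bit_length() - 1, -1, -1):
        if (t >> level) & 1:
            size = 1 << level
            intervals.append((level, start, start + size - 1))
            start += size
    return intervals


class ContinualCounter:
    """Binary-tree mechanism for privately releasing a running count over a
    0/1 event stream of length at most `horizon` (event-level epsilon-DP).
    Only O(log T) running partial sums are kept, not the raw stream."""

    def __init__(self, horizon, epsilon, rng=None):
        if horizon < 1 or epsilon <= 0:
            raise ValueError("horizon must be >= 1 and epsilon > 0")
        self.horizon = horizon
        self.levels = horizon.bit_length()          # dyadic levels 0..levels-1
        # Each event lands in one interval per level, so split epsilon across
        # the levels: Laplace scale = (number of levels) / epsilon.
        self.scale = self.levels / epsilon
        self.rng = rng if rng is not None else random.Random()
        self.t = 0
        self.partial = [0] * self.levels            # open interval sum per level
        self.noisy = {}                             # (level, start) -> noisy sum

    def _laplace(self):
        # Difference of two iid Exp(1) draws, scaled, is Laplace(0, scale).
        return self.scale * (self.rng.expovariate(1.0) - self.rng.expovariate(1.0))

    def observe(self, event):
        """Ingest one 0/1 event and return the new noisy prefix count."""
        if event not in (0, 1):
            raise ValueError("event-level DP analysis assumes a 0/1 stream")
        if self.t >= self.horizon:
            raise ValueError("stream horizon exceeded; start a new counter")
        self.t += 1
        for level in range(self.levels):
            self.partial[level] += event
            size = 1 << level
            if self.t % size == 0:
                # The level-`level` interval ending now is complete: noise it
                # exactly once and reset the running partial sum.
                start = self.t - size + 1
                self.noisy[(level, start)] = self.partial[level] + self._laplace()
                self.partial[level] = 0
        return self.release()

    def release(self):
        """Noisy count of events seen so far: sum of the noisy interval sums
        in the dyadic decomposition of [1..t]."""
        return sum(self.noisy[(level, start)]
                   for level, start, _ in dyadic_intervals(self.t))


def private_prefix_counts(events, epsilon, seed=None):
    """Run the mechanism over a whole stream and return the noisy releases."""
    counter = ContinualCounter(len(events), epsilon, random.Random(seed))
    return [counter.observe(e) for e in events]


if __name__ == "__main__":
    # Constructed sample: one bit per hour, 1 = "some device reported error X".
    error_reports = [1, 0, 1, 1, 0, 1, 0, 1, 1, 1, 0, 0, 1, 0, 1, 1]
    true_counts = [sum(error_reports[:i + 1]) for i in range(len(error_reports))]
    noisy_counts = private_prefix_counts(error_reports, epsilon=1.0, seed=7)
    for hour, (true_c, noisy_c) in enumerate(zip(true_counts, noisy_counts), 1):
        print(f"hour {hour:2d}: true={true_c:2d} released={noisy_c:6.2f}")
```

The publisher sees only the `released` column, and the accuracy loss grows roughly as `log(T)^1.5 / epsilon` rather than linearly in `T`, which is what makes continual release practical for long-lived feedback channels such as error or performance reporting.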