隱私洩漏（Privacy Disclosure）一般認為屬於廣泛見於各種數位平台之間透過不同之媒介對於個人敏感資訊進行程度不一之揭露行為，在過去由於信息交換的必要性從未有像今日如此緊密而頻繁地出現於日常生活當中因此我們的社會近年來才漸漸提升此類議題的重要性，不可否認在社群網站及電子商務的出現後更加速了個人主體在網路世界中的延伸，而個人隱私的敏感資訊則更常駐於我們的手持裝置中。為確保個人隱私的保障以及安全性，以期能夠在使用社群服務、線上交易的場合中能夠在隱私洩漏風險及便利間取得平衡，我們需要一個有效而能夠量化隱私洩漏程度的模型。
在本篇論文中我們提出了量測資訊洩漏（Information Leakage）的方法並且引入了使用者感知（User Perception）作為評估隱私洩漏的參數，且我們實際以一個雛形應用程式來驗證我們的風險計算模型。我們也提出一個評估隱私風險的框架，並且在使用者運行應用程式時的流程中根據我們的模組所蒐集到的使用者輸入資訊，來評估風險層級。根據上述的做法而能夠給予使用者對於目前所處的情境之下之風險試算，使用者能採用這些評估資訊更佳的掌控自己使用應用程式的方式。

Managing privacy leakage processes are of great importance in the Android platform. The variety of new user privacy fraud reveals a new challenge in predicting potential privacy disclosure threats and protecting our privacy inside our pocket. In this paper, we present an analysis framework, called LRPDroid, for information leakage evaluation, privacy disclosure detection, and privacy risk assessment for Android applications. With newly formalized privacy measures, LRPDroid can effectively and efficiently support mobile user in identifying privacy risks of specific and operating mobile applications. New analysis viewpoints such as user perception and attack awareness with the execution data flow of mobile application are adopted in LRPDroid. With two testing scenarios evaluated, this study shows that the feasibility and practicability of LRPDroid are guaranteed.

中文摘要i
Abstractii
Contentsiii
List of Figuresiv
List of Tablesv
Chapter 1Introduction6
Chapter 2Related Work9
Chapter 3Preliminary12
Chapter 4Design Concept of LRPDroid16
Chapter 5LRPDroid System Design20
Chapter 6LRPDroid Implementation24
6.1Scenario 1: Leakage Simulation24
6.2Scenario 2: Handling Privacy Leakage Event25
Chapter 7Conclusion28
Appendix A29
Appendix B31
Reference34

[1]Steven Euijong Whang, and Hector Garcia-Molina, “A model for quantifying information leakage,” Lecture Notes in Computer Science (SDM 2012), Vol. 7482, 2012, pp. 25-44.
[2]Christopher D. Manning, Prabhakar Raghavan, and Hinrich Schtze, Introduction to information retrieval, Cambridge University Press, NY, USA, 2008.
[3]William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth. “TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones,” In Proceedings of the 9th USENIX conference on Operating systems design and implementation (OSDI’10), Berkeley, CA, USA, 2010, pp. 1-6.
[4]Clint Gibler, Jonathan Crussell, Jeremy Erickson, and Hao Chen, “AndroidLeaks: automatically detecting potential privacy leaks in android applications on a large scale,” In Proceedings of the 5th international conference on Trust and Trustworthy Computing (TRUST'12), Berlin, Heidelberg, 2012, pp. 291-307.
[5]Mario Frank, Ben Dong, Adrienne Porter-Felt, and Dawn Song.
“Mining Permission Request Patterns from Android and Facebook Applications,”. In Proceedings of 2012 IEEE International Conference on Data Mining (ICDM 2012), 2012, pp. 870-875.
[6]Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, and X. Sean Wang, “AppIntent: analyzing sensitive data transmission in android for privacy leakage detection,”. In Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security (CCS’13), NY, USA, 2013, pp. 1043-1054.
[7]Erika McCallister, Tim Grance, Karen Scarfone, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII),” NIST Special Publication 800-122, 2010.
[8]Murugiah Souppaya, Karen Scarfone, “Guidelines for Managing and Securing Mobile Devices in the Enterprise (Draft),” NIST Special Publication 800-124, 2012.
[9]Personal Information Protection Act (Taiwan, R.O.C.), http://law.moj.gov.tw/LawClass/LawAll.aspx?PCode=I0050021, 2012.
[10]Sanae Rosen, Zhiyun Qian, and Z. Morely Mao, “AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users,” In Proceedings of the third ACM conference on Data and application security and privacy (CODASPY '13), NY, USA, 2013, pp. 221-232.
[11]Te-En Wei, A. B. Jeng, Hahn-Ming Lee, Chih-How Chen, Chin-Wei Tien, “Android Privacy,” In Proceedings of the 2012 International Conference on Machine Learning and Cybernetics, Xian, 15-17 July, 2012, pp. 1830-1837.
[12]Takamasa Isohara, Keisuke Takemori and Ayumu Kubota, “Kernel-based Behavior Analysis for Android Malware Detection,” In Proceedings of the Seventh International Conference on Computational Intelligence and Security, 3-4 Dec, 2011, pp. 1011-1015.
[13]Markus Tschersicha, Christian Kahla, Stephan Heima, Stephen Craneb, Katja Bottchera, Ioannis Krontirisa and Kai Rannenberga, “Towards privacy-enhanced mobile communities—Architecture, concepts and user trials,” The Journal of Systems and Software, vol. 84, 2011, pp. 1947-1960.
[14]Welderufael Berhane Tesfay, Todd Booth, and Karl Andersson, “Reputation Based Security Model for Android Applications,” In Proceedings of the IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications, pp. 896-901, 2012.
[15]Noora Al Mutawa, Ibrahim Baggili, Andrew Marrington, “Forensic analysis of social networking applications on mobile devices,” Digital Investigation, vol. 9, pp. 24-33, 2012.
[16]Asaf Shabtai and Yuval Elovici, “Applying Behavioral Detection on Android-Based Devices,” Mobilware 2010, LNICST, vol. 48, 2010, pp. 235-249.
[17]Adrienne Porter Felt, Matthew Finifter, Erika Chin, Steven Hanna, and David Wagner, “A Survey of Mobile Malware in the Wild,” In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices (SPSM’11), 2011, Illinois, USA, pp. 3-14.
[18]Yacin Nadji, Jonathon Giffin, Patrick Trayno, “Automated remote repair for mobile malware,” In Proceedings of the 27th Annual Computer Security Applications Conference (ACSAC '11), 2011, pp. 413-422.
[19]Iker Burguera, Urko Zurutuza, Simin Nadjm-Tehrani, “Crowdroid Behavior-Based Malware Detection System,” In Proceedings of the 1st ACM workshop on Security and privacy in smartphones and mobile devices (SPSM’11), 2011, Illinois, USA, pp. 15-26.
[20]Max Landman, “Managing Smart Phone Security Risks,” In Proceedings of the 2010 Information Security Curriculum Development Conference (InfoSecCD '10), 2010, pp. 145-155.
[21]Georgios Portokalidis, Philip Homburg, Kostas Anagnostakis, Herbert Bos, “Paranoid Android: versatile protection for smartphones,” In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC '10), 2010, pp. 347-356.
[22]Michael Grace, Yajin Zhou, Qiang Zhang, Shihong Zou, Xuxian Jiang, “RiskRanker: scalable and accurate zero-day android malware detection,” In Proceedings of the 10th international conference on Mobile systems, applications, and services (MobiSys '12), 2012, pp. 281-294.
[23]Cong Zheng, Shixiong Zhu, Shuaifu Dai, Guofei Gu, Xiaorui Gong, Xinhui Han, Wei Zou, “SmartDroid: an automatic system for revealing UI-based trigger conditions in android applications,” In Proceedings of the second ACM workshop on Security and privacy in smartphones and mobile devices (SPSM '12), 2012, pp 93-94.
[24]Naver corporation, http://www.navercorp.com/en/index.nhn
[25]Weka: Data Mining Software in Java, http://www.cs.waikato.ac.nz/ml/weka/
[26]Stuart J Russell, Peter Norvig and Ernest Davis, Artificial intelligence: a modern approach, Prentice Hall, Upper Saddle River, NJ, USA, 2010.