
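Graduate student: 鐘珮珊 (Pei-Shan Zhong)
Thesis title: 於Android應用程式置入風險資訊之方法 (An Approach to Embed Risk Information into Android Application)
Advisors: 查士朝 (Shi-Cho Cha), 洪政煌 (Cheng-Huang Hung)
Oral defense committee: 羅乃維 (Nai-Wei Lo), 郁方 (Fang Yu)
Degree: Master
Department: College of Management - Department of Information Management
Year of publication: 2015
Academic year of graduation: 103
Language: Chinese
Number of pages: 40
Chinese keywords: Android, privacy protection, privacy policy, smartphone application security
Foreign-language keywords: Android Privacy, Smartphone Application Security, Privacy Policy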

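With advances in smartphone technology, users can download mobile applications to extend their phones' functions, and the various sensors built into phones can sense the user's context and so give users a better experience. However, this also brings more privacy threats. Among the many smartphone platforms, this study addresses the privacy problems of applications on the Android platform. The Android platform has provided a permission mechanism that requires an application to obtain the user's permission before it can access certain sensitive data or perform specific operations. However, such a mechanism cannot satisfy the personal data protection requirements that countries impose today. Consequently, the U.S. state of California, for example, has begun requiring smartphone application developers to provide a privacy policy for their applications, and the European Union has issued a similar opinion. However, most app marketplaces currently do not force application developers to provide a privacy policy; even when one is provided, users sometimes cannot confirm that it is accurate, and the application update mechanism further causes users to overlook that the privacy policy has been updated as well.
In view of this, this study proposes a method for embedding a description of how personal data is used into a smartphone application. The policy must be endorsed by a verification authority to ensure that it matches actual behavior. Once the user has installed the inspection client, it retrieves the personal data usage practices stored in an application whenever that application is installed or updated, and notifies the user to obtain consent. With the proposed method, users know how an application will use personal data at the time they install or update it, and can decide whether to accept the application. The method can therefore satisfy current personal data protection requirements.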


With advances in smartphone technologies, users can install applications on current smartphones to enhance smartphone functions. Moreover, as current smartphones are usually equipped with several sensors, applications can utilize context information to provide tailored services. However, if the applications leak personal data to malicious parties, personal privacy may be invaded. This thesis focuses on the Android smartphone platform. Although the Android platform has a permission mechanism that requires applications to obtain users' consent to access critical resources, the permission mechanism does not satisfy current international personal data protection rules. Therefore, several countries have started to enact regulations that require mobile application developers to provide privacy policies for their applications. Even so, when a person obtains the privacy policy of an application, the person may not know whether the policy is enforced by the associated parties. Moreover, Android applications usually update automatically if they do not request more permissions than before. Therefore, users may not notice that the privacy policies of applications have been updated.
For this reason, this study proposes a method to embed the personal data usage practices of Android applications in the content of the applications. The practices can be verified by trusted parties, so users can know whether the personal data usage practices in their applications are trustworthy. Furthermore, users can install inspection applications on their smartphones that automatically notify them how applications use their personal data when the users install or update the applications. The thesis can therefore hopefully contribute to enabling users to obtain privacy risk information about applications.

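Chapter 1. Introduction
  1.1 Research background and motivation
  1.2 Research objectives and contributions
  1.3 Thesis organization
Chapter 2. Literature review
  2.1 The Android permission mechanism and its problems
  2.2 Android Package format
  2.3 Application installation Broadcast events
  2.4 The PathDrawoid inspection tool
Chapter 3. System overview
  3.1 Usage scenarios
  3.2 System architecture
Chapter 4. Method for embedding information into applications and its verification
  4.1 Digital certificates
  4.2 Risk information document
  4.3 Information verification document
  4.4 Android Package verification
Chapter 5. Security discussion
Chapter 6. System demonstration
  6.1 System implementation environment
  6.2 System page demonstration
Chapter 7. Conclusion and future directions
References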
