DOCSLIB.ORG

Towards Comprehensible and Effective Permission Systems

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Towards Comprehensible and Effective Permission Systems Towards Comprehensible and Effective Permission Systems by Adrienne Porter Felt A dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science in the GRADUATE DIVISION of the UNIVERSITY OF CALIFORNIA, BERKELEY Committee in charge: Professor David Wagner, Chair Professor Vern Paxson Professor Tapan Parikh Fall 2012 Towards Comprehensible and Effective Permission Systems Copyright c 2012 by Adrienne Porter Felt Abstract Towards Comprehensible and Effective Permission Systems by Adrienne Porter Felt Doctor of Philosophy in Computer Science University of California, Berkeley Professor David Wagner, Chair How can we, as platform designers, protect computer users from the threats associated with ma- licious, privacy-invasive, and vulnerable applications? Modern platforms have turned away from the traditional user-based permission model and begun adopting application permission systems in an attempt to shield users from these threats. This dissertation evaluates modern permission systems with the goal of improving the security of future platforms. In platforms with application permission systems, applications are unprivileged by default and must request permissions in order to access sensitive API calls. Developers specify the permis- sions that their applications need, and users approve the granting of permissions. Permissions are intended to provide defense in depth by restricting the scope of vulnerabilities and user consent by allowing users to control whether third parties have access to their resources. In this dissertation we investigate whether permission systems are effective at providing de- fense in depth and user consent. First, we perform two studies to evaluate whether permissions provide defense in depth: we analyze applications to determine whether developers request mini- mal sets of permissions, and we quantify the impact of permissions on real-world vulnerabilities. Next, we evaluate whether permissions obtain the user’s informed consent by surveying and inter- viewing users. We use the Android application and Google Chrome extension platforms for our studies; at present, they are popular platforms with extensive permission systems. Our goal is to inform the design of future platforms with our findings. We argue that per- missions are a valuable addition to a platform, and our study results support continued work on permission systems. However, current permission warnings fail to inform the majority of users about the risks of applications. We propose a set of guidelines to aid in the design of more user- friendly permissions, based on our user research and relevant literature. 1 Contents Contents i Acknowledgements iv 1 Introduction 1 2 An Overview of Approaches to Permissions 4 2.1 Permissions For Malicious Users . 4 2.2 Permissions For Adversarial Applications . 5 2.3 Usable Permissions . 7 3 Case Studies’ Backgrounds 16 3.1 Android Applications . 16 3.2 Chrome Extensions . 20 4 Developers’ Permission Request Patterns 23 4.1 Introduction . 23 4.2 Permission Request Rates . 24 4.3 Overprivilege in Android Applications . 30 4.4 Overprivilege in Chrome Extensions . 44 4.5 Other Overprivilege Considerations . 48 4.6 Conclusion . 48 4.7 Acknowledgements . 49 5 The Effect of Permissions on Chrome Extension Vulnerabilities 50 5.1 Introduction . 50 i 5.2 Threat Model . 51 5.3 Extension Security Review . 52 5.4 Evaluation of the Permission System . 55 5.5 Evaluation of Isolated Worlds . 57 5.6 Evaluation of Privilege Separation . 59 5.7 Defenses . 62 5.8 Related Work . 66 5.9 Conclusion . 67 5.10 Acknowledgements . 68 6 Android Permissions: User Attention, Comprehension, and Behavior 69 6.1 Introduction . 69 6.2 Methodology . 70 6.3 Attention During Installation . 74 6.4 Comprehension of Permissions . 80 6.5 Influence on User Behavior . 86 6.6 Implications . 88 6.7 Conclusion . 91 6.8 Acknowledgments . 92 7 A Survey of Smartphone Users’ Concerns 93 7.1 Introduction . 93 7.2 Ratings . 94 7.3 Open-Ended Survey . 99 7.4 Reasons for Uninstallation . 102 7.5 Limitations . 104 7.6 Discussion . 105 7.7 Conclusion . 106 7.8 Acknowledgments . 107 8 How To Ask For Permission 108 8.1 Introduction . 108 8.2 Guiding Principles . 109 ii 8.3 Permission-Granting Mechanisms . 110 8.4 Expert Review . 115 8.5 Applying Our Guidelines . 116 8.6 Future Work . 121 8.7 Acknowledgements . 122 9 Conclusion 123 A Lists of Applications 124 A.1 Extension Overprivilege . 124 A.2 Extension Vulnerabilities . 124 B Full Results Of User Concern Survey 126 C Categorized Permissions 129 D Research Ethics and Safety 135 Bibliography 136 iii Acknowledgements This thesis would not have been possible without my family, friends, and colleagues. I would like to express my thanks to everyone who has provided me with support. I owe my deepest gratitude to my family. My family has always encouraged me to be curious, tenacious, and ambitious. I attribute my career in computing to my upbringing; at present, women are underrepresented in the field of Computer Science, but the lessons I learned at home taught me not to be intimidated by the gender imbalance. My father brought me to his software company’s office, my grandfather patiently answered all of my grade school “interview” questions about his career, and my mother never accepted my excuses for not completing my math homework. I was always told that I could accomplish anything. I am grateful to my husband Mark, who always provided me with his patience and support. Without him, I surely would have starved while working on paper deadlines. I would like to thank my graduate advisor, Professor David Wagner. His keen advice taught me how to formulate problems and identify feasible research directions. Too often, academia is harsh and hypercritical; David taught me how to temper criticism with kindness and a genuine desire to help. I also would like to thank my undergraduate advisor, Professor David Evans, who introduced me to research and encouraged me to consider graduate school. I would not have applied to graduate school without his assurance that I was capable of completing a Ph.D. Professors Vern Paxson, Coye Cheshire, and Tapan Parikh provided valuable feedback on my work that helped shape my research. Their comments contributed greatly to the way I thought about the problems discussed within this dissertation. I am also indebted to Adam Barth, who served as my unofficial mentor during my first year of graduate school. He taught me how to write a research paper. iv Chapter 1 Introduction Most modern platforms support large, thriving third-party application marketplaces. Users can select from an unprecedented number of applications to supplement their experiences with their smartphones, computers, web browsers, and social networking sites. For example, as of 2012, Google Play lists over 500,000 Android applications, the Facebook platform supports more than nine million applications, and the Apple App Store includes more than 600,000 iOS applica- tions [106, 53]. These applications offer a diverse set of features from a diverse set of developers. Unfortunately, third-party applications create risks for the user. Many otherwise legitimate applications aggressively collect personal information about their users (e.g., for marketing cam- paigns) in ways that make users uncomfortable [144]. Malicious applications use social engineer- ing tactics to convince users to install them [64, 159, 48, 134]. Applications can also put users at risk of external (e.g., network-based) attacks by containing vulnerabilities; the authors of third- party applications usually are not security experts [104, 154]. How can platform designers help users avoid these threats while still supporting a broad range of colorful applications? Traditional user-based security mechanisms were designed to protect users from each other on time-shared computers, in an era when most applications were downloaded from trusted sources or written by users themselves. Consequently, traditional operating systems assign the user’s full privileges to all applications. However, this threat model is no longer appropriate now that users cannot fully trust their applications. Modern platforms are consequently transitioning to a new se- curity model in which each application has a different set of permissions based on its requirements. These permissions control applications’ access to security- and privacy-relevant system resources, so that users can decide whether to give individual applications access to these sensitive resources. This new style of permission system can be found in contemporary smartphone operating sys- tems (e.g., Android and Windows Phone 7), new desktop operating systems (e.g., Windows 8 Metro), social networking platforms (e.g., Facebook and Twitter), and browsers (e.g., the Google Chrome extension platform and new HTML5 features). In some of these platforms, users are prompted to approve permissions as needed by applications at runtime. In others, developers are asked to declare their applications’ permission requirements up-front so that users can grant per- 1 missions at install-time. Regardless of when the permission request occurs, users are asked to make security decisions on a per-application basis, and developers need to design their applications to work within the constraints of the permission systems. This dissertation evaluates whether modern permission systems have a positive effect on end user security, with the goal of guiding the design of security mechanisms in future
Load more

Recommended publications
  • The Effectiveness of Application Permissions
    The Effectiveness of Application Permissions Adrienne Porter Felt,∗ Kate Greenwood, David Wagner University of California, Berkeley apf, kate eli, [email protected] Abstract cations’ permission requirements up-front so that users can grant them during installation. Traditional user-based permission systems assign the Traditional user-based permission systems assign the user’s full privileges to all applications. Modern plat- user’s full privileges to all of the user’s applications. In forms are transitioning to a new model, in which each the application permission model, however, each appli- application has a different set of permissions based on cation can have a customized set of permissions based its requirements. Application permissions offer several on its individual privilege requirements. If most applica- advantages over traditional user-based permissions, but tions can be satisfied with less than the user’s full priv- these benefits rely on the assumption that applications ileges, then three advantages of application permissions generally require less than full privileges. We explore over the traditional user-based model are possible: whether that assumption is realistic, which provides in- sight into the value of application permissions. • User Consent: Security-conscious users may be We perform case studies on two platforms with appli- hesitant to grant access to dangerous permissions cation permissions, the Google Chrome extension sys- without justification. For install-time systems, this tem and the Android OS. We collect the permission re- might alert some users to malware at installation; quirements of a large set of Google Chrome extensions for time-of-use systems, this can prevent an in- and Android applications.
    [Show full text]
  • Appendix 1 - 5 Appendix 1 - Questionnaire for Colleges
    Appendix 1 - 5 Appendix 1 - Questionnaire for Colleges Declaration: I, Rajeev Ghode, persuing my Ph.D. in Department of Communication Studies, Pune University. Title of Ph.D. Research is "To study potential and challenges in the use and adoption of ICT in Higher Education"For this research purpose, I want to collect quantitative data from all the professors of colleges which are affiliated to Pune University. I ensure that all the data collected will be used only for the Ph.D. research and secrecy of the data will be maintained. I appreciate you for spending your valuable time to fill this questionnaire. Thanking You <•;. Prof. Rajeev Ghode Questionnaire Name of the College Address/City 1 Arts Science and Commerce College 1 Arts Science and Commerce College with Computer Science Type of College 1 Commerce and BBA Q B.Ed. College 1 1 Law Institutional ICT Infrastructure Sr. ICT Infrastructure Yes No Provision in near No. future 1. Multimedia /Conference Hall 2. Computer Lab 3. Internet Connectivity in Campus 4. Digital Library 5. Website 6. Organization e-mail Server 7. Blog Appendix - I Sr. ICT Infrastructure Yes No Provision in near No. future 8. Presence on SNS 9. Online Admission System 10. Online/Offline Examination Application 11. Biometric Attendance 12. Student Management System 13. Professional membership for online journals Department-wise ICT Infrastructure Sr. ICT Infrastructure Yes No Provision in near No. future 1. Do you have separate Desktops for faculties in every department? 2. Do you have separate Laptops for every department? 3. Does every department have LCD Projector? 4.
    [Show full text]
  • Browser Wars
    Uppsala universitet Inst. för informationsvetenskap Browser Wars Kampen om webbläsarmarknaden Andreas Högström, Emil Pettersson Kurs: Examensarbete Nivå: C Termin: VT-10 Datum: 2010-06-07 Handledare: Anneli Edman "Anyone who slaps a 'this page is best viewed with Browser X' label on a Web page appears to be yearning for the bad old days, before the Web, when you had very little chance of read- ing a document written on another computer, another word processor, or another network" - Sir Timothy John Berners-Lee, grundare av World Wide Web Consortium, Technology Review juli 1996 Innehållsförteckning Abstract ...................................................................................................................................... 1 Sammanfattning ......................................................................................................................... 2 1 Inledning .................................................................................................................................. 3 1.1 Bakgrund .............................................................................................................................. 3 1.2 Syfte ..................................................................................................................................... 3 1.3 Frågeställningar .................................................................................................................... 3 1.4 Avgränsningar .....................................................................................................................
    [Show full text]
  • Apigee X Migration Offering
    Apigee X Migration Offering Overview Today, enterprises on their digital transformation journeys are striving for “Digital Excellence” to meet new digital demands. To achieve this, they are looking to accelerate their journeys to the cloud and revamp their API strategies. Businesses are looking to build APIs that can operate anywhere to provide new and seamless cus- tomer experiences quickly and securely. In February 2021, Google announced the launch of the new version of the cloud API management platform Apigee called Apigee X. It will provide enterprises with a high performing, reliable, and global digital transformation platform that drives success with digital excellence. Apigee X inte- grates deeply with Google Cloud Platform offerings to provide improved performance, scalability, controls and AI powered automation & security that clients need to provide un-parallel customer experiences. Partnerships Fresh Gravity is an official partner of Google Cloud and has deep experience in implementing GCP products like Apigee/Hybrid, Anthos, GKE, Cloud Run, Cloud CDN, Appsheet, BigQuery, Cloud Armor and others. Apigee X Value Proposition Apigee X provides several benefits to clients for them to consider migrating from their existing Apigee Edge platform, whether on-premise or on the cloud, to better manage their APIs. Enhanced customer experience through global reach, better performance, scalability and predictability • Global reach for multi-region setup, distributed caching, scaling, and peak traffic support • Managed autoscaling for runtime instance ingress as well as environments independently based on API traffic • AI-powered automation and ML capabilities help to autonomously identify anomalies, predict traffic for peak seasons, and ensure APIs adhere to compliance requirements.
    [Show full text]
  • Knowledge Graphs
    KNOWLEDGE GRAPHS Lecture 1: Introduction and Motivation Markus Krotzsch¨ Knowledge-Based Systems TU Dresden, 16th Oct 2018 Introduction and Organisation Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 2 of 25 Course Tutors Markus Krötzsch Maximilian Marx Lectures Exercises Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 3 of 25 Organisation Lectures Tuesday, DS 3 (11:10–12:40), APB E005 Exercise Sessions (starting 23 October) Tuesday, DS 5 (14:50–16:20), APB E005 Web Page https://iccl.inf.tu-dresden.de/web/Knowledge_Graphs_(WS2018/19) Lecture Notes Slides of current and past lectures will be online. Modules INF-B-510, INF-B-520, INF-BAS6, INF-E-3, INF-PM-FOR, INF-VERT6, MCL-KR, MCL-TCSL – anything else? Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 4 of 25 Goals and Prerequisites Goals • Introduce basic notions of graph-based knowledge representation(s) • Study important graph data management approaches (RDF, Property Graph) and query languages • Learn about relevant methods, tools, and datasets • Discuss aspects of modelling and quality assurance (Non-)Prerequisites • No particular prior courses needed • Basic programming skills are assumed; practical experience beyond basic courses will be helpful • Interesting optional synergies: databases, machine learning, social networks, graph theory Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 5 of 25 Motivation Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 6 of 25 The Hype (c) 2018 Gartner, Inc. All rights reserved. Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 7 of 25 Knowledge Graphs Everywhere All company logos subject to copyrights. All rights reserved. Markus Krötzsch, 16th Oct 2018 Knowledge Graphs slide 8 of 25 The original “Knowledge Graph” (Google, 2012): (c) Google.
    [Show full text]
  • EN-Google Hacks.Pdf
    Table of Contents Credits Foreword Preface Chapter 1. Searching Google 1. Setting Preferences 2. Language Tools 3. Anatomy of a Search Result 4. Specialized Vocabularies: Slang and Terminology 5. Getting Around the 10 Word Limit 6. Word Order Matters 7. Repetition Matters 8. Mixing Syntaxes 9. Hacking Google URLs 10. Hacking Google Search Forms 11. Date-Range Searching 12. Understanding and Using Julian Dates 13. Using Full-Word Wildcards 14. inurl: Versus site: 15. Checking Spelling 16. Consulting the Dictionary 17. Consulting the Phonebook 18. Tracking Stocks 19. Google Interface for Translators 20. Searching Article Archives 21. Finding Directories of Information 22. Finding Technical Definitions 23. Finding Weblog Commentary 24. The Google Toolbar 25. The Mozilla Google Toolbar 26. The Quick Search Toolbar 27. GAPIS 28. Googling with Bookmarklets Chapter 2. Google Special Services and Collections 29. Google Directory 30. Google Groups 31. Google Images 32. Google News 33. Google Catalogs 34. Froogle 35. Google Labs Chapter 3. Third-Party Google Services 36. XooMLe: The Google API in Plain Old XML 37. Google by Email 38. Simplifying Google Groups URLs 39. What Does Google Think Of... 40. GooglePeople Chapter 4. Non-API Google Applications 41. Don't Try This at Home 42. Building a Custom Date-Range Search Form 43. Building Google Directory URLs 44. Scraping Google Results 45. Scraping Google AdWords 46. Scraping Google Groups 47. Scraping Google News 48. Scraping Google Catalogs 49. Scraping the Google Phonebook Chapter 5. Introducing the Google Web API 50. Programming the Google Web API with Perl 51. Looping Around the 10-Result Limit 52.
    [Show full text]
  • 2Nd USENIX Conference on Web Application Development (Webapps ’11)
    conference proceedings Proceedings of the 2nd USENIX Conference Application on Web Development 2nd USENIX Conference on Web Application Development (WebApps ’11) Portland, OR, USA Portland, OR, USA June 15–16, 2011 Sponsored by June 15–16, 2011 © 2011 by The USENIX Association All Rights Reserved This volume is published as a collective work. Rights to individual papers remain with the author or the author’s employer. Permission is granted for the noncommercial reproduction of the complete work for educational or research purposes. Permission is granted to print, primarily for one person’s exclusive use, a single copy of these Proceedings. USENIX acknowledges all trademarks herein. ISBN 978-931971-86-7 USENIX Association Proceedings of the 2nd USENIX Conference on Web Application Development June 15–16, 2011 Portland, OR, USA Conference Organizers Program Chair Armando Fox, University of California, Berkeley Program Committee Adam Barth, Google Inc. Abdur Chowdhury, Twitter Jon Howell, Microsoft Research Collin Jackson, Carnegie Mellon University Bobby Johnson, Facebook Emre Kıcıman, Microsoft Research Michael E. Maximilien, IBM Research Owen O’Malley, Yahoo! Research John Ousterhout, Stanford University Swami Sivasubramanian, Amazon Web Services Geoffrey M. Voelker, University of California, San Diego Nickolai Zeldovich, Massachusetts Institute of Technology The USENIX Association Staff WebApps ’11: 2nd USENIX Conference on Web Application Development June 15–16, 2011 Portland, OR, USA Message from the Program Chair . v Wednesday, June 15 10:30–Noon GuardRails: A Data-Centric Web Application Security Framework . 1 Jonathan Burket, Patrick Mutchler, Michael Weaver, Muzzammil Zaveri, and David Evans, University of Virginia PHP Aspis: Using Partial Taint Tracking to Protect Against Injection Attacks .
    [Show full text]
  • Google Dictionary: a Critical Review
    3 Issues and Trends in Learning Technologies Volume 8, Number 1, May 2020 Google Dictionary: A Critical Review Musa Nushi Afshin Moradi Shahid Beheshti University Shahid Beheshti University Abstract In an increasingly digital world, online educational resources, apps, and other technologies can serve as incredibly effective tools to facilitate both teaching and learning. One such online tool is the Google Dictionary. This dictionary, an online service of Google, is probably one of the simplest dictionaries for English learners. The definitions usually use simple words and therefore are easy to understand. In addition to the definitions, examples, pictures, and usage notes, there is a separate pronunciation entry with interesting characteristics. This newly added entry provides users with the pronunciation of a word in two different accents, visemes, slow playback, and an option that lets Google collect feedback about the accuracy and helpfulness of the pronunciation recordings from users. This review paper offers a descriptive account of the entry, along with critical evaluation including its strong points and limitations. The review concludes with some suggestions to improve the educational quality of the pronunciation entry.. Keywords: Google Dictionary, pronunciation, second language, technology Website Details Publisher: Google Product Type: Web-based service Language(s): Multilingual Level: Any Media Format: WebP and WebM Operating Systems: Any Hardware Requirements: Internet Connection Supplementary Software: None Introduction The Internet has revolutionized the way we go about living our lives. There is hardly an area, at least in the Western world, that has not been touched by the Internet revolution (Esterle, Ranck & Schmitt, 2005; Selwyn, 2014). The affordances provided by the Internet are enormous, ranging from checking whether one’s plant needs water to booking a hotel in a resort island off the coast of Montenegro, in the Adriatic Sea.
    [Show full text]
  • Understanding and Mitigating Attacks Targeting Web Browsers
    Understanding and Mitigating Attacks Targeting Web Browsers A Dissertation presented in partial fulfillment of the requirements for the degree of Doctor of Philosophy in the field of Information Assurance by Ahmet Salih Buyukkayhan Northeastern University Khoury College of Computer Sciences Boston, Massachusetts April 2019 To my family, teachers and mentors. i Contents List of Figures v List of Tables vii Acknowledgments viii Abstract of the Dissertation ix 1 Introduction 1 1.1 Structure of the Thesis . .2 2 Background 4 2.1 Browser Extensions . .4 2.1.1 Firefox Extensions . .5 2.1.2 Extension Security . .7 2.2 Vulnerabilities in Web Applications . .9 2.2.1 Vulnerability Reward Programs and Platforms . .9 2.2.2 XSS Vulnerabilities . 10 2.2.3 XSS Defenses . 12 3 CrossFire: Firefox Extension-Reuse Vulnerabilities 14 3.1 Overview . 14 3.2 Threat Model . 15 3.3 Design . 16 3.3.1 Vulnerability Analysis . 17 3.3.2 Exploit Generation . 19 3.3.3 Example Vulnerabilities . 20 3.4 Implementation . 23 3.5 Evaluation . 23 3.5.1 Vulnerabilities in Top Extensions . 23 3.5.2 Random Sample Study of Extensions . 25 3.5.3 Performance & Manual Effort . 27 ii 3.5.4 Case Study: Submitting an Extension to Mozilla Add-ons Repository . 28 3.5.5 Jetpack Extensions. 30 3.5.6 Implications on Extension Vetting Procedures . 31 3.6 Summary . 31 4 SENTINEL: Securing Legacy Firefox Extensions 33 4.1 Overview . 33 4.2 Threat Model . 34 4.3 Design . 35 4.3.1 Intercepting XPCOM Operations . 36 4.3.2 Intercepting XUL Document Manipulations .
    [Show full text]
  • Security Analysis of Browser Extension Concepts
    Saarland University Faculty of Natural Sciences and Technology I Department of Computer Science Bachelor's thesis Security Analysis of Browser Extension Concepts A comparison of Internet Explorer 9, Safari 5, Firefox 8, and Chrome 14 submitted by Karsten Knuth submitted January 14, 2012 Supervisor Prof. Dr. Michael Backes Advisors Raphael Reischuk Sebastian Gerling Reviewers Prof. Dr. Michael Backes Dr. Matteo Maffei Statement in Lieu of an Oath I hereby confirm that I have written this thesis on my own and that I have not used any other media or materials than the ones referred to in this thesis. Saarbr¨ucken, January 14, 2012 Karsten Knuth Declaration of Consent I agree to make both versions of my thesis (with a passing grade) accessible to the public by having them added to the library of the Computer Science Department. Saarbr¨ucken, January 14, 2012 Karsten Knuth Acknowledgments First of all, I thank Professor Dr. Michael Backes for giving me the chance to write my bachelor's thesis at the Information Security & Cryptography chair. During the making of this thesis I have gotten a deeper look in a topic which I hope to be given the chance to follow up in my upcoming academic career. Furthermore, I thank my advisors Raphael Reischuk, Sebastian Gerling, and Philipp von Styp-Rekowsky for supporting me with words and deeds during the making of this thesis. In particular, I thank the first two for bearing with me since the release of my topic. My thanks also go to Lara Schneider and Michael Zeidler for offering me helpful advice.
    [Show full text]
  • Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros
    ARXIV.ORG DIGITAL LIBRARY 1 Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros Abstract—This articles surveys the existing literature on the of ads [1], [2], price discrimination [3], [4], assessing our methods currently used by web services to track the user online as health and mental condition [5], [6], or assessing financial well as their purposes, implications, and possible user’s defenses. credibility [7]–[9]. Apart from that, the data can be accessed A significant majority of reviewed articles and web resources are from years 2012 – 2014. Privacy seems to be the Achilles’ by government agencies and identity thieves. Some affiliate heel of today’s web. Web services make continuous efforts to programs (e.g., pay-per-sale [10]) require tracking to follow obtain as much information as they can about the things we the user from the website where the advertisement is placed search, the sites we visit, the people with who we contact, to the website where the actual purchase is made [11]. and the products we buy. Tracking is usually performed for Personal information in the web can be voluntarily given commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client by the user (e.g., by filling web forms) or it can be collected storage, client cache, fingerprinting, or yet other approaches. indirectly without their knowledge through the analysis of the A special focus is placed on mechanisms that use web caches, IP headers, HTTP requests, queries in search engines, or even operational caches, and fingerprinting, as they are usually very by using JavaScript and Flash programs embedded in web rich in terms of using various creative methodologies.
    [Show full text]
  • Methods in User Data Searches Simplified Approach to Web Searches Chandana Mallapragada Missouri University of Science and Technology, [email protected]
    Association for Information Systems AIS Electronic Library (AISeL) MWAIS 2017 Proceedings Midwest (MWAIS) 6-2017 Methods in User Data Searches Simplified Approach to Web Searches Chandana Mallapragada Missouri University of Science and Technology, [email protected] Daniel Feissle Missouri University of Science and Technology, [email protected] Sonia Kapoor Missouri University of Science and Technology, [email protected] Tylor Brom Missouri University of Science and Technology, [email protected] Follow this and additional works at: http://aisel.aisnet.org/mwais2017 Recommended Citation Mallapragada, Chandana; Feissle, Daniel; Kapoor, Sonia; and Brom, Tylor, "Methods in User Data Searches Simplified Approach to Web Searches" (2017). MWAIS 2017 Proceedings. 4. http://aisel.aisnet.org/mwais2017/4 This material is brought to you by the Midwest (MWAIS) at AIS Electronic Library (AISeL). It has been accepted for inclusion in MWAIS 2017 Proceedings by an authorized administrator of AIS Electronic Library (AISeL). For more information, please contact [email protected]. Mallapragada et al. Methods in User Web Searches Methods in User Data Searches Simplified Approach to Web Searches Chandana Mallapragada Daniel Feissle Missouri University of Science and Technology Missouri University of Science and Technology [email protected] [email protected] Sonia Kapoor Tylor Brom Missouri University of Science and Technology Missouri University of Science and Technology [email protected] [email protected] Nathan Twyman Missouri University of Science and Technology [email protected] ABSTRACT The purpose of this study is to provide a solution for the unpleasant experience caused when the user wants to learn an unfamiliar word while reading online. We propose to build a cross-browser built-in dictionary extension called Word Detector.
    [Show full text]