Nick Nikiforakis (Stony Brook University)

Small and Different: Security and Privacy Risks of Mobile Browsers

Recent years have seen a steady increase in the sales of mobile devices as more and more users purchase smartphones and tablets to supplement their computing needs. Smartphones' cleaner UIs, in combination with an ever-increasing number of apps and constantly decreasing prices, are attracting more and more users who entrust their devices with sensitive data, such as personal photographs, work emails, and financial information. To browse the web from these devices, users can choose between hundreds of competing mobile browsers, each advertising its own unique set of features.

In this talk, we will discuss the idiosyncrasies of these mobile web browsers and show that they are vulnerable to attacks that were never an issue on traditional desktop browsers. We will first present the results of analyzing over 2,000 versions of mobile browsers, spanning five years and 128 browser families, and show that mobile browsers are becoming more vulnerable to certain classes of attacks with each passing year. We will then focus on the ability of mobile browsers to enforce standard security mechanisms, such as HTTP Strict Transport Security (HSTS) and Content Security Policy (CSP). We will show that mobile browsers lag behind desktop browsers in their support of these mechanisms, resulting in users being less secure when they browse a given website over a mobile browser, as opposed to a desktop browser. Lastly, we will explore the workings of data-saving mobile browsers and how their unique design can open up users to attacks.
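
The talk's point is that HSTS and CSP protect a visitor only if the browser actually enforces them, so a site that sends strong headers still gets weaker protection on a browser that ignores them. The following is an added example, not code from the talk or from the study it describes: a small Node.js audit of the headers a site sends, parsing Strict-Transport-Security and Content-Security-Policy and flagging the weak settings a practitioner checks first. The header values are constructed sample data, and the one-year threshold and the wording of the findings are the example's own choices.

```javascript
// Added example (not from the talk): parse and audit the HSTS and CSP
// headers a site sends. Header values below are constructed sample data.

const ONE_YEAR = 31536000; // seconds; a commonly recommended HSTS minimum

// Parse Strict-Transport-Security. Returns null when the header is absent
// or carries no valid max-age, which a browser treats as "no HSTS at all".
function parseHsts(value) {
  if (!value) return null;
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of value.split(';')) {
    const token = raw.trim();
    if (!token) continue;
    const eq = token.indexOf('=');
    const name = (eq === -1 ? token : token.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    if (name === 'max-age') {
      const n = Number(val);
      if (!Number.isInteger(n) || n < 0) return null; // malformed max-age
      hsts.maxAge = n;
    } else if (name === 'includesubdomains') {
      hsts.includeSubDomains = true;
    } else if (name === 'preload') {
      hsts.preload = true;
    }
  }
  return hsts.maxAge === null ? null : hsts;
}

// Parse Content-Security-Policy into a Map of directive -> source list.
// A directive repeated within one header keeps only its first occurrence,
// which is what the CSP specification prescribes.
function parseCsp(value) {
  const directives = new Map();
  if (!value) return directives;
  for (const raw of value.split(';')) {
    const parts = raw.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Audit a map of lower-cased header names to values; returns findings
// (an empty array means nothing to report).
function auditHeaders(headers) {
  const findings = [];

  const hsts = parseHsts(headers['strict-transport-security']);
  if (!hsts) {
    findings.push('HSTS: header missing or malformed');
  } else {
    if (hsts.maxAge < ONE_YEAR) findings.push(`HSTS: max-age ${hsts.maxAge} is under one year`);
    if (!hsts.includeSubDomains) findings.push('HSTS: includeSubDomains not set');
  }

  const csp = parseCsp(headers['content-security-policy']);
  if (csp.size === 0) {
    findings.push('CSP: header missing');
  } else {
    // script-src falls back to default-src when absent; an empty list means 'none'.
    const key = csp.has('script-src') ? 'script-src' : csp.has('default-src') ? 'default-src' : null;
    if (!key) {
      findings.push('CSP: neither script-src nor default-src restricts scripts');
    } else {
      const scriptSrc = csp.get(key).map(s => s.toLowerCase());
      // 'unsafe-inline' is ignored by CSP2+ browsers once a nonce or hash is present.
      const hasNonceOrHash = scriptSrc.some(s => /^'(nonce-|sha(256|384|512)-)/.test(s));
      if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) findings.push("CSP: script-src allows 'unsafe-inline'");
      if (scriptSrc.includes('*')) findings.push('CSP: script-src allows any host');
    }
  }
  return findings;
}

// Constructed sample responses: one well configured, one weak.
const SAMPLE_STRONG = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'content-security-policy': "default-src 'self'; script-src 'self' 'nonce-d2VsbA'; object-src 'none'",
};
const SAMPLE_WEAK = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src *; script-src * 'unsafe-inline'",
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, h] of [['strong', SAMPLE_STRONG], ['weak', SAMPLE_WEAK]]) {
    const f = auditHeaders(h);
    console.log(`${label}: ${f.length === 0 ? 'no findings' : f.join('; ')}`);
  }
}
```

The audit deliberately reports an absent or malformed max-age the same way as a missing header, because that is how a browser treats it. The output is only half the picture for a mobile audience: the same headers must also be tested against the browsers users actually run, since a browser that does not implement HSTS or CSP silently gives the attacker the pre-header behaviour.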

Bo Li (University of Illinois at Urbana-Champaign)

Elissa M. Redmiles (Max Planck Institute for Software Systems)

Learning from the People: Responsibly Encouraging Adoption of Contact Tracing Apps

While significant focus was put on developing privacy protocols for these apps, relatively less attention was given to understanding why, and why not, users might adopt them. Yet, for these technological solutions to benefit public health, users must be willing to adopt these apps. In this talk I showcase the value of taking a descriptive ethics approach to setting best practices in this new domain. Descriptive ethics, introduced by the field of moral philosophy, determines best practices by learning directly from the user -- observing people's preferences and inferring best practice from that behavior -- instead of exclusively relying on experts' normative decisions. This talk presents an empirically validated framework of users' decision inputs to adopt COVID-19 contact tracing apps, including app accuracy, privacy, benefits, and mobile costs. Using predictive models of users' likelihood to install COVID-19 apps based on quantifications of these factors, I show how high the bar is for achieving adoption. I conclude by discussing a large-scale field study in which we put our survey and experimental results into practice to help the state of Louisiana advertise its COVID-19 app through a series of randomized controlled Google Ads experiments.