A Guideline for YAPI: An Automated Location Privacy Benchmarking Tool for Smartphone Users

This guideline explains how to obtain benchmarking results with the tools used in YAPI.

A. Benchmarking Routine:

1. Location Abusing Type
2. Excavating Privacy Threat Activities
3. Evaluating Activity Utilized Frequencies
4. Calculating Benchmarking Results

1. Location Abusing Type

Type 0: Exact Location (no location privacy threats)
Type 1: Only Track (location privacy can be protected at tracking level)
Type 2: Only City (location privacy can be protected at city level)
Type 3: No location (location information is abused seriously)

2. Excavating Privacy Threat Activities

2.1 Tools:

2.1.1 Fiddler/Charles
Download: Fiddler: https://www.telerik.com/download/fiddler
Charles: https://www.charlesproxy.com
2.1.2 AUICrawler-master
Download: AUICrawler: https://github.com/Tonyzhangcanon/AUICrawler
Or: AUICrawler

2.2 Methods:

Specify the target activities, the path to the APK files and other related settings in AUICrawler\config\Setting.py, then run the script AUICrawler/Crawler.py so that AUICrawler invokes the target Android activities in 5 cloned Android emulators. The 5 cloned emulators differ only in their system location information, so you can compare the captured information without other interference:

Emulator 1&2: exact location information

Emulator 3: tracking level location information

Emulator 4: city level location information

Emulator 5: no location information

Both HTTP and HTTPS packets from Android devices can be captured by Fiddler or Charles, but several configuration steps have to be completed beforehand. These settings are not covered in detail here.

Using the packets captured while the target activity is active, you can analyze which threat type the activity poses. For example, if location information is uploaded to servers, the responses should be related to your location information. To decide which threat type applies, compare the packets from the 5 emulators.

3. Evaluating Activity Utilized Frequencies

You can use AppCrawler to avoid the influence of user preferences when evaluating activity utilized frequencies.

3.1 Tools:

3.1.1 Appium
Download: http://appium.io
3.1.2 AppCrawler
Download: https://github.com/seveniruby/AppCrawler
Or: AppCrawler

3.2 Methods:

For any app, to traverse more app components on your smartphone or emulator, you have to write a configuration file (xxx.yml or xxx.yaml) with some basic settings such as black and white lists, the components to traverse first, and the traversal depth.

With the configuration file, you can launch AppCrawler with Appium on your PC. The traverse results will be saved automatically, and then you can get the utilized frequencies for the tested app. The configuration files are different for iOS apps and Android apps.

4. Calculating Benchmarking Results

The rationale behind the algorithm is described in the dissertation; the algorithm is as follows:

TL ← 0
for j ← 0 to 3
     TL(j) ← 0
     for i ← 1 to n
         A(i) ← (n(i) + N/n)/2N
         TL(j) ← tl(j) * A(i) + TL(j)
     TL ← TL(j) + TL
for j ← 0 to 3
     YAPI(j) ← TL(j)/TL

TL: Total threat level (initial value is 0)
TL(j): Overall threat levels TL(j) for one app (j: 0-3)
A(i): The activity weight (i:0-3)
n(i): Number of times activity i was active
n: Number of activities
N: Number of traversals
N/n: Cardinality
tl(j): Location abusing types
YAPI(j): Overall location abusing level
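
The calculation above as a runnable sketch. This is an added example, not code from the YAPI project. It assumes tl(j) is an indicator that is 1 when an activity was classified as type j and 0 otherwise; the function names, activity names and counts are constructed for illustration.

```python
"""YAPI score calculation (added example, not the YAPI authors' code)."""

TYPES = (0, 1, 2, 3)  # location abusing types from section 1


def activity_weights(active_counts, traversals):
    """Return A(i) = (n(i) + N/n) / 2N for every activity i."""
    n = len(active_counts)
    if n == 0 or traversals <= 0:
        raise ValueError("need at least one activity and one traversal")
    if any(count < 0 for count in active_counts.values()):
        raise ValueError("active counts cannot be negative")
    cardinality = traversals / n  # N/n
    return {name: (count + cardinality) / (2 * traversals)
            for name, count in active_counts.items()}


def yapi_scores(active_counts, activity_types, traversals):
    """Return {j: YAPI(j)}: the share of total threat level held by type j."""
    weights = activity_weights(active_counts, traversals)
    tl = dict.fromkeys(TYPES, 0.0)  # TL(j)
    for name, a_i in weights.items():
        j = activity_types[name]  # KeyError if an activity was never classified
        if j not in tl:
            raise ValueError(f"unknown type {j!r} for activity {name}")
        # Assumption: tl(j) is 1 for the activity's assigned type and 0 for
        # the other three, so each weight lands in exactly one TL(j).
        tl[j] += a_i
    total = sum(tl.values())  # TL; always > 0 because every A(i) > 0
    return {j: tl[j] / total for j in TYPES}


# Constructed sample: 4 hypothetical activities seen over N = 20 traversals.
SAMPLE_COUNTS = {"MainActivity": 10, "MapActivity": 6,
                 "WeatherActivity": 3, "SettingsActivity": 1}
SAMPLE_TYPES = {"MainActivity": 3, "MapActivity": 0,
                "WeatherActivity": 2, "SettingsActivity": 3}

if __name__ == "__main__":
    for j, score in yapi_scores(SAMPLE_COUNTS, SAMPLE_TYPES, 20).items():
        print(f"YAPI({j}) = {score:.3f}")
```

Because of the N/n term, an activity that was never reached during traversal still receives a non-zero weight, so its threat type still contributes to the result.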

B. Other Necessary files and video tutorials

Videos:

Appcrawler+Whatsapp.mp4: A demo about traversing WhatsApp Android app with AppCrawler (Evaluating Activity Utilized Frequencies).

auicrawler1.mp4 & auicrawler2.mp4: Excavating Privacy Threat Activities.

fiddlerCatch.mp4: A demo about how Fiddler can capture smartphone HTTP & HTTPS packets.

inspackage.mp4: To introduce a method for collecting Android app activities.

I didn’t traverse WhatsApp app components for a long period in the video tutorials and the benchmarking result calculated from the short demo with the above algorithms indicates that there is no location abuse detected. You can try the test by yourself on WhatsApp or other apps.

YAPI.apk: Implementing location protection in Android smartphones.

AppCrawler configuration file

App activities of WhatsApp