In "Snooping on Mobile Phones: Prevalence and Trends," a paper presented at SOUPS 16, computer scientists from UBC and the University of Lisbon report on a rigorous survey revealing that up to one in five people have snooped on a loved one or friend by accessing their phone.
This conduct, called a "lunchtime attack" by security researchers, was measured by administering a "list experiment" questionnaire to over 1,300 participants sourced through Amazon's Mechanical Turk.
31 percent of respondents admitted to going through a friend or loved one's phone in the past year; among the US portion of the respondents, it was about 20%.
Though this study has a large pool of participants and uses a well-understood methodology — list experiments measure socially stigmatized conduct by burying questions about it in long questionnaires that have been stuffed with other kinds of questions — it does suffer from a methodological problem common to a lot of social science: it drew its participants from people who'd signed up to do piecework for the Mechanical Turk. This methodological bias is the latest incarnation of the earlier problem of almost all social science research subjects being drawn from university undergrads (who are not at all representative of either the general population or even the population of university-aged young adults).
This state-of-affairs can and should be addressed. There is room to improve privacy-preserving technologies that still impose too much effort on users, like mobile authentication. In recent years, biometric authentication on mobile devices, especially fingerprint authentication, has become more available and usable. There have also been extensive research efforts in making secret-based authentication more usable. Trends such as these indicate that defenses may be catching up.
However, two considerations should be given to the authentication approach of defense. First, as usable as authentication is made to be, it is not unreasonable to think that, for many people, it will never be attractive. Potential users of secret-based authentication may continue to think that it's a hassle. Potential users of biometric authentication may have privacy concerns. Defenses against snooping attacks for those people are few, if any.
A second consideration is that innovations in authentication should include snooping attacks in their threat models, because snooping attacks are likely to be attempted. Some adaptive authentication methods that have been proposed can reduce authentication requirements when devices are in "trusted places", like at home or at work (for instance, Android's Smart Lock). It should now be clear that, in face of the pervasiveness of snooping attacks, that increase in usability will likely come at the cost of increased security
Snooping on Mobile Phones: Prevalence and Trends
[Diogo Marques, Ildar Muslukhov, Tiago Guerreiro, Konstantin Beznosov, Luis Carrico/Symposium On Usable Privacy and Security 2016]
Your Smartphone Is Being Secretly Accessed—By Your Friends and Family