1 in 5 snoop on a phone belonging to a friend or loved one

In Snooping on Mobile Phones: Prevalence and Trends, a paper presented at SOUPS 16, computer scientists from UBC and the University of Lisbon show that a rigorous survey reveals that up to one in five people have snooped on a loved one or friend by accessing their phone.

This conduct, called a "lunchtime attack" by security researchers, was measured by administering a "list experiment" questionnaire to over 1,300 participants sourced through Amazon's Mechanical Turk.

31 percent of respondents admitted to going through a friend or loved one's phone in the past year; in the US proportion of the respondents, it was about 20%.

Though this study has a large pool of participants and uses a well-understood methodology -- list experiments measure socially stigmatized conduct by burying questions about it in long questionnaires that have been stuffed with other kinds of questions -- it does suffer from a methodological problem to a lot of social science: it drew its participants from people who'd signed up to do piecework for the Mechanical Turk. This methodological bias is the latest incarnation of the earlier problem of almost all social science research subjects being drawn from university undergrads (who are not at all representative of either the general population or even the population of university-aged young adults).

This state-of-affairs can and should be addressed. There is room to improve privacy-preserving technologies that still impose too much effort on users, like mobile authentication. In recent year, biometric authentication on mobile devices, especially fingerprint authentication, has become more available and usable. There have also been extensive research efforts in making secret-based authentication more usable. Trends such as these indicate that defenses may be catching up.

However, two considerations should be given to the authentication approach of defense. First, as usable as authentication is made to be, it is not unreasonable to think that, for many people, it will never be attractive. Potential users of secret-based authentication may continue to think that it’s a hassle. Potential users of biometric authentication may have privacy concerns. Defenses against snooping attacks for those people are few, if any.

A second consideration it that innovations in authentication should include snooping attacks in their threat models, because snooping attacks are likely to be attempted. Some adaptive authentication methods that have been proposed can reduce authentication requirements when devices are in "trusted places", like at home or at work (for instance, Android’s Smart Lock [16]). It should now be clear that, in face of the pervasiveness of snooping attacks, that increase in usability will likely come at the cost of increased security risk.

Snooping on Mobile Phones: Prevalence and Trends [Diogo Marques, Ildar Muslukhov, Tiago Guerreiro, Konstantin Beznosov, Luis Carrico/Symposium On Usable Privacy and Security 2016]

Your Smartphone Is Being Secretly Accessed—By Your Friends and Family [Bryson Masse/Motherboard]

(Image: Setting a passcode lock on Android | Ting )

Start the discussion at bbs.boingboing.net