The time a person spends on different smartphone apps is enough to identify them from a larger group in more than one in three cases, say researchers, who warn of the implications for security and privacy.
Psychologists Dr Heather Shaw, Professor Paul Taylor and Professor Stacey Conchie from Lancaster University, and Dr David Ellis from the University of Bath analyzed smartphone data from 780 people.
They fed 4,680 days of app usage data into statistical models. Each of these days was paired with one of the 780 users, such that the models learnt people’s daily app use patterns.
The researchers then tested whether models could identify an individual when provided with only a single day of smartphone activity that was anonymous and not yet paired with a user.
Dr Ellis from the University of Bath said: “Our models, which were trained on only six days of app usage data per person, could identify the correct person from a day of anonymous data one third of the time.”
That might not sound like much, but when the models made a prediction regarding who the data belonged to, they could also provide a list of candidates ranked from most to least likely. It was possible to view the top 10 most likely individuals that a specific day of data belonged to. Around 75% of the time, the correct user would be among the top 10 most likely candidates.
Smartphone apps could identify person even when logged-out
Professor Taylor from Lancaster University added: “In practical terms, a law enforcement investigation seeking to identify a criminal’s new phone from knowledge of their historic phone use could reduce a candidate pool of approximately 1,000 phones to 10 phones, with a 25% risk of missing them.”
Consequently, the researchers warn that software granted access to a smartphone’s standard activity logging could render a reasonable prediction about a user’s identity even when they were logged out of their account. An identification is possible with no monitoring of conversations or behaviours within apps themselves.
Dr Shaw from Lancaster University said: “We found that people exhibited consistent patterns in their application usage behaviours on a day-to-day basis, such as using Facebook the most and the calculator app the least. In support of this, we also showed that two days of smartphone data from the same person exhibited greater similarity in app usage patterns than two days of data from different people.”
Therefore, it is important to acknowledge that app usage data alone, which is often collected by a smartphone automatically, can potentially reveal a person’s identity.
While providing new opportunities for law enforcement, it also poses risks to privacy if this type of data is misused.
(2022) How mobile app usage data could reveal a person’s identity. Recovered on 22 March 2022 https://www.helpnetsecurity.com/2022/02/24/smartphone-apps-identify-person/