Abstract
IFTTT is a platform that allows users to create applets for connecting smart devices to online services, or to compose online services, in order to provide customized functionalities in Internet of Things scenarios. Despite their flexibility and ease of use, IFTTT applets may create privacy risks for users, who might unknowingly share sensitive information with a wider audience than intended. In this paper, we focus on privacy issues related to the sharing of pictures through IFTTT applets. We propose a framework to detect when IFTTT applets violate users' privacy, both at design-time and run-time, based on the visibility and sensitivity of shared data. We have realized two prototypes implementing the framework: a browser plugin to detect design-time privacy violations and an online service to detect run-time privacy violations. We evaluate the online service using an IFTTT applet that posts to Twitter new pictures uploaded to Google Drive.
Notes
The service is not publicly available on the IFTTT website. Publishing an IFTTT service requires a premium IFTTT developer account, and applets submitted for publication have to go through a long code vetting process.
Acknowledgments
This work is partially supported by the H2020-ECSEL programme of the European Commission through the SECREDAS project (grant no. 783119).
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Paci, F., Bianchin, D., Quintarelli, E., Zannone, N. (2020). IFTTT Privacy Checker. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2020. Lecture Notes in Computer Science, vol 12515. Springer, Cham. https://doi.org/10.1007/978-3-030-64455-0_6
DOI: https://doi.org/10.1007/978-3-030-64455-0_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64454-3
Online ISBN: 978-3-030-64455-0
eBook Packages: Computer Science (R0)