Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables
Doguhan Yeke, Muhammad Ibrahim, Güliz Seray Tuncay, Habiba Farrukh, Abdullah Imran, Antonio Bianchi
IEEE Symposium on Security and Privacy 2024 · Day 2 · Continental Ballroom 4
This talk, "Wear's my Data? Understanding the Cross-Device Runtime Permission Model in Wearables," presented by researchers from Purdue University, Google, and the University of Florida, examines the often-misunderstood security and privacy implications of how permissions are handled across paired wearable devices, focusing on the Wear OS ecosystem. The speakers, Doguhan Yeke, Muhammad Ibrahim, and Güliz Seray Tuncay, highlight a critical disconnect between user expectations and the technical reality of data flow between smartphones and smartwatches. Their work uncovers significant vulnerabilities stemming from the dual permission models employed by these interconnected devices.
AI review
This research uncovers critical, systemic privacy vulnerabilities in the Wear OS cross-device permission model, demonstrating how sensitive data flows between paired devices often bypass user expectations and explicit denials. The team's static analysis tool, FlowFinder, provides concrete evidence of these flows in real-world apps, while their user study highlights widespread misconceptions and a practical phishing vector via redirection prompts. This is essential work that directly impacts platform design and user trust in wearable ecosystems.