Mobile devices such as smartphones and Internet tablets have achieved computing and networking capabilities comparable to traditional personal computers. Their successful consumerization has also become a source of pain for adopting users and organizations. For example, the widespread presence of information-stealing applications raises substantial security and privacy concerns. The operating systems supporting these new devices have both advantages and disadvantages with respect to security. On one hand, they use application sandboxing to contain exploits and limit privileges given to malware. On the other hand, they routinely collect and organize many forms of security- and privacy-sensitive information and make that information easily accessible to third-party applications.

Recognizing smartphone security and privacy as an emerging area, this workshop intends to provide a venue for interested researchers and practitioners to get together and exchange ideas. Topics of interest include (but are not limited to) the following subject categories:

We also encourage novel paradigms and controversial ideas that are not on the above list. The workshop is to act as a venue for creative debate and interaction in security- and privacy-sensitive areas of computing and communication impacted by smartphones. We will favor submissions that are radical, forward-looking, and open-ended, as opposed to mature work on the verge of conference publication. Submissions that discuss a real-world problem without a solution are encouraged.

Important Dates

Manuscript Submission: 13th of June, 2015, 05:00 UTC - Passed
Acceptance Notification: 18th of July, 2015
Final Manuscript due: 28th of July, 2015
Workshop Date: 12th of October, 2015


The submission deadline has now passed and no further submissions will be accepted.

Authors were invited to submit either

Submissions must be in double-column ACM format (available at the ACM Website) with a font no smaller than 9 point. Only PDF files will be accepted. Submissions need to have their pages numbered and should not substantially overlap with papers that have been published or that are simultaneously submitted to a journal or a conference with proceedings. All authors and their affiliations must be listed. Each accepted paper must be presented by one registered author. Submissions not meeting these guidelines risk rejection without consideration of their merits. Accepted papers will be published by the ACM Press and/or the ACM Digital Library.

The submission website is CCS-SPSM 2015 in Easychair.

For questions, email

Organizing Committees

Program Co-chairs

Technical Program Committee

Steering Committee


To register for the SPSM 2015 workshop, please visit the CCS2015 Registration website. Registering for the Monday workshops is sufficient to register for SPSM 2015.

Technical Program - Monday October 12th, 2015

The below schedule is based on the ACM CCS schedule. Each technical presentation is scheduled for 25 minutes plus 5 minutes for questions.

6:45 - 8:00 Breakfast
8:00 - 8:20 Opening Remarks & Logistics
8:20 - 9:00 Break (Setup)
9:00 - 9:10 Welcome: David Lie (University of Toronto) and Glenn Wurster (BlackBerry)
9:10 - 10:20 Keynote: Alex Manea (BlackBerry)

The Past, Present, and Future of Digital Privacy

Abstract: Communication technologies have evolved immensely over the past 20 years, with the Internet removing physical borders and mobility keeping us always connected. But privacy technologies, standards and legislation have struggled to keep up. This talk will look at the evolution of online privacy through the lens of users, government and private industry. We will examine where we are today, how we got here, and most importantly how we move forward in a way that protects consumer privacy without stifling innovation. Last but not least, we will discuss the viability and importance of public/private partnerships in solving issues related to online privacy.

Bio: Alex Manea is a Director of BlackBerry Security. He is a founding member of the group that has made BlackBerry synonymous with mobile security. Alex has looked after BlackBerry product security for over 9 years, including BlackBerry smartphones, BES and BBM. He is a Certified Software Security Lifecycle Professional and has an Honors degree in Systems Design Engineering from the University of Waterloo.

10:20 - 11:00 Break
11:00 - 12:30

Technical Session: Application Isolation

Session Chair: Alastair Beresford (University of Cambridge)

Android Rooting: Methods, Detection, and Evasion

San-Tsai Sun (University of British Columbia), Andrea Cuadros (University of British Columbia), Konstantin Beznosov (University of British Columbia)

PrivacyGuard: A VPN-based Platform to Detect Information Leakage on Android Devices

Yihang Song (University of Waterloo), Urs Hengartner (University of Waterloo)

NJAS: sandboxing unmodified applications in non-rooted devices running stock Android

Antonio Bianchi (University of California, Santa Barbara), Yanick Fratantonio (University of California, Santa Barbara), Christopher Kruegel (University of California, Santa Barbara), Giovanni Vigna (University of California, Santa Barbara)

12:30 - 2:00 Lunch
2:00 - 3:30

Technical Session: Privacy

Session Chair: TBD

AutoPPG: Automated Generation of Privacy Policy for Android Applications

Le Yu (The Hong Kong Polytechnic University), Tao Zhang (The Hong Kong Polytechnic University), Xiapu Luo (The Hong Kong Polytechnic University), Lei Xue (The Hong Kong Polytechnic University)

Supporting Privacy-Conscious App Update Decisions with User Reviews

Yuan Tian (Carnegie Mellon University), Bin Liu (Carnegie Mellon University), Weisi Dai (Google), Blase Ur (Carnegie Mellon University), Patrick Tague (Carnegie Mellon University), Lorrie Faith Cranor (Carnegie Mellon University)

The Impact of Timing on the Salience of Smartphone App Privacy Notices

Rebecca Balebako (Carnegie Mellon University), Florian Schaub (Carnegie Mellon University), Idris Adjerid (Notre Dame University), Alessandro Acquisti (Carnegie Mellon University), Lorrie Cranor (Carnegie Mellon University)

3:30 - 4:00 Break
4:00 - 5:30

Technical Session: Android Framework

Session Chair: TBD

(Short Paper) Context-Specific Access Control: Conforming Permissions With User Expectations

Amir Rahmati (University of Michigan), Harsha V. Madhyastha (University of Michigan)

(Short Paper) Understanding the Service Life Cycle of Android Apps: An Exploratory Study

Kobra Khanmohammadi (Concordia University), Mohammad Reza Rejali (Concordia University), Abdelwahab Hamou-Lhadj (Concordia University)

Security Metrics for the Android Ecosystem

Daniel Thomas (University of Cambridge), Alastair Beresford (University of Cambridge), Andrew Rice (University of Cambridge)