Beyond Permissions: Investigating Mobile Personalization with Simulated Personas

Mobile applications are deeply embedded in daily life, enabling navigation, social networking, and personalized services. These conveniences, however, come at the cost of continuous and often opaque data collection. Apps routinely access GPS location, sensor readings, microphone inputs, browsing activity, and other system data, creating complex data flows that users rarely comprehend. For example, a weather app might log location data every few minutes, even when not in use, and a sports app may collect users’ movement patterns or Bluetooth signals to infer nearby devices [4, 26]. These practices have raised increasing concerns in recent media and research [36]. However, despite users’ privacy concerns, their behaviors often contradict these concerns, which is generally known as the privacy paradox [7, 22].

Compared to desktop web tracking, mobile applications have deeper, real-time access to sensitive data, often in ways that appear harmless but create unexpected risks when combined with third-party services. For instance, granting GPS access to a navigation app may seem reasonable, yet embedded advertising networks can repurpose this access to continuously track users’ movements [32]. Likewise, microphone permissions intended for voice commands can enable unintended background audio collection, raising surveillance concerns [18]. A New York Times investigation found that at least 75 companies collected and monetized precise location data from millions of mobile devices in the U.S., often without users’ clear understanding or consent [36]. These examples illustrate how seemingly innocent permissions can lead to unforeseen privacy risks through multi-modal data collection in mobile apps.

Yet, general users often have very limited means to understand the complexity of data collection and the associated privacy risks in mobile systems [8, 9, 13]. While platforms offer several mechanisms (e.g.,privacy policies, Android's Data Safety section, Apple's App Privacy labels, etc.), these tools are often unusable in practice: they tend to be overly long, vague, hard to interpret, or disconnected from meaningful context [24, 25, 37, 41]. Recent research has shown that even newer interventions like iOS privacy labels fail to significantly improve users’ understanding or ability to make informed choices [25, 42]. As a result of these shortcomings, users are often left with little real choice: they frequently consent to data collection not because they accept the terms, but because denying permissions means sacrificing access or functionality. In other words, the limitations of current mechanisms not only undermine awareness, but also create environments where even privacy-conscious users struggle to anticipate the downstream effects of their decisions, resulting in consent that is more procedural than genuinely informed [8, 9].

These limitations in user understanding have deeper implications when real-time data is used not just for collection, but for shaping user experiences directly. Modern mobile personalization systems compound these issues by operating behind the scenes, relying on continuous real-time sensor data, ranging from GPS location to accelerometer motion and ambient light, to infer users’ behavioral contexts and dynamically adjust app content [14, 20]. While these features enable adaptive experiences, they raise further concerns about transparency and user agency, particularly as users are seldom aware of when sensors are active or how behavioral data is interpreted by apps [23]. These mechanisms often function invisibly, making it difficult to trace how environmental signals or personal routines shape the digital experiences users encounter [3]. As such, the shift toward sensor-driven personalization adds another layer of opacity that users are not well-equipped to manage.

Conventional Privacy-Enhancing Technologies (PETs) such as location blurring, sensor noise injection, or access restriction frameworks (e.g., PrivaSense [29]) mainly aim to limit the data available to apps. Even though, these tools reduce exposure, they rarely help users understand how personalization decisions are actually made [10]. Prior work shows that even small or seemingly harmless sensor readings can be combined to reveal sensitive behaviors [27], a process often described as the behavioral inference pipeline [5]. In mobile environments, where sensing is continuous and signals from multiple sensors are fused, this pipeline creates privacy risks that remain largely invisible to users [14].

Taken together, the evolving privacy risks in mobile systems and users’ limited understanding of how their data contribute to these risks constitute a critical gap in the literature. Prior work has shown that part of this gap stems from the opacity of data flows and users’ hesitation to experiment with privacy settings due to fear of breaking functionality or exposing sensitive information [12]. To address this, recent research has proposed privacy sandbox environments, a safe, controlled space where users can explore how data inputs influence system behaviors without risking real-world consequences [12]. These sandboxes create opportunities for experimentation, education, and greater transparency by allowing users to test privacy-relevant scenarios without exposing personal data or altering persistent system settings.

Building on this idea, we introduce a novel LLM-based mobile sandbox that enables users to interactively explore the connection between mobile sensor data and associated privacy implications in a risk-free environment. Our system allows users to simulate mobile app interactions using synthetic, persona-driven sensor data and observe how apps adapt to different behavioral contexts, which helps users build more concrete mental models of how personalization and profiling mechanisms work.

To evaluate the feasibility of this sandbox approach, we developed a real-time sensor spoofing toolkit that replaces live sensor data with structured, simulated user profiles that reflect different lifestyle patterns (e.g., an active commuter, a sedentary worker, or a frequent traveler). Using this prototype, we conducted an initial experiment to test whether and how mobile apps respond to synthetic data. Our results suggested that the synthetic data successfully tricked various mobile apps, allowing the apps to respond to the fed data (e.g., fitness apps award activity badges without physical movement, shopping apps localize content based on spoofed GPS, and weather apps dynamically adjust UI and forecast based on time-of-day spoofing).

These results inform the design of an interactive sandbox that allows users to explore how varying types of sensor data influence app behaviors. Our investigation is guided by the following research questions:

• RQ1: What visible changes do users experience in mobile app behavior when synthetic, context-specific sensor data is introduced?
  
• RQ2: How can relatable personas help users make sense of these changes?
  

• RQ3: How might a sandbox-based toolkit help users understand mobile personalization and support transparency-focused privacy practices?
  

In this project, we also aim to examine whether such a system can enhance user understanding of how contextual sensor data shape app behavior, and whether that understanding could translate into greater trust, agency, or willingness to engage with behavioral transparency tools. In addition, we seek to identify which features of the system are most effective in supporting comprehension and enabling meaningful exploration of mobile personalization.

At a high level, our approach seeks a new paradigm for users to actively explore and reflect on the transparency of mobile ecosystem. This ongoing work aims to define a novel PET design space which encourages users’ experimentation and interpretation of how behavioral data influences app logic. This work makes the following contributions:

• A working prototype for mobile persona simulation that leverages Frida [33], LSposed [15], and the Motion Emulator app [34] on rooted Android devices to automate multi-sensor spoofing in real-time.
  
• Empirical findings demonstrating that a variety of apps, including shopping platforms, fitness trackers, and utility apps, respond dynamically and measurably to contextual changes introduced by sensor spoofing.
  
• A conceptual design for a user-facing sandbox that allows individuals to select a persona, activate spoofing conditions, and observe how apps respond to behavioral inputs from alternative user profiles.
  
• A roadmap for system extensions, including GPT-based persona generation, GPT-4 Vision-based UI summarization, synthetic Google Calendar input, and instrumentation of network/API behavior to support behavioral transparency and auditability.
  

While still in development, our system demonstrates potential to support future tools for user education, transparency audits, and mobile behavior research. Ultimately, we propose that giving users the means to simulate and observe their digital self shaped by sensor data can open new avenues for privacy awareness and accountability in data-driven personalization systems.

Privacy risks in mobile ecosystems have grown substantially with the rise of sensor-rich devices and ubiquitous background data collection. Numerous studies emphasize that users often lack visibility into how their behavioral data is collected, inferred, and used by applications [28, 38]. For instance, mobile apps regularly access accelerometer, GPS, and light sensors to build granular user profiles and personalize recommendations or ads [28]. Research into “digital phenotyping” has shown how sensor data is repurposed to monitor user mood and mental health [31], raising serious ethical and privacy concerns. Yet, tools that allow users to meaningfully observe or intervene in this personalization pipeline remain limited [16, 38].

To address this, privacy-enhancing technologies (PETs) have traditionally focused on static protections like anonymization or minimization. However, recent efforts emphasize transparency and user-side experimentation. Aaraj et al. [1], Xian et al. [40] explore visual analytics and sandboxing for user experimentation, while Ayalon et al. [6] examine how developers balance privacy design with user experience. Still, many of these tools require technical expertise or are limited to controlled use cases. On-device protection mechanisms such as those proposed by Malekzadeh et al. [27] mitigate sensitive inferences by transforming raw sensor data before sharing. Similarly, Narain and Noubir [30] introduced PrivoScope, which provides synthetic GPS trajectories to help users track and manage location-based app behaviors. These efforts improve observability but generally treat individual sensors in isolation, without integrating broader behavioral context or multiple modalities.

Recent research has also turned toward frameworks that help users make sense of their data through interactive feedback. Chen et al. [11] introduced a system that allows users to audit personalized web recommendations and understand algorithmic logic, aligning with broader transparency goals. In the mobile space, however, reverse engineering tools like Frida [33] and LSposed [15] remain mostly targeted at technical users, and require scripting knowledge for app testing or spoofing scenarios. As such, the opportunity to democratize these tools for broader privacy exploration is still largely untapped.

Chen et al. [12] propose an empathy-based sandbox to help users understand how data influences web experiences, showing how interactive exploration can bridge the gap between privacy attitudes and behaviors. Our work builds on this foundation and applies it to the mobile domain, where the stakes are often higher due to sensor-rich tracking. By allowing users to simulate realistic behavioral personas using synthetic, sensor-driven data, we offer a low-risk method for studying mobile personalization dynamics without exposing users’ own data. This complements existing work on privacy behaviors while introducing a novel integration of persona simulation, multi-sensor spoofing, and visual UI inspection to surface hidden personalization mechanisms.

To operationalize these ideas, we present a two-part contribution: (1) a system that enables users to simulate behavioral patterns through real-time sensor spoofing using structured personas, and (2) an experiment that allows users to observe how mobile apps visibly adapt to these simulated contexts.

We built a prototype system that simulates user behaviors through a combination of persona generation, sensor spoofing, and visual analysis. This section outlines our current implementation and technical components.

3.1 Personas in Design

Personas play a critical role in privacy research by making abstract risks more tangible [11, 12]. Rather than focusing solely on abstract sensor values, our system grounds those values in recognizable human behaviors and demographics. By tying spoofed sensor data to narrative user profiles, we give structure to what would otherwise be invisible personalization mechanisms. This framing helps both researchers and users reason about when app behavior aligns or misaligns with their expectations.

We have already implemented a robust persona generation pipeline that draws on language models to create diverse, context-rich profiles. One such persona, Lila Rodriguez, is a 27-year-old Latina who works as a community organizer and urban gardener. She frequently uses her mobile phone to track runs, browse sustainable living content, and discover local farmers’ markets. Her behavioral profile reflects a moderate-to-high fitness level, plant-based diet, and daily outdoor routines, all of which are mapped to spoofed sensor traits like early-morning light exposure, frequent step activity, and elevated motion during commute hours. Figure 1 presents Lila's demographic attributes and synthesized portrait, illustrating how grounded, human-readable profiles guide both sensor mapping and interface evaluation.

Profile image and JSON-style demographic and behavioral traits for Lila Rodriguez.

These profiles are designed not only for realism but for internal consistency, which capture how someone like Lila, who walks or bikes to work and practices yoga in the evening, might appear through motion and system data. Her profile, generated through GPT-4 via OpenAI's API, includes demographic context, lifestyle traits, and sensor mappings such as increased drift in accelerometer and step counter values during active hours.

Moving forward, we continue refining these personas to more closely match real-world variation in behavior and environment. We aim to expand into areas like browser profile spoofing (e.g., simulating Chrome history and Google ad IDs) to reflect more of a user's digital footprint. Our approach draws inspiration from prior research showing that rich, data-driven personas can foster user empathy and improve engagement with privacy decisions [21], but shifts the focus toward active, sensor-based experimentation rather than static educational tools.

By anchoring our spoofing approach in personas like Lila's, we create a more interpretable layer for detecting behavioral inference and identifying mismatches between spoofed behavior and app response. This approach offers a practical bridge between low-level data spoofing techniques and the broader, user-facing implications of app personalization.

3.3 Sensor Spoofing Infrastructure

To simulate persona-driven sensor environments, we leverage the Motion Emulator app [34], an LSposed-based module designed for rooted Android devices. Our experimental setup consists of a Magisk-rooted [19] Android phone running LSposed, integrated with a locally hosted Frida server for real-time instrumentation. We execute Frida commands directly through the Termux [35] terminal on the device to launch, hook, and manipulate the Motion Emulator application during runtime. A custom-built interface feeds structured sensor data into the emulator, allowing us to inject temporally synchronized spoofed values while the emulator records input across different sensors.

The system currently supports spoofing a wide range of behavioral and environmental signals, including accelerometer, gyroscope, linear acceleration, ambient light, step counter, step detector, rotation vector, gravity, magnetic field, orientation, GPS location, cell tower station, system time, and time zone. Once injected, these values are relayed through the Android sensor subsystem, allowing mobile applications to process them as though they originated from genuine user behavior. As a result, apps that rely on these contextual signals dynamically respond to the simulated conditions, e.g., changing their interface layouts, triggering different content modules, or adjusting interaction flows in ways consistent with the persona being emulated (see Figure 2).

Our early experiments demonstrate that injecting different persona-driven sensor contexts leads to measurable app adaptations: fitness apps award activity badges without physical movement, shopping apps localize content based on spoofed GPS, and weather apps dynamically adjust UI and forecast based on time-of-day spoofing. These consistent behavioral shifts indicate that sensor-based profiling is not only active but observable and reproducible. While our system is still in development, these findings suggest its potential to support future tools for user education, transparency audits, and mobile behavior research. We contribute a technical prototype, a repeatable testing pipeline, and a design rationale for repurposing sensor spoofing as a foundation for behavioral transparency and user-centered analysis in mobile ecosystems.

We tested our system on over ten Android applications across categories such as e-commerce, fitness, navigation, and utilities, and observed clear signs that sensor-driven personalization is both active and detectable. Our evaluations simulated diverse behavioral contexts by spoofing GPS location, system time, motion sensors, and light exposure, providing a window into how different apps respond to manipulated user environments.

Fitness-focused apps displayed some of the most immediate and observable reactions. In the app Step Counter - Pedometer, injecting high-frequency step counter values along with accelerometer drift led to rapid increases in step tallies. The app promptly responded with congratulatory pop-ups, motivational notifications, and goal-based achievement badges, even in the absence of any physical activity (see Figure  3a, 3b). This behavior illustrates that such apps rely directly on real-time sensor values and are quick to generate feedback loops based on those inputs.

Weather and utility apps showed similarly responsive behavior. When the device's GPS and system time were spoofed to simulate nighttime in a different city, the UI adapted accordingly, switching to night mode and updating forecasts for the spoofed region (Figure 3c). These changes confirm a tight coupling between ambient sensor signals and app interface logic.

In navigation and transportation apps, spoofing location data produced more nuanced effects. In the Lyft app, for instance, changing the GPS coordinates to a Canadian city resulted in fare estimates being displayed in CAD instead of USD (Figure 3f), while a U.S. location showed USD (Figure 3e). More strikingly, setting the GPS to a country where Lyft does not operate (e.g., certain regions in Europe or Asia) triggered fallback messages indicating the service was unavailable in the spoofed location. These examples highlight that even core app functionality can dynamically shift based on geographic sensor input.

E-commerce platforms such as AliExpress were more conservative in their adaptation. While our system spoofed location and time to simulate browsing from Rome during night hours, the app interface did not automatically localize content based on GPS alone. Instead, region-based personalization appeared to depend on account-level settings or explicit region selection, suggesting the presence of internal gating logic before applying contextual changes. This contrast underscores the variability in how apps integrate sensor data into their personalization pipelines.

Importantly, not all applications responded uniformly. Some apps remained inert to spoofed inputs unless users interacted with specific features, while others showed delayed personalization effects, offering tailored suggestions or notifications hours after the spoofed conditions were applied. These varied behaviors suggest that some personalization mechanisms are event-triggered or tied to backend inference models that process composite behavioral patterns over time.

Our toolkit enables researchers and end-users to systematically surface these hidden behaviors without modifying app binaries or requiring advanced technical expertise. Although our tests represent early-stage evaluations, the results highlight the importance of multi-sensor awareness in privacy audits and suggest that further exploration, such as combining spoofed browsing history, long-term persona routines, or app engagement patterns, may uncover deeper layers of behavioral inference across mobile ecosystems.

Our preliminary findings confirm that mobile apps dynamically adapt to behavioral signals spoofed via sensor data. These changes, ranging from fitness badges to localized content and UI shifts, demonstrate that sensor-driven personalization is both active and observable. Building on this, our next steps focus on strengthening the system's technical capabilities and exploring how users interpret these behaviors.

In terms of system refinement, we are expanding spoofing beyond environmental sensors to include identity-linked traits such as browser history, calendar routines, and advertising IDs. This will help us examine how higher-level contextual signals influence content personalization, including ad delivery and UI behavior. Additionally, we plan to enhance instrumentation to log network activity, app logic, and sensor access over time, using tools like the Android Privacy Dashboard [39] to help map how and when apps access specific types of data.

On the user-facing side, we are developing a lightweight mobile interface that lets individuals select and activate personas (e.g., student, traveler, fitness enthusiast), each mapped to curated sensor profiles. This will support non-technical users in running their own spoofing sessions and observing app responses in real time.

To evaluate the system's impact, we are designing a small-scale user study in which we will present participants with persona-driven app experiences. Through think-aloud protocols and interviews, we aim to understand how users interpret content changes, whether they can identify sensor triggers, and whether these interactions foster greater privacy awareness or control.

After establishing the technical feasibility of persona-driven sensor spoofing, the next stage of this work turns toward the human dimension. The value of this system lies not only in its ability to elicit measurable behavioral changes from mobile apps, but also in revealing how people interpret these changes, how such interpretations shape their privacy attitudes, and whether they lead to different decision-making over time. Addressing these questions will involve conducting user studies in a controlled lab environment, where participants engage with persona-driven app experiences and subsequently take part in semi-structured interviews and open discussions. Both the system's behavioral logs and participants’ qualitative responses will be analyzed in tandem, enabling us to link observed personalization changes with how users perceive and interpret them. This dual analysis will provide richer insight into the relationship between technical adaptation mechanisms and human privacy reasoning. By structuring the project in this way, we ensure that technical refinements directly enable richer, more realistic scenarios for human-centered inquiry, ultimately allowing the platform to serve as both a diagnostic tool for app behavior and a catalyst for meaningful discussion on mobile privacy and personalization.

Together, these efforts aim to reposition behavioral spoofing as a user-facing method for auditing mobile personalization. Rather than being a circumvention tactic, our approach frames spoofing as a form of transparency—empowering users to test, reflect on, and better understand how their mobile behaviors are interpreted and influence app experiences.

As the system matures, we also plan to situate its findings within the broader landscape of known personalization behaviors. Specifically, we will compare observed adaptations against patterns already documented in public sources, such as user reports, developer forums, and prior research, to further validate the novelty that our sandbox produces. This comparison will help us evaluate the added value of active persona-driven testing over passively collected or crowd-sourced observations, clarifying the kinds of insights our approach can uniquely provide.

This work introduces a novel sandbox-based toolkit that repositions sensor spoofing as a constructive, user-facing mechanism for transparency and auditing—rather than solely a tool for adversarial attack. By simulating behavioral contexts through persona-driven sensor inputs, our system enables users and researchers to visualize how mobile apps adapt in response to inferred identities and routines. These adaptations, though often invisible, shape content delivery, personalization pathways, and even user trust in ways that are seldom made transparent.

While still early in development, this approach offers a new direction for privacy-enhancing technologies: one grounded in active exploration and experiential awareness. Instead of shielding users from data flows through static protections, our system empowers them to interrogate and reflect on those flows interactively. The combination of real-time sensor spoofing, automated persona generation, and visual UI analysis not only supports empirical studies of app behavior but also suggests a future in which mobile privacy tools can foster critical digital literacy.

By making app personalization visible and testable through real-time sensor manipulation, our system helps shift privacy tools away from passive restriction and toward active engagement. Instead of simply limiting data access, users are given the opportunity to explore how different behaviors influence app responses. This visibility encourages deeper understanding of personalization mechanisms and can support future efforts in privacy education, design evaluation, and user research. When users can see how routine actions—like commuting patterns or late-night browsing—shape their digital environment, they are better equipped to reflect on the trade-offs they make in everyday app use.

We call on researchers, developers, and platform designers to consider sensor spoofing as a valuable auditing strategy—capable of surfacing opaque inference mechanisms and informing the design of more transparent and accountable personalization systems. Future iterations of this work may integrate feedback loops, participatory design frameworks, or even crowd-sourced persona libraries to better align with diverse user needs and ethical considerations.

As mobile ecosystems continue to deepen their reliance on behavioral sensing, systems like ours can help ensure that users are not merely passive recipients of personalization, but active participants in shaping the terms of their digital experiences. Equipping individuals with tools to explore and understand how personalization systems operate can foster greater transparency, user agency, and critical awareness in today's data-driven environments.