The ability of third-party applications to aggregate and repurpose personal data is a fundamental privacy weakness in today’s social networking platforms. Prior work has proposed sandboxing in a hosted cloud infrastructure to prevent leakage of user information [22]. In this paper, we extend simple sandboxing to allow sharing of information among friends in a social network, and to help application developers securely aggregate user data according to differential privacy properties. Enabling these two key features requires preventing, among other subtleties, a new “Kevin Bacon” attack aimed at aggregating private data through a social network graph. We describe the significant architectural and security implications for the application framework in the Web (JavaScript) application, backend cloud, and user data handling.
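To make the differential-privacy aggregation concrete, the following added example (written for this page, not code from the paper or its framework) sketches how a sandboxed backend could answer an application's aggregate queries over a friend graph with the Laplace mechanism while tracking a per-application epsilon budget, so that repeated queries over overlapping neighbourhoods cannot be chained to recover individual values. The class and function names, the record layout, and the sample users are assumptions constructed for the illustration.

```python
import math
import random


class BudgetExhausted(Exception):
    """Raised when a query would spend more privacy budget than remains."""


class PrivateAggregator:
    """Answer aggregate queries over user records with the Laplace mechanism
    and keep a running epsilon budget (hypothetical design for this example).
    Once the budget is spent, further queries are refused rather than answered,
    which is what stops an application from averaging noise away over many calls."""

    def __init__(self, records, epsilon_total, seed=None):
        self._records = list(records)
        self._remaining = float(epsilon_total)
        self._rng = random.Random(seed)  # seed only for reproducible demos

    def remaining_budget(self):
        return self._remaining

    def _charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if epsilon > self._remaining + 1e-12:
            raise BudgetExhausted(
                f"query needs epsilon={epsilon}, only {self._remaining:.3f} left")
        self._remaining -= epsilon

    def _laplace(self, scale):
        # Inverse-CDF sample from Laplace(0, scale); the stdlib has no laplace().
        u = self._rng.uniform(-0.5, 0.5)
        return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))

    def noisy_count(self, predicate, epsilon):
        """Count of records matching predicate. Adding or removing one user changes
        the count by at most 1, so sensitivity is 1 and the noise scale is 1/epsilon."""
        self._charge(epsilon)
        true_count = sum(1 for r in self._records if predicate(r))
        return true_count + self._laplace(1.0 / epsilon)

    def noisy_sum(self, field, lo, hi, epsilon):
        """Sum of a numeric field after clamping each value into [lo, hi].
        Clamping bounds the sensitivity at (hi - lo) regardless of stored values."""
        if hi <= lo:
            raise ValueError("need lo < hi")
        self._charge(epsilon)
        true_sum = sum(min(max(r[field], lo), hi) for r in self._records)
        return true_sum + self._laplace((hi - lo) / epsilon)


# Constructed sample data: users, ages and friend lists are made up for this example.
SAMPLE_RECORDS = [
    {"user": "alice", "age": 34, "friends": ["bob", "carol"]},
    {"user": "bob", "age": 29, "friends": ["alice", "dave"]},
    {"user": "carol", "age": 41, "friends": ["alice"]},
    {"user": "dave", "age": 52, "friends": ["bob", "erin"]},
    {"user": "erin", "age": 23, "friends": ["dave"]},
]


def reachable(records, start, hops):
    """Users within `hops` friend links of `start` (breadth-first over friend lists).
    The application only ever sees aggregates over such a neighbourhood, never the
    records themselves."""
    adjacency = {r["user"]: set(r["friends"]) for r in records}
    seen, frontier = {start}, {start}
    for _ in range(hops):
        frontier = {f for u in frontier for f in adjacency.get(u, ())} - seen
        seen |= frontier
    return seen


if __name__ == "__main__":
    agg = PrivateAggregator(SAMPLE_RECORDS, epsilon_total=1.0, seed=7)
    nearby = reachable(SAMPLE_RECORDS, "alice", 2)
    print("over-30 users within 2 hops of alice (noisy):",
          round(agg.noisy_count(lambda r: r["user"] in nearby and r["age"] > 30, 0.5), 2))
    print("sum of ages, clamped to [0, 100] (noisy):",
          round(agg.noisy_sum("age", 0, 100, 0.5), 2))
    try:
        agg.noisy_count(lambda r: True, 0.1)
    except BudgetExhausted as e:
        print("refused:", e)
```

The budget accounting is the defender-side point: a friends-of-friends count and a direct-friends count over the same neighbourhood each draw from one shared epsilon, so an application cannot walk outward hop by hop and difference the answers indefinitely.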