Published by Harley Derbyshire. Modified over 9 years ago.

Slide 1: These Aren't the Droids You're Looking For: Retrofitting Android to Protect Data from Imperious Applications
Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall
SIL765 presenters: Jagjeet Singh Dhaliwal (2008CS50212), Manav Goel (2008CS50215)
Slide 2: Applications can't be trusted
Recent academic research corroborates these findings.
* Source: Wall Street Journal - http://online.wsj.com/article/SB10001424052748704368004576027751867039730.html
Slide 3: What is the threat?
Android applications that misappropriate the user's privacy-sensitive data:
- Transmit sensitive data that the user intends the application to use on-device only
- Transmit sensitive data to third parties
Third parties: servers not used directly for app functionality, but often for advertising and analytics
Slide 4: Outline
- Measurement study of sensitive data usage
- AppFence: a defense against misappropriation of sensitive data
- Framework for evaluating the impact on the user's experience
- Evaluation of AppFence on 50 applications
Slide 5: What qualifies as "sensitive data"?
Twelve types of privacy-sensitive data were identified on Android: device ID, location, phone number, contacts, camera, accounts, logs, microphone, SMS messages, history & bookmarks, calendar, subscribed feeds.
Slide 6: How can we tell what apps are doing?
TaintDroid: dynamic taint tracking for Android applications [Enck et al.]
    loc = getLocation();      // taint tag applied...
    loc_copy = loc;           // taint propagated...
    network_send(loc_copy);   // checked for taint
- Gives runtime detection of sensitive data transmission by apps
- Apps can't transform or obfuscate the data to remove the taint
- TaintDroid was enhanced with tracking for all 12 data types
Slide 7: Study of sensitive data usage
The authors performed an extensive study of sensitive data usage by Android apps:
- 110 popular free apps from the Android Market, selected to cover all 12 sensitive data types
- Manually executed each app for about 5 minutes
- Used TaintDroid to measure the types of sensitive data sent out and the destinations they were sent to
Slide 8: Results
It appears that some apps use sensitive data only for the purpose of sharing it with third parties.
For location data (across 110 apps), the flow diagram reads: 73 apps; Location?; Android application: 45 apps; Third parties: 30 apps.
Of these 30 apps, 28 sent location only to third parties! (Mobclix, Flurry, Inmobi, AdMob)
Slide 9: Could they be tracking me?
Multiple apps send the device ID to the same third parties: the risk of cross-application profiling is real.
For unique device IDs (across 110 apps), the flow diagram reads: 83 apps; Device ID?; Android application: 31 apps; Third parties: 14 apps.
Just 3 third-party destinations: Mobclix, Flurry, Freystripe
Slide 10: What else do apps misappropriate?
- Two apps sent out the user's phone number for no apparent reason except tracking
- A call-blocking app sent out the user's entire contacts book, then asked the user to opt in
Sensitive data intended only for on-device use may be sent off the device.
Slide 11: Outline (section divider)
- Measurement study of sensitive data usage
- AppFence: a defense against misappropriation of sensitive data
- Framework for evaluating the impact on the user's experience
- Evaluation of AppFence on 50 applications
Slide 12: Our Defense: AppFence
Two complementary privacy controls:
- Shadowing: the app doesn't get the sensitive data at all
- Blocking: the app gets the sensitive data, but can't send it out
Diagram: sensitive data flows from Android to the application (where data shadowing applies) and from the application to external servers (where exfiltration blocking applies).
Slide 13: How data shadowing works (CCS - October 17-21, 2011)
Diagram: Android holds the true phone number (206) 555-4321; when the application asks "Phone #?" it receives the shadow value (123) 456-7890, so the shadow value, not the true number, is what reaches analytics.com.
Slide 14: Three kinds of shadow data
- Blank data, e.g. contacts: {S. Han, 206-555-4321} becomes {}
- Fake data, e.g. location: {47.653,-122.306} becomes {41.887,-87.619}
- Constructed data, e.g. device ID = hash(app name, true device ID): consistent for each application, but different across applications
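To make the three kinds of shadow data concrete, here is an added Python example; it is not AppFence's code (AppFence modifies Android itself). The contact, location and device ID values are constructed samples, and the device-local secret mixed into the constructed device ID is an assumption of this example: it keeps the true ID from being recovered from the shadow while preserving the per-app consistency the slide describes.

```python
import hashlib
import hmac

# Constructed sample values standing in for the device's real sensitive data.
TRUE_CONTACTS = [{"name": "S. Han", "phone": "206-555-4321"}]
TRUE_LOCATION = (47.653, -122.306)
TRUE_DEVICE_ID = "355938035643809"          # constructed, IMEI-like string
FAKE_LOCATION = (41.887, -87.619)            # the fixed fake location from the slide

# Device-local secret (an assumption of this example): without it, anyone who
# knows the app name could brute-force the true ID from the shadow value.
DEVICE_SECRET = b"constructed-per-device-secret"


def shadow_contacts(_true_contacts):
    """Blank shadow data: the app receives an empty contact list."""
    return []


def shadow_location(_true_location):
    """Fake shadow data: a fixed, plausible but wrong coordinate."""
    return FAKE_LOCATION


def shadow_device_id(app_name, true_device_id, secret=DEVICE_SECRET):
    """Constructed shadow data: hash(app name, true device ID).

    The same app always gets the same value, two different apps get different
    values, and the output is 15 decimal digits so it looks like a real ID.
    """
    msg = app_name.encode() + b"\x00" + true_device_id.encode()
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**15).zfill(15)


SHADOWS = {
    "contacts": lambda app: shadow_contacts(TRUE_CONTACTS),
    "location": lambda app: shadow_location(TRUE_LOCATION),
    "device_id": lambda app: shadow_device_id(app, TRUE_DEVICE_ID),
}

TRUE_VALUES = {
    "contacts": TRUE_CONTACTS,
    "location": TRUE_LOCATION,
    "device_id": TRUE_DEVICE_ID,
}


def read_sensitive(app_name, data_type, shadowed_types):
    """What an app sees when it asks Android for a data type.

    shadowed_types is the per-app policy: types in it return the shadow,
    every other type returns the true value.
    """
    if data_type in shadowed_types:
        return SHADOWS[data_type](app_name)
    return TRUE_VALUES[data_type]


if __name__ == "__main__":
    for app in ("com.example.game", "com.example.weather"):
        print(app, read_sensitive(app, "device_id", {"device_id"}))
```

Run it twice and the same app name yields the same constructed device ID, which is what lets an app keep working (its own server still sees a stable identifier) while cross-application profiling by a shared third party breaks, since each app reports a different ID.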
Slide 15: How exfiltration blocking works
Diagram: the application asks "Phone #?" and receives the true number (206) 555-4321, but when it tries to send that number to analytics.com the transmission is refused; what the app observes is "Airplane mode: no network available".
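An added Python simulation covering slide 6 (taint propagation) and this slide (exfiltration blocking); it is not TaintDroid's or AppFence's code. The sources, the destinations (analytics.com, weather.example) and the values are constructed, and the taint tags are a simplified model of the per-value tags TaintDroid keeps. With an empty block list the sink only logs, which is TaintDroid's detection role; with tags listed, tainted sends are refused and the app is told the network is unavailable, which is AppFence's blocking role.

```python
import base64


class Tainted:
    """A value that carries a set of taint tags, e.g. {"location"}.

    Any value derived from a tainted one inherits its tags, so copying,
    concatenating, encoding or otherwise transforming the data never clears
    the taint: apps cannot launder sensitive data before sending it.
    """

    def __init__(self, value, tags=()):
        self.value = value
        self.tags = frozenset(tags)

    @staticmethod
    def _tags_of(x):
        return x.tags if isinstance(x, Tainted) else frozenset()

    @staticmethod
    def _value_of(x):
        return x.value if isinstance(x, Tainted) else x

    def __add__(self, other):      # tainted + anything
        return Tainted(self.value + self._value_of(other), self.tags | self._tags_of(other))

    def __radd__(self, other):     # plain string + tainted
        return Tainted(self._value_of(other) + self.value, self.tags | self._tags_of(other))

    def transform(self, fn):
        """Apply any function to the value; the taint tags are kept."""
        return Tainted(fn(self.value), self.tags)


class NetworkUnavailable(Exception):
    """What the app observes instead of a policy error: 'airplane mode'."""


def get_location():
    # Taint tag applied at the source, as TaintDroid does.
    return Tainted("47.653,-122.306", {"location"})


def get_phone_number():
    return Tainted("(206) 555-4321", {"phone_number"})


def network_send(dest, payload, blocked_tags, log):
    """Sink check: refuse any payload carrying a blocked tag, log everything."""
    hit = Tainted._tags_of(payload) & frozenset(blocked_tags)
    if hit:
        log.append(f"BLOCKED {dest} tags={sorted(hit)}")
        raise NetworkUnavailable(dest)
    log.append(f"SENT {dest} {Tainted._value_of(payload)}")
    return True


def build_location_report():
    """Copies and base64-encodes the location; the result stays tainted."""
    loc = get_location()          # taint tag applied...
    loc_copy = loc                # taint propagated...
    encoded = loc_copy.transform(lambda s: base64.b64encode(s.encode()).decode())
    return "loc=" + encoded       # still tainted after transformation


def run_app(blocked_tags=()):
    """Simulated app making three sends; returns the sink log."""
    log = []
    sends = [
        ("analytics.com", build_location_report()),
        ("analytics.com", get_phone_number()),
        ("weather.example", Tainted("city=Seattle")),   # untainted: always allowed
    ]
    for dest, data in sends:
        try:
            network_send(dest, data, blocked_tags, log)
        except NetworkUnavailable:
            pass    # the app carries on as if it were offline
    return log


if __name__ == "__main__":
    print("\n".join(run_app()))
    print("\n".join(run_app({"location", "phone_number"})))
```

The untainted weather request goes through in both runs, which is the point of blocking at the sink rather than cutting the network: only data derived from a sensitive source is stopped, so an app's legitimate traffic is untouched.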
Slide 16: Outline (section divider)
- Measurement study of sensitive data usage
- AppFence: a defense against misappropriation of sensitive data
- Framework for evaluating the impact on the user's experience
- Evaluation of AppFence on 50 applications
Slide 17: What should we measure?
Privacy controls may cause changes in application behavior. The authors decided to measure the impact of AppFence on the user's experience.
How did they measure this? By looking for user-visible changes in application behavior: side effects.
Impact on whom?
Slide 18: An example of a side effect
We look for user-visible changes in application screenshots.
Slide 19: Framework for measuring side effects
- Automate application execution with an Android GUI testing program: it converts a script of high-level commands (e.g. "press button", "select from menu") into GUI interactions and captures a screenshot after every command
- A human detects side effects by comparing screenshots taken with and without AppFence enabled
- Classify applications based on the side effects observed: none, ads absent, less functional, broken
Slide 20: How we check for side effects (screenshot columns: Baseline, AppFence, Diff)
Slide 21: Side effect: none (screenshot columns: Baseline, AppFence, Diff)
Slide 22: Side effect: ads absent (screenshot columns: Baseline, AppFence, Diff)
Slide 23: Side effect: less functional (screenshot columns: Baseline, AppFence, Diff)
Slide 24: Side effect: broken (screenshot columns: Baseline, AppFence, Diff)
Slide 25: Outline (section divider)
- Measurement study of sensitive data usage
- AppFence: a defense against misappropriation of sensitive data
- Framework for evaluating the impact on the user's experience
- Evaluation of AppFence on 50 applications
Slide 26: Experiments
- Selected 50 apps that sent out sensitive data
- Wrote execution scripts for these apps that exercise the main features and the features likely to send out sensitive data
- Enabled one AppFence privacy control and executed all applications
- Checked screenshots for side effects and classified the applications
Slide 27: Configuring privacy controls?
To reveal the most side effects:
- Data shadowing of all sensitive data types
- Exfiltration blocking of all types to all destinations
This imposes a policy on the app: sensitive data should never leave the device.
But don't some apps have a legitimate need to send out data?
Slide 28: Side effects shown by 50 apps

Side effect        Data shadowing   Exfiltration blocking   Least-disruptive control per app
None               28 (56%)         16 (32%)                30 (60%)
Ads absent          0 (0%)          11 (22%)                 3 (6%)
Less functional    14 (28%)         10 (20%)                11 (22%)
Broken              8 (16%)         13 (26%)                 6 (12%)

- Remember, we applied a single privacy control (one or the other) to all applications
- Slightly more than half of the apps ran with limited or no side effects
- Data shadowing was less disruptive than exfiltration blocking
- Choosing the control that caused the least-severe side effects for each app: 33 apps (66%) had no side effects or only ads absent
- We used profiling to choose; determining the right control in advance is challenging
Slide 29: So 34% of applications didn't work?
These apps had four kinds of functionality that directly conflict with our configuration (sensitive data should never leave the device):
- Location broadcast (location)
- Geographic search (location)
- Find friends (contacts)
- Cross-application gaming profiles (device ID)
Slide 30: When to use data shadowing
Data types such as device ID, location, phone number:
- Aren't presented directly to the user
- Must be transmitted off the device
Example application behaviors:
- Device ID sent along with login information
- Location collected at application launch
Slide 31: When to use exfiltration blocking
Data types such as contacts, SMS, calendar:
- Are presented to the user on the device
- Don't need to be transmitted off the device
Example application behaviors:
- Selecting a contact to send a message to
- Adding reminders to the calendar
Slide 32: Conclusion
- AppFence breaks the power of the installation ultimatum
- We revealed side effects by never allowing sensitive data to leave the device
- Some apps: the user must choose between functionality and privacy
- Majority of apps: the two privacy controls can prevent misappropriation without side effects
Slide 33: Further Work
- Extending the taint sources to include compression using java.util.zip
- Extending data shadowing to offer finer-granularity controls, such as shadowing location with a nearby but less private place, e.g. the city center
Slide 34: Questions?