THESE AREN’T THE DROIDS YOU’RE LOOKING FOR: Retrofitting Android to Protect Data from Imperious Applications. Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall

1 THESE AREN’T THE DROIDS YOU’RE LOOKING FOR: Retrofitting Android to Protect Data from Imperious Applications. Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall. Presented for SIL765 by Jagjeet Singh Dhaliwal (2008CS50212) and Manav Goel (2008CS50215).

2 Applications can’t be trusted. Recent academic research corroborates these findings. (Source: Wall Street Journal)

3 What is the threat? Android applications that misappropriate the user’s privacy-sensitive data: they transmit sensitive data that the user intends the application to use on-device only, or they transmit sensitive data to third parties. Third parties: servers not used directly for app functionality, but often for advertising and analytics.

4 Outline Measurement study of sensitive data usage AppFence: a defense against misappropriation of sensitive data Framework for evaluating impact on user’s experience Evaluation of AppFence on 50 applications

5 What qualifies as “sensitive data”? The authors identified 12 types of privacy-sensitive data on Android: device ID, location, phone number, contacts, camera, accounts, logs, microphone, SMS messages, history & bookmarks, calendar, subscribed feeds.

6 How can we tell what apps are doing? TaintDroid: dynamic taint tracking for Android applications [Enck et al.]
    loc = getLocation();      // taint tag applied...
    loc_copy = loc;           // taint propagated...
    network_send(loc_copy);   // checked for taint
Gives runtime detection of sensitive data transmission by apps. Apps can’t transform or obfuscate the data to remove the taint. Enhancement to TaintDroid: added tracking for all 12 data types.

7 Study of sensitive data usage. The authors performed an extensive study of sensitive data usage by Android apps: 110 popular free apps from the Android Market, selected to cover all 12 sensitive data types; each app was manually executed for ~5 minutes; TaintDroid was used to measure which types of sensitive data were sent out and to which destinations.

8 Results: location data (across 110 apps). Diagram: 73 apps; Location? → Android → Application (45 apps) → Third parties (30 apps). Of these 30 apps, 28 sent location only to third parties! (Mobclix, Flurry, Inmobi, AdMob.) It appears that some apps use sensitive data only for the purpose of sharing it with third parties.

9 Could they be tracking me? Unique device IDs (across 110 apps). Diagram: 83 apps; Device ID? → Android → Application (31 apps) → Third parties (14 apps). Just 3 third-party destinations: Mobclix, Flurry, Greystripe. Multiple apps send the device ID to the same third parties: the risk of cross-application profiling is real.

10 What else do apps misappropriate? Two apps sent out the user’s phone number for no apparent reason except tracking. A call-blocking app sent out the user’s entire contacts book, then asked the user to opt in. Sensitive data intended only for on-device use may be sent off the device.

11 Outline Measurement study of sensitive data usage AppFence: a defense against misappropriation of sensitive data Framework for evaluating impact on user’s experience Evaluation of AppFence on 50 applications

12 Our Defense: AppFence. Two complementary privacy controls: Shadowing (the app doesn’t get the sensitive data at all) and Blocking (the app gets the sensitive data, but can’t send it out). Diagram: sensitive data flows from Android to the Application (data shadowing applies here) and from the Application to external servers (exfiltration blocking applies here).

13 How data shadowing works (CCS, October 17-21, 2011). Diagram: the Application asks Android “Phone #?”; the true number begins (206), but Android returns shadow data beginning (123), so what the app forwards to analytics.com is the shadow value (123), not (206).

14 Three kinds of shadow data. Blank data, e.g. contacts: {S. Han, ...} → {}. Fake data, e.g. location: {47.653, ...} → {41.887, ...}. Constructed data, e.g. device ID = hash(app name, true device ID): consistent for each application, but different across applications.
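As an added example (not the authors’ AppFence code), the three shadow strategies of this slide in Python. The device ID, contacts and coordinates are constructed sample values; the per-device salt mixed into the constructed device ID is an assumption beyond the slide’s hash(app name, true device ID), added so that a third party who knows the app name cannot recover the real ID by hashing candidate IDs.

```python
import hashlib

# Constructed sample values; 47.653 and 41.887 are the true and fake latitudes shown on the slide.
TRUE_DEVICE_ID = "357881034567891"
TRUE_LOCATION = (47.653, -122.306)
TRUE_CONTACTS = [{"name": "S. Han", "phone": "206-555-0100"}]
FAKE_LOCATION = (41.887, -87.623)

# Assumption: a random per-device salt, generated once and kept by the platform,
# is mixed into the hash so that a third party who knows the app name cannot
# recover the true ID by hashing candidate IDs. Fixed here so the example is deterministic.
DEVICE_SALT = bytes.fromhex("8f3c1d2a5b9e47d0c6a1f2e3b4d5c6a7")


def blank(value):
    """Blank data: an empty value of the same type (contacts: {S. Han, ...} -> {})."""
    return type(value)()


def fake_location(_true_location):
    """Fake data: a plausible location that is not the user's."""
    return FAKE_LOCATION


def constructed_device_id(app_name, true_device_id):
    """Constructed data: hash(app name, true device ID).

    Consistent for one application across runs, different across applications,
    and shaped like a real 15-digit ID so format checks inside the app still pass.
    """
    digest = hashlib.sha256(
        DEVICE_SALT + app_name.encode() + b"\0" + true_device_id.encode()
    ).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**15).zfill(15)


# Which strategy the platform applies to each data type (the three the slide names).
SHADOWS = {
    "contacts": lambda value, app: blank(value),
    "location": lambda value, app: fake_location(value),
    "device_id": lambda value, app: constructed_device_id(app, value),
}


def shadow(data_type, true_value, app_name):
    """What the platform hands `app_name` in place of `true_value`."""
    if data_type not in SHADOWS:
        raise ValueError(f"no shadow strategy for {data_type}")
    return SHADOWS[data_type](true_value, app_name)


if __name__ == "__main__":
    print(shadow("contacts", TRUE_CONTACTS, "com.example.dialer"))
    print(shadow("location", TRUE_LOCATION, "com.example.weather"))
    for app in ("com.example.game", "com.example.game", "com.example.news"):
        print(app, shadow("device_id", TRUE_DEVICE_ID, app))
```

Running it shows the same shadow ID twice for com.example.game and a different one for com.example.news, which is exactly the property that defeats cross-application profiling on slide 9 while keeping each app’s own per-device state stable.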

15 How exfiltration blocking works. Diagram: the Application asks Android “Phone #?” and receives the true number (206); when it tries to send (206) to analytics.com, Android reports “Airplane mode: no network available”, and the data never leaves the device.
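An added example, written in Python rather than inside the Dalvik VM, of the two mechanisms from slide 6 and this slide together: values read from sensitive sources carry taint tags that survive copying, hashing and encoding, and the network sink checks the tags and either records what is sent where (the measurement configuration of slide 7) or refuses the send as if the device were in airplane mode. The Tainted wrapper, the TaintedAndroid stand-in, the demo app, its hostnames and the sample values are all constructed for this illustration; none of it is TaintDroid or AppFence code.

```python
import base64
import hashlib
from dataclasses import dataclass, field


class NetworkUnavailable(Exception):
    """What a blocked app observes: the same error airplane mode would give it."""


@dataclass(frozen=True)
class Tainted:
    """A value plus the set of sensitive sources (taint tags) it derives from."""
    value: object
    tags: frozenset = field(default_factory=frozenset)

    def map(self, fn):
        """Any transform (hash, encode, truncate) keeps every tag of its input."""
        return Tainted(fn(self.value), self.tags)


def concat(*parts):
    """Join tainted and plain parts into one string; taint is the union of tags."""
    tags = frozenset()
    text = []
    for part in parts:
        if isinstance(part, Tainted):
            tags |= part.tags
            text.append(str(part.value))
        else:
            text.append(str(part))
    return Tainted("".join(text), tags)


class TaintedAndroid:
    """Platform stand-in: applies tags at the sources, checks them at the network sink.

    `blocked` maps a data type to "all" (never leaves the device) or to the set of
    destination hosts that may not receive it; an absent entry means no blocking.
    """

    def __init__(self, sources, blocked):
        self._sources = sources
        self._blocked = blocked
        self.observed = []  # (destination, tags, delivered): the measurement log

    def get(self, data_type):
        return Tainted(self._sources[data_type], frozenset({data_type}))

    def _is_blocked(self, tag, destination):
        rule = self._blocked.get(tag)
        return rule == "all" or (isinstance(rule, set) and destination in rule)

    def network_send(self, destination, payload):
        tags = payload.tags if isinstance(payload, Tainted) else frozenset()
        leaking = {t for t in tags if self._is_blocked(t, destination)}
        self.observed.append((destination, tags, not leaking))
        if leaking:
            raise NetworkUnavailable(f"{destination} would receive {sorted(leaking)}")
        return True


def _send(android, destination, payload):
    """Return whether the send was delivered; the app itself only sees a network error."""
    try:
        return android.network_send(destination, payload)
    except NetworkUnavailable:
        return False


def demo_app(android):
    """Constructed app: needs location for its own feature, and also ships a
    hashed device ID plus location to an ad/analytics host."""
    loc = android.get("location")
    dev = android.get("device_id")
    # "Anonymising" the ID with sha256 + base64 does not remove its taint tag.
    hashed = dev.map(lambda v: base64.b64encode(hashlib.sha256(v.encode()).digest()).decode())
    return {
        "weather": _send(android, "api.weather.example", concat("q=", loc)),
        "analytics": _send(android, "analytics.example", concat("id=", hashed, "&loc=", loc)),
    }


SOURCES = {"device_id": "357881034567891", "location": "47.653,-122.306"}  # constructed


if __name__ == "__main__":
    monitor = TaintedAndroid(SOURCES, blocked={})  # measurement study: observe only
    demo_app(monitor)
    for destination, tags, delivered in monitor.observed:
        print(f"{destination:22} {sorted(tags)} delivered={delivered}")
    fence = TaintedAndroid(SOURCES, blocked={"device_id": "all", "location": "all"})  # slide 27 policy
    print(demo_app(fence))
    selective = TaintedAndroid(SOURCES, blocked={"device_id": "all", "location": {"analytics.example"}})
    print(demo_app(selective))
```

The monitor run reproduces the study’s view: the analytics host receives both device_id and location even though the app hashed the ID. The fence run applies the blanket policy of slide 27 and breaks the weather feature as well, which is the kind of “less functional” side effect the evaluation counts; the selective run shows the per-destination rule a practitioner would actually want, keeping the first-party use and stopping the third-party one.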

16 Outline Measurement study of sensitive data usage AppFence: a defense against misappropriation of sensitive data Framework for evaluating impact on user’s experience Evaluation of AppFence on 50 applications

17 What should we measure? Privacy controls may cause changes in application behavior, so the authors measured the impact of AppFence on the user’s experience. How? By looking for user-visible changes in application behavior: side effects. Impact on whom? On the user.

18 An example of a side effect. We look for user-visible changes in application screenshots. (Screenshot not reproduced in the transcript.)

19 Framework for measuring side effects. Automate application execution with an Android GUI testing program that converts a script of high-level commands (e.g. “press button”, “select from menu”) into GUI interactions and captures a screenshot after every command. A human detects side effects by comparing screenshots taken with and without AppFence enabled. Applications are classified by the side effects observed: None, Ads absent, Less functional, Broken.

20 How we check for side effects: three screenshots per step, Baseline, AppFence, and Diff.

21 Side effect: none (screenshots: Baseline | AppFence | Diff).

22 Side effect: ads absent (screenshots: Baseline | AppFence | Diff).

23 Side effect: less functional (screenshots: Baseline | AppFence | Diff).

24 Side effect: broken (screenshots: Baseline | AppFence | Diff).

25 Outline Measurement study of sensitive data usage AppFence: a defense against misappropriation of sensitive data Framework for evaluating impact on user’s experience Evaluation of AppFence on 50 applications

26 Experiments. Selected 50 apps that sent out sensitive data. Wrote execution scripts for these apps that exercise the main features and the features likely to send out sensitive data. Enabled one AppFence privacy control, executed all applications, then checked screenshots for side effects and classified the applications.

27 Configuring the privacy controls. To reveal the most side effects: data shadowing of all sensitive data types; exfiltration blocking of all types to all destinations. This imposes a policy on the app: sensitive data should never leave the device. But don’t some apps have a legitimate need to send out data?

28 Side effects shown by 50 apps

    Side effect        Data shadowing   Exfiltration blocking   Choose least-disruptive
    None               28 (56%)         16 (32%)                30 (60%)
    Ads absent          0 (0%)          11 (22%)                 3 (6%)
    Less functional    14 (28%)         10 (20%)                11 (22%)
    Broken              8 (16%)         13 (26%)                 6 (12%)

Remember, a single privacy control (one or the other) was applied to all applications. Slightly more than half of the apps ran with limited or no side effects, and data shadowing was less disruptive than exfiltration blocking. Choosing the control that caused the least-severe side effects for each app: 33 apps (66%) had no side effects or only ads absent. Profiling was used to choose; determining the right control in advance is challenging.

29 So 34% of applications didn’t work? These apps had four kinds of functionality that directly conflict with the configuration (sensitive data should never leave the device): location broadcast (location), geographic search (location), find friends (contacts), cross-application gaming profiles (device ID).

30 When to use data shadowing: data types such as device ID, location, phone number, which aren’t presented directly to the user but must be transmitted off the device. Example application behaviors: device ID sent along with login information; location collected at application launch.

31 When to use exfiltration blocking: data types such as contacts, SMS, calendar, which are presented to the user on the device and don’t need to be transmitted off the device. Example application behaviors: selecting a contact to send a message to; adding reminders to the calendar.

32 Conclusion. AppFence breaks the power of the installation ultimatum. Side effects were revealed by never allowing sensitive data to leave the device. For some apps, the user must choose between functionality and privacy; for the majority of apps, the two privacy controls can prevent misappropriation without side effects.

33 Further work. Extending the taint sources to cover compression via java.util.zip. Extending data shadowing to offer finer-granularity controls, such as shadowing the location with a nearby but less private place, e.g. the city center.

34 Questions?