Taming Information-Stealing Smartphone Applications (on Android) (original) (raw)
Related papers
Your Privacy is not so Private: Unveiling Android Apps Privacy Framework from the Dark
As the adoption of smartphones continues to surge all over the world, mobile apps have become a tool of greater significance, offering free access to everything ranging from social networking sites and emails to online banking transactions and ticket reservations. In any case, even free applications can include potential tradeoffs with regard to allowing access to private information of their users. This pattern has brought about expanding worries over the malicious nature of these apps and the security threats that these apps force upon its users. In this paper, we analyze the mobile apps privacy framework, its loopholes and survey the proposed tools and frameworks which primarily focuses on the effect of sensitive data leakage and privacy risks involved with it.
You can't always get what you want: towards user-controlled privacy on Android
2021
Mobile applications (hereafter, apps) collect a plethora of information regarding the user behavior and his device through third-party analytics libraries. However, the collection and usage of such data raised several privacy concerns, mainly because the end-user i.e., the actual owner of the data is out of the loop in this collection process. Also, the existing privacy-enhanced solutions that emerged in the last years follow an ”all or nothing” approach, leaving the user the sole option to accept or completely deny the access to privacy-related data. This work has the two-fold objective of assessing the privacy implications on the usage of analytics libraries in mobile apps and proposing a data anonymization methodology that enables a trade-off between the utility and privacy of the collected data and gives the user complete control over the sharing process. To achieve that, we present an empirical privacy assessment on the analytics libraries contained in the 4500 most-used Androi...
PhoneProtector: Protecting User Privacy on the Android-Based Mobile Platform
International Journal of Distributed Sensor Networks, 2014
With the popularity of Android platform based mobile phones, privacy protection of Android platform becomes a focus area. Now protection for Android based smart phone has many shortages, and also most phone protection systems are based on C/S model. In this paper, we propose a browser-free multilevel smart phone privacy protection system, which is based on the Android sensor platform. In this system, protection is ensured by means of SMS, which turns out to be easy, quick, and convenient. Users can send SMS to phones remotely as operating instructions; then the sensors on remote phones execute the instructions and return useful information. Second, the sensors based on the daemon process mechanism are used to prevent the sensors from being maliciously closed and uninstalled. Third, our system adopts SIM detecting mechanism to judge whether the SIM card is removed or changed. If exception is detected, the phone will be locked automatically by its inside sensors. The three points ensure full protection of phone privacy. Test results show that our system has good robustness and low resource consumption.
Understanding the Behaviour of Privacy in Mobile Apps and Detecting Privacy Leaks
With the advent of smartphones, mobile application industry is becoming one of the fastest growing industry today. Every now and then, we hear about a new app being launched. However, besides providing you with information like news, fun and amusement servicesthey can also seize your privacy. One of the most common example of this trend is asking permission from users when they are seeking to download those apps. Many types of researches have suggested that users don't care much while giving permissions to these apps. The main purpose of our research is to know the main reason for asking these permission requests by analyzing your app's traffic and how they collect sensitive information such as your phone's IMEI number or location for advertisement, tracking, or analytical purposes. To address this issue, we have developed Network Privacy Monitor (NPM), a tool for active network monitoring and context aware network filtering capabilities. With this tool, a user can block any app that utilizes personal or confidential data for a specified context. Our work is a small contribution towards strengthening the existing Android security framework.
Leave Me Alone: App-Level Protection against Runtime Information Gathering on Android
2015 IEEE Symposium on Security and Privacy, 2015
Stealing of sensitive information from apps is always considered to be one of the most critical threats to Android security. Recent studies show that this can happen even to the apps without explicit implementation flaws, through exploiting some design weaknesses of the operating system, e.g., shared communication channels such as Bluetooth, and side channels such as memory and network-data usages. In all these attacks, a malicious app needs to run side-by-side with the target app (the victim) to collect its runtime information. Examples include recording phone conversations from the phone app, gathering WebMD's data usages to infer the disease condition the user looks at, etc. This runtime-information-gathering (RIG) threat is realistic and serious, as demonstrated by prior research and our new findings, which reveal that the malware monitoring popular Android-based home security systems can figure out when the house is empty and the user is not looking at surveillance cameras, and even turn off the alarm delivered to her phone.
HideMyApp: Hiding the Presence of Sensitive Apps on Android
2019
Millions of users rely on mobile health (mHealth) apps to manage their wellness and medical conditions. Although the popularity of such apps continues to grow, several privacy and security challenges can hinder their potential. In particular, the simple fact that an mHealth app is installed on a user’s phone can reveal sensitive information about the user’s health. Due to Android’s open design, any app, even without per- missions, can easily check for the presence of a specific app or collect the entire list of installed apps on the phone. Our analysis shows that Android apps expose a significant amount of metadata, which facilitates fingerprinting them. Many third parties are interested in such information: Our survey of 2917 popular apps in the Google Play Store shows that around 57% of these apps explicitly query for the list of installed apps. Therefore, we designed and implemented HideMyApp (HMA), an effective and practical solution for hiding the presence of sensitive apps fro...
CenterYou: A cloud-based Approach to Simplify Android Privacy Management
2020
With mobile applications and associated services becoming increasingly popular, concerns are being raised about private data leakages have raised. Previous solutions to this well-known set of problems have approached it from the ground up but required rewriting the operating system which is unnecessary and burdensome. In this work, a framework we proposed to overcome these issues by applying a pseudo data technique and cloud-based decision-making system to identify potential privacy leakages.
Identity, Location, Disease and More: Inferring Your Secrets from Android Public Resources
2013
The design of Android is based on a set of unprotected shared resources, including those inherited from Linux (e.g., Linux public directories). However, the dramatic development in Android applications (app for short) makes available a large amount of public background information (e.g., social networks, public online services), which can potentially turn such originally harmless resource sharing into serious privacy breaches. In this paper, we report our work on this important yet understudied problem. We discovered three unexpected channels of information leaks on Android: per-app data-usage statistics, ARP information, and speaker status (on or off). By monitoring these channels, an app without any permission may acquire sensitive information such as smartphone user’s identity, the disease condition she is interested in, her geo-locations and her driving route, from top-of-the-line Android apps. Furthermore, we show that using existing and new techniques, this zero-permission app can both determine when its target (a particular application) is running and send out collected data stealthily to a remote adversary. These findings call into question the soundness of the design assumptions on shared resources, and demand effective solutions. To this end, we present a mitigation mechanism for achieving a delicate balance between utility and privacy of such resources.
Check Points against Privacy Breaches in Android Applications
2012
Summary The risk of privacy breaches by malicious programs has been increasing, and these programs have used more elaborate techniques to circumvent detection. Attacks using a collaboration of applications are especially difficult to find since distinct applications obtain privacy-sensitive data and send the data to the outside. Current mobile platforms have a security enforcement mechanism based on a sandbox to prevent direct data sharing between applications.
UIPicker: User-Input Privacy Identification in Mobile Applications
Identifying sensitive user inputs is a prerequisite for privacy protection. When it comes to today's program analysis systems, however, only those data that go through well-defined system APIs can be automatically labelled. In our research, we show that this conventional approach is far from adequate, as most sensitive inputs are actually entered by the user at an app's runtime: in our research, we inspect 17, 425 top apps from Google Play, and find that 35.46% of them involve sensitive user inputs. Manually marking them involves a lot of effort, impeding a large-scale, automated analysis of apps for potential information leaks. To address this important issue, we present UIPicker, an adaptable framework for automatic identification of sensitive user inputs. UIPicker is designed to detect the semantic information within the application layout resources and program code, and further analyze it for the locations where security-critical information may show up. This approach can support a variety of existing security analysis on mobile apps. We further develop a runtime protection mechanism on top of the technique, which helps the user make informed decisions when her sensitive data is about to leave the device in an unexpected way. We evaluate our approach over 200 randomly selected popular apps on Google-Play. UIPicker is able to accurately label sensitive user inputs most of the time, with 93.6% precision and 90.1% recall.