An approach to evaluate the effectiveness of privacy  protection in Android system

ZENG Shuke; ZHANG Yang; CHENG Liang; DENG Yi; FENG Dengguo

doi:10.3969/j.issn.0253-2778.2014.10.009

PDF( 1450 KB)

Open Access JUSTC Original Paper

An approach to evaluate the effectiveness of privacy protection in Android system

1.
School of Computer Science and Technology, University of Science and Technology of China, Hefei 230027, China
2.
Institute of Software, Chinese Academy of Sciences, Beijing 100190, China

Cite this:

https://doi.org/10.3969/j.issn.0253-2778.2014.10.009

Received Date: 17 January 2014
Accepted Date: 13 March 2014
Rev Recd Date: 13 March 2014
Publish Date: 30 October 2014

Abstract Full text PDF

Abstract

Abstract

To protect private data in smart phones, Android enforces a permission-based security policy. PrivacyMiner, a tool for evaluating the effectiveness of privacy protection in Android, was designed. First, 22 categories of private data in smart phones were identified, which were then checked to see if Android could efficiently protect them from malware. PrivacyMiner was applied to 12 revisions of Android source code, and it was found that 7 categories of private data were not well protected, as Malware can read them and send them out without any permission. These vulnerabilities were verified on 6 Android devices with 6 revisions of Android, from 2.1 up to 4.4.2. Our findings were confirmed by the Android Security Team from Google.

Abstract

To protect private data in smart phones, Android enforces a permission-based security policy. PrivacyMiner, a tool for evaluating the effectiveness of privacy protection in Android, was designed. First, 22 categories of private data in smart phones were identified, which were then checked to see if Android could efficiently protect them from malware. PrivacyMiner was applied to 12 revisions of Android source code, and it was found that 7 categories of private data were not well protected, as Malware can read them and send them out without any permission. These vulnerabilities were verified on 6 Android devices with 6 revisions of Android, from 2.1 up to 4.4.2. Our findings were confirmed by the Android Security Team from Google.

FullText(HTML)

References(26)

References

[1]	Apple Press Info. Apple s App Store Marks Historic 50 Billionth Download [EB/OL]. http://www.apple.com/pr/library/2013/05/16Apples-App-Store-Marks-Historic-50-Billionth-Download.html.
[2]	There have been 900 million Android activations, 48 billion app installs to date [EB/OL]. http://www.engadget.com/2013/05/15/900-million-android-activations/.
[3]	Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkley, USA: ACM Press. 2010, 10: 255-270.
[4]	Enck W, Octeau D, McDaniel P, et al. A study of android application security [C]// Proceedings of the 20th USENIX conference on Security. Berkley, USA: ACM Press 2011: 21.
[5]	Orthacker C, Teufl P, Kraxberger S, et al. Android security permissions — Can we trust them? [C]// International ICST Conference on Security and Privacy in Mobile Information and Communication Systems. Aalborg, Denmark: Springer, 2012: 40-51.
[6]	Zhou Y J, Jiang X X. Dissecting android malware: Characterization and evolution [C]// Proceedings of the 2012 IEEE Symposium on Security and Privacy. San Francisco, USA: IEEE Press, 2012: 95-109.
[7]	Chia P H, Yamamoto Y, Asokan N. Is this app safe? A large scale study on application permissions and risk signals [C]// Proceedings of the 21st International Conference on World Wide Web. Lyon, France: ACM Press, 2012: 311-320.
[8]	Android Company. Permissions in Android [EB/OL]. http://developer.android.com/reference/android/Manifest.permission.html.
[9]	Felt A P, Ha E, Egelman S, et al. Android permissions: User attention, comprehension, and behavior [C]// Proceedings of the 8th Symposium on Usable Privacy and Security. University of California, Berkeley, USA: ACM Press, 2012: Article No.3(1-14).
[10]	Lane M. Does the android permission system provide adequate information privacy protection for end-users of mobile apps? [C]// Proceedings of the 10th Australian Information Security Management Conference. Perth, Australia: ePrint, 2012: 66-73.
[11]	Chin E. Felt A P, Greenwood K, et al. Analyzing Inter-application communication in android [C]// Proceedings of the 9th International Conference on Mobile systems, applications, and services. Bethesda, USA: ACM Press, 2011: 239-252.
[12]	Kantola D, Chin E, He W D, et al. Reducing attack surfaces for intra-application communication in android [C]// Proceedings of the second ACM workshop on Security and privacy in SmartPhones and Mobile Devices. Raleigh, USA: ACM Press, 2012: 69-80.
[13]	Grace M, Zhou Y J, Wang Z, et al. Systematic detection of capability leaks in stock android SmartPhones [C]// Proceedings of the 19th Network and Distributed System Security Symposium. San Diego, USA: ACM Press, 2012.
[14]	Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
[15]	Wei X T, Gomez L, Neamtiu L, et al. Permission evolution in the android ecosystem [C]// Proceedings of the 28th Annual Computer Security Applications Conference.Orlando, USA: ACM Press, 2012: 31-40.
[16]	Barrera D, Kayacik H G, van Oorschot P C, et al. A methodology for empirical analysis of permission-based security models and its application to android [C]// Proceedings of the 17th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2010: 73-84.
[17]	Au K W Y, Zhou Y F, Huang Z, et al. PScout: analyzing the Android permission specification [C]// Proceedings of the 2012 ACM conference on Computer and Communications Security. Raleigh, USA: ACM Press, 2012: 217-228.
[18]	Zhou W, Zhou Y J, Jiang X X, et al. Detecting repackaged SmartPhone applications in third-party android marketplaces [C]// Proceedings of the Second ACM Conference on Data and Application Security and Privacy. San Antonio, USA: ACM Press, 2012: 317-326.
[19]	Zhou W, Zhang X W, Jiang X X. AppInk: Watermarking android apps for repackaging deterrence [C]// Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. Hangzhou, China: ACM Press, 2013: 1-12.
[20]	Felt A P, Chin E, Hanna S, et ala. Android permissions demystified [C]// Proceedings of the 18th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2011: 627-638.
[21]	Chan P F, Hui C K, Yiu S M. DroidChecker: Analyzing android applications for capability leak [C]// Proceedings of the fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, USA: ACM Press, 2012: 125-136.
[22]	Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
[23]	Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. Vancouver, Canada: USENIX Association, 2010, 10: 255-270.
[24]	Yang Z M, Yang M. Leakminer: Detect information leakage on android with static taint analysis [C]// Third World Congress on Software Engineering. Wuhan, China: IEEE Press, 2012: 101-104.
[25]	Yan L K, Yin H. Droidscope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis [C]// Proceedings of the 21st USENIX Security Symposium. Berkeley, USA: USENIX Association, 2012: 29.
[26]	Yang Z M, Yang M, Zhang Y, et al. Appintent: Analyzing sensitive data transmission in android for privacy leakage detection [C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. Scottsdale, USA, ACM Press, 2013: 1 043-1 054.

Supplements(0)

Track Citations

Proportional views

Proportional views

Get Citation

PDF

XML

[1]	Apple Press Info. Apple s App Store Marks Historic 50 Billionth Download [EB/OL]. http://www.apple.com/pr/library/2013/05/16Apples-App-Store-Marks-Historic-50-Billionth-Download.html.
[2]	There have been 900 million Android activations, 48 billion app installs to date [EB/OL]. http://www.engadget.com/2013/05/15/900-million-android-activations/.
[3]	Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkley, USA: ACM Press. 2010, 10: 255-270.
[4]	Enck W, Octeau D, McDaniel P, et al. A study of android application security [C]// Proceedings of the 20th USENIX conference on Security. Berkley, USA: ACM Press 2011: 21.
[5]	Orthacker C, Teufl P, Kraxberger S, et al. Android security permissions — Can we trust them? [C]// International ICST Conference on Security and Privacy in Mobile Information and Communication Systems. Aalborg, Denmark: Springer, 2012: 40-51.
[6]	Zhou Y J, Jiang X X. Dissecting android malware: Characterization and evolution [C]// Proceedings of the 2012 IEEE Symposium on Security and Privacy. San Francisco, USA: IEEE Press, 2012: 95-109.
[7]	Chia P H, Yamamoto Y, Asokan N. Is this app safe? A large scale study on application permissions and risk signals [C]// Proceedings of the 21st International Conference on World Wide Web. Lyon, France: ACM Press, 2012: 311-320.
[8]	Android Company. Permissions in Android [EB/OL]. http://developer.android.com/reference/android/Manifest.permission.html.
[9]	Felt A P, Ha E, Egelman S, et al. Android permissions: User attention, comprehension, and behavior [C]// Proceedings of the 8th Symposium on Usable Privacy and Security. University of California, Berkeley, USA: ACM Press, 2012: Article No.3(1-14).
[10]	Lane M. Does the android permission system provide adequate information privacy protection for end-users of mobile apps? [C]// Proceedings of the 10th Australian Information Security Management Conference. Perth, Australia: ePrint, 2012: 66-73.
[11]	Chin E. Felt A P, Greenwood K, et al. Analyzing Inter-application communication in android [C]// Proceedings of the 9th International Conference on Mobile systems, applications, and services. Bethesda, USA: ACM Press, 2011: 239-252.
[12]	Kantola D, Chin E, He W D, et al. Reducing attack surfaces for intra-application communication in android [C]// Proceedings of the second ACM workshop on Security and privacy in SmartPhones and Mobile Devices. Raleigh, USA: ACM Press, 2012: 69-80.
[13]	Grace M, Zhou Y J, Wang Z, et al. Systematic detection of capability leaks in stock android SmartPhones [C]// Proceedings of the 19th Network and Distributed System Security Symposium. San Diego, USA: ACM Press, 2012.
[14]	Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
[15]	Wei X T, Gomez L, Neamtiu L, et al. Permission evolution in the android ecosystem [C]// Proceedings of the 28th Annual Computer Security Applications Conference.Orlando, USA: ACM Press, 2012: 31-40.
[16]	Barrera D, Kayacik H G, van Oorschot P C, et al. A methodology for empirical analysis of permission-based security models and its application to android [C]// Proceedings of the 17th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2010: 73-84.
[17]	Au K W Y, Zhou Y F, Huang Z, et al. PScout: analyzing the Android permission specification [C]// Proceedings of the 2012 ACM conference on Computer and Communications Security. Raleigh, USA: ACM Press, 2012: 217-228.
[18]	Zhou W, Zhou Y J, Jiang X X, et al. Detecting repackaged SmartPhone applications in third-party android marketplaces [C]// Proceedings of the Second ACM Conference on Data and Application Security and Privacy. San Antonio, USA: ACM Press, 2012: 317-326.
[19]	Zhou W, Zhang X W, Jiang X X. AppInk: Watermarking android apps for repackaging deterrence [C]// Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. Hangzhou, China: ACM Press, 2013: 1-12.
[20]	Felt A P, Chin E, Hanna S, et ala. Android permissions demystified [C]// Proceedings of the 18th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2011: 627-638.
[21]	Chan P F, Hui C K, Yiu S M. DroidChecker: Analyzing android applications for capability leak [C]// Proceedings of the fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, USA: ACM Press, 2012: 125-136.
[22]	Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
[23]	Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. Vancouver, Canada: USENIX Association, 2010, 10: 255-270.
[24]	Yang Z M, Yang M. Leakminer: Detect information leakage on android with static taint analysis [C]// Third World Congress on Software Engineering. Wuhan, China: IEEE Press, 2012: 101-104.
[25]	Yan L K, Yin H. Droidscope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis [C]// Proceedings of the 21st USENIX Security Symposium. Berkeley, USA: USENIX Association, 2012: 29.
[26]	Yang Z M, Yang M, Zhang Y, et al. Appintent: Analyzing sensitive data transmission in android for privacy leakage detection [C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. Scottsdale, USA, ACM Press, 2013: 1 043-1 054.

TrendMD

Volume 44 Issue 10 page: 853-861

Cover

Keywords

Article Metrics

Article views (31) PDF downloads(73)

An approach to evaluate the effectiveness of privacy protection in Android system

Abstract

Abstract

References

Proportional views

Catalog

Recommended articles

TrendMD

Article Metrics

Proportional views

Authors

Browse

Contact Us

About

An approach to evaluate the effectiveness of privacy protection in Android system

Share

Tools

Abstract

Abstract

References

Proportional views

Catalog

Recommended articles

TrendMD

Article Metrics

Proportional views

Authors

Browse

Contact Us

About

Export File

Citation

Format

Content