ISSN 0253-2778

CN 34-1054/N

Open AccessOpen Access JUSTC Original Paper

An approach to evaluate the effectiveness of privacy protection in Android system

Cite this:
https://doi.org/10.3969/j.issn.0253-2778.2014.10.009
  • Received Date: 17 January 2014
  • Accepted Date: 13 March 2014
  • Rev Recd Date: 13 March 2014
  • Publish Date: 30 October 2014
  • To protect private data in smart phones, Android enforces a permission-based security policy. PrivacyMiner, a tool for evaluating the effectiveness of privacy protection in Android, was designed. First, 22 categories of private data in smart phones were identified, which were then checked to see if Android could efficiently protect them from malware. PrivacyMiner was applied to 12 revisions of Android source code, and it was found that 7 categories of private data were not well protected, as Malware can read them and send them out without any permission. These vulnerabilities were verified on 6 Android devices with 6 revisions of Android, from 2.1 up to 4.4.2. Our findings were confirmed by the Android Security Team from Google.
    To protect private data in smart phones, Android enforces a permission-based security policy. PrivacyMiner, a tool for evaluating the effectiveness of privacy protection in Android, was designed. First, 22 categories of private data in smart phones were identified, which were then checked to see if Android could efficiently protect them from malware. PrivacyMiner was applied to 12 revisions of Android source code, and it was found that 7 categories of private data were not well protected, as Malware can read them and send them out without any permission. These vulnerabilities were verified on 6 Android devices with 6 revisions of Android, from 2.1 up to 4.4.2. Our findings were confirmed by the Android Security Team from Google.
  • loading
  • [1]
    Apple Press Info. Apple s App Store Marks Historic 50 Billionth Download [EB/OL]. http://www.apple.com/pr/library/2013/05/16Apples-App-Store-Marks-Historic-50-Billionth-Download.html.
    [2]
    There have been 900 million Android activations, 48 billion app installs to date [EB/OL]. http://www.engadget.com/2013/05/15/900-million-android-activations/.
    [3]
    Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkley, USA: ACM Press. 2010, 10: 255-270.
    [4]
    Enck W, Octeau D, McDaniel P, et al. A study of android application security [C]// Proceedings of the 20th USENIX conference on Security. Berkley, USA: ACM Press 2011: 21.
    [5]
    Orthacker C, Teufl P, Kraxberger S, et al. Android security permissions — Can we trust them? [C]// International ICST Conference on Security and Privacy in Mobile Information and Communication Systems. Aalborg, Denmark: Springer, 2012: 40-51.
    [6]
    Zhou Y J, Jiang X X. Dissecting android malware: Characterization and evolution [C]// Proceedings of the 2012 IEEE Symposium on Security and Privacy. San Francisco, USA: IEEE Press, 2012: 95-109.
    [7]
    Chia P H, Yamamoto Y, Asokan N. Is this app safe? A large scale study on application permissions and risk signals [C]// Proceedings of the 21st International Conference on World Wide Web. Lyon, France: ACM Press, 2012: 311-320.
    [8]
    Android Company. Permissions in Android [EB/OL]. http://developer.android.com/reference/android/Manifest.permission.html.
    [9]
    Felt A P, Ha E, Egelman S, et al. Android permissions: User attention, comprehension, and behavior [C]// Proceedings of the 8th Symposium on Usable Privacy and Security. University of California, Berkeley, USA: ACM Press, 2012: Article No.3(1-14).
    [10]
    Lane M. Does the android permission system provide adequate information privacy protection for end-users of mobile apps? [C]// Proceedings of the 10th Australian Information Security Management Conference. Perth, Australia: ePrint, 2012: 66-73.
    [11]
    Chin E. Felt A P, Greenwood K, et al. Analyzing Inter-application communication in android [C]// Proceedings of the 9th International Conference on Mobile systems, applications, and services. Bethesda, USA: ACM Press, 2011: 239-252.
    [12]
    Kantola D, Chin E, He W D, et al. Reducing attack surfaces for intra-application communication in android [C]// Proceedings of the second ACM workshop on Security and privacy in SmartPhones and Mobile Devices. Raleigh, USA: ACM Press, 2012: 69-80.
    [13]
    Grace M, Zhou Y J, Wang Z, et al. Systematic detection of capability leaks in stock android SmartPhones [C]// Proceedings of the 19th Network and Distributed System Security Symposium. San Diego, USA: ACM Press, 2012.
    [14]
    Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
    [15]
    Wei X T, Gomez L, Neamtiu L, et al. Permission evolution in the android ecosystem [C]// Proceedings of the 28th Annual Computer Security Applications Conference.Orlando, USA: ACM Press, 2012: 31-40.
    [16]
    Barrera D, Kayacik H G, van Oorschot P C, et al. A methodology for empirical analysis of permission-based security models and its application to android [C]// Proceedings of the 17th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2010: 73-84.
    [17]
    Au K W Y, Zhou Y F, Huang Z, et al. PScout: analyzing the Android permission specification [C]// Proceedings of the 2012 ACM conference on Computer and Communications Security. Raleigh, USA: ACM Press, 2012: 217-228.
    [18]
    Zhou W, Zhou Y J, Jiang X X, et al. Detecting repackaged SmartPhone applications in third-party android marketplaces [C]// Proceedings of the Second ACM Conference on Data and Application Security and Privacy. San Antonio, USA: ACM Press, 2012: 317-326.
    [19]
    Zhou W, Zhang X W, Jiang X X. AppInk: Watermarking android apps for repackaging deterrence [C]// Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. Hangzhou, China: ACM Press, 2013: 1-12.
    [20]
    Felt A P, Chin E, Hanna S, et ala. Android permissions demystified [C]// Proceedings of the 18th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2011: 627-638.
    [21]
    Chan P F, Hui C K, Yiu S M. DroidChecker: Analyzing android applications for capability leak [C]// Proceedings of the fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, USA: ACM Press, 2012: 125-136.
    [22]
    Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
    [23]
    Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. Vancouver, Canada: USENIX Association, 2010, 10: 255-270.
    [24]
    Yang Z M, Yang M. Leakminer: Detect information leakage on android with static taint analysis [C]// Third World Congress on Software Engineering. Wuhan, China: IEEE Press, 2012: 101-104.
    [25]
    Yan L K, Yin H. Droidscope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis [C]// Proceedings of the 21st USENIX Security Symposium. Berkeley, USA: USENIX Association, 2012: 29.
    [26]
    Yang Z M, Yang M, Zhang Y, et al. Appintent: Analyzing sensitive data transmission in android for privacy leakage detection [C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. Scottsdale, USA, ACM Press, 2013: 1 043-1 054.
  • 加载中

Catalog

    [1]
    Apple Press Info. Apple s App Store Marks Historic 50 Billionth Download [EB/OL]. http://www.apple.com/pr/library/2013/05/16Apples-App-Store-Marks-Historic-50-Billionth-Download.html.
    [2]
    There have been 900 million Android activations, 48 billion app installs to date [EB/OL]. http://www.engadget.com/2013/05/15/900-million-android-activations/.
    [3]
    Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkley, USA: ACM Press. 2010, 10: 255-270.
    [4]
    Enck W, Octeau D, McDaniel P, et al. A study of android application security [C]// Proceedings of the 20th USENIX conference on Security. Berkley, USA: ACM Press 2011: 21.
    [5]
    Orthacker C, Teufl P, Kraxberger S, et al. Android security permissions — Can we trust them? [C]// International ICST Conference on Security and Privacy in Mobile Information and Communication Systems. Aalborg, Denmark: Springer, 2012: 40-51.
    [6]
    Zhou Y J, Jiang X X. Dissecting android malware: Characterization and evolution [C]// Proceedings of the 2012 IEEE Symposium on Security and Privacy. San Francisco, USA: IEEE Press, 2012: 95-109.
    [7]
    Chia P H, Yamamoto Y, Asokan N. Is this app safe? A large scale study on application permissions and risk signals [C]// Proceedings of the 21st International Conference on World Wide Web. Lyon, France: ACM Press, 2012: 311-320.
    [8]
    Android Company. Permissions in Android [EB/OL]. http://developer.android.com/reference/android/Manifest.permission.html.
    [9]
    Felt A P, Ha E, Egelman S, et al. Android permissions: User attention, comprehension, and behavior [C]// Proceedings of the 8th Symposium on Usable Privacy and Security. University of California, Berkeley, USA: ACM Press, 2012: Article No.3(1-14).
    [10]
    Lane M. Does the android permission system provide adequate information privacy protection for end-users of mobile apps? [C]// Proceedings of the 10th Australian Information Security Management Conference. Perth, Australia: ePrint, 2012: 66-73.
    [11]
    Chin E. Felt A P, Greenwood K, et al. Analyzing Inter-application communication in android [C]// Proceedings of the 9th International Conference on Mobile systems, applications, and services. Bethesda, USA: ACM Press, 2011: 239-252.
    [12]
    Kantola D, Chin E, He W D, et al. Reducing attack surfaces for intra-application communication in android [C]// Proceedings of the second ACM workshop on Security and privacy in SmartPhones and Mobile Devices. Raleigh, USA: ACM Press, 2012: 69-80.
    [13]
    Grace M, Zhou Y J, Wang Z, et al. Systematic detection of capability leaks in stock android SmartPhones [C]// Proceedings of the 19th Network and Distributed System Security Symposium. San Diego, USA: ACM Press, 2012.
    [14]
    Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
    [15]
    Wei X T, Gomez L, Neamtiu L, et al. Permission evolution in the android ecosystem [C]// Proceedings of the 28th Annual Computer Security Applications Conference.Orlando, USA: ACM Press, 2012: 31-40.
    [16]
    Barrera D, Kayacik H G, van Oorschot P C, et al. A methodology for empirical analysis of permission-based security models and its application to android [C]// Proceedings of the 17th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2010: 73-84.
    [17]
    Au K W Y, Zhou Y F, Huang Z, et al. PScout: analyzing the Android permission specification [C]// Proceedings of the 2012 ACM conference on Computer and Communications Security. Raleigh, USA: ACM Press, 2012: 217-228.
    [18]
    Zhou W, Zhou Y J, Jiang X X, et al. Detecting repackaged SmartPhone applications in third-party android marketplaces [C]// Proceedings of the Second ACM Conference on Data and Application Security and Privacy. San Antonio, USA: ACM Press, 2012: 317-326.
    [19]
    Zhou W, Zhang X W, Jiang X X. AppInk: Watermarking android apps for repackaging deterrence [C]// Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. Hangzhou, China: ACM Press, 2013: 1-12.
    [20]
    Felt A P, Chin E, Hanna S, et ala. Android permissions demystified [C]// Proceedings of the 18th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2011: 627-638.
    [21]
    Chan P F, Hui C K, Yiu S M. DroidChecker: Analyzing android applications for capability leak [C]// Proceedings of the fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, USA: ACM Press, 2012: 125-136.
    [22]
    Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale [C]// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
    [23]
    Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones [C]// Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. Vancouver, Canada: USENIX Association, 2010, 10: 255-270.
    [24]
    Yang Z M, Yang M. Leakminer: Detect information leakage on android with static taint analysis [C]// Third World Congress on Software Engineering. Wuhan, China: IEEE Press, 2012: 101-104.
    [25]
    Yan L K, Yin H. Droidscope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis [C]// Proceedings of the 21st USENIX Security Symposium. Berkeley, USA: USENIX Association, 2012: 29.
    [26]
    Yang Z M, Yang M, Zhang Y, et al. Appintent: Analyzing sensitive data transmission in android for privacy leakage detection [C]// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. Scottsdale, USA, ACM Press, 2013: 1 043-1 054.

    Article Metrics

    Article views (36) PDF downloads(85)
    Proportional views

    /

    DownLoad:  Full-Size Img  PowerPoint
    Return
    Return