THESE AREN’T THE DROIDS YOU’RE LOOKING FOR
Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall
Retrofitting Android to Protect Data from Imperious Applications
SIL765
Jagjeet Singh Dhaliwal (2008CS50212), Manav Goel (2008CS50215)
Applications can’t be trusted
Recent academic research corroborates these findings
* Source: Wall Street Journal - http://online.wsj.com/article/SB10001424052748704368004576027751867039730.html
What is the threat?
• Android applications that misappropriate the user's privacy-sensitive data
• Transmit sensitive data that the user intends the application to use on-device only
• Transmit sensitive data to third parties
• Third parties: servers not used directly for app functionality, but often for advertising & analytics
Outline
• Measurement study of sensitive data usage
• AppFence: a defense against misappropriation of sensitive data
• Framework for evaluating impact on user's experience
• Evaluation of AppFence on 50 applications
What qualifies as "sensitive data"?
• Basically identified 12 types of privacy-sensitive data on Android:
  device ID, location, phone number, contacts, camera, accounts, logs, microphone, SMS messages, history & bookmarks, calendar, subscribed feeds
How can we tell what apps are doing?
• TaintDroid: dynamic taint tracking for Android applications [Enck et al]

  loc = getLocation();      // taint tag applied
  ...
  loc_copy = loc;           // taint propagated
  ...
  network_send(loc_copy);   // checked for taint

• Gives runtime detection of sensitive data transmission for apps
• Apps can't transform or obfuscate data to remove taint
• Enhanced TaintDroid: added tracking for all 12 data types
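To make the taint-propagation idea above concrete, here is an added example in plain Python that is not from the slides and not TaintDroid's own code. Values read from a sensitive source carry a set of taint tags; the tags survive copies, concatenation, hashing and base64 encoding, and the network sink reports which data types flow to which host. The app, hostnames and sample values are constructed for illustration; the hashing and encoding steps stand in for the kinds of transformation an app might use to obscure data, which cannot strip the tag.

```python
# Added example: a minimal dynamic taint-tracking simulation (not TaintDroid code).
import base64
import hashlib

# The 12 privacy-sensitive data types listed in the slides.
SENSITIVE_TYPES = {
    "device_id", "location", "phone_number", "contacts", "camera", "accounts",
    "logs", "microphone", "sms", "history_bookmarks", "calendar", "subscribed_feeds",
}


def _unwrap(x):
    """Return (plain value, taint tags) for a Tainted or a plain value."""
    if isinstance(x, Tainted):
        return x.value, x.tags
    return x, frozenset()


class Tainted:
    """A value plus the set of sensitive-data types it was derived from."""

    def __init__(self, value, tags=frozenset()):
        self.value = value
        self.tags = frozenset(tags)

    def __add__(self, other):
        # Concatenation propagates the union of both operands' tags.
        other_val, other_tags = _unwrap(other)
        return Tainted(self.value + other_val, self.tags | other_tags)

    def __radd__(self, other):
        other_val, other_tags = _unwrap(other)
        return Tainted(other_val + self.value, other_tags | self.tags)


def taint_source(data_type, value):
    """Simulates an Android API returning privacy-sensitive data: taint tag applied."""
    assert data_type in SENSITIVE_TYPES
    return Tainted(value, {data_type})


def sha256_hex(x):
    """Hashing changes the bytes but the taint tag is carried along."""
    val, tags = _unwrap(x)
    return Tainted(hashlib.sha256(str(val).encode()).hexdigest(), tags)


def b64(x):
    """Base64 encoding likewise keeps the taint tag."""
    val, tags = _unwrap(x)
    return Tainted(base64.b64encode(str(val).encode()).decode(), tags)


def network_send(destination, payload, log):
    """Network sink: checked for taint.

    Records (destination, leaked types) in `log` and returns the set of
    sensitive data types in the payload (empty if it is clean).
    """
    _, tags = _unwrap(payload)
    if tags:
        log.append((destination, tuple(sorted(tags))))
    return set(tags)


def demo_app(log):
    """A constructed app that tries to disguise location and device ID before sending."""
    loc = taint_source("location", "47.653,-122.306")   # taint tag applied
    loc_copy = loc                                        # taint propagated
    dev = taint_source("device_id", "0123456789ABCDEF")   # constructed sample ID
    blob = "id=" + sha256_hex(dev) + "&loc=" + b64(loc_copy)
    leaked = network_send("analytics.example", blob, log)   # checked for taint
    clean = network_send("api.example", "version=1.2", log)
    return leaked, clean


if __name__ == "__main__":
    events = []
    print(demo_app(events), events)
```

Running `demo_app` shows both `location` and `device_id` reaching the analytics host despite the hash and base64 steps, while the clean version-check request is not flagged. Real TaintDroid does this at the Dalvik VM level for primitive and object copies rather than through a wrapper class, but the propagation and sink-check logic is the same.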
Study of sensitive data usage
• The authors performed an extensive study of sensitive data usage by Android apps
• 110 popular free apps from Android Market
• Selected to cover all 12 sensitive data types
• Manually executed each app for ~5 minutes
• Used TaintDroid to measure the types of sensitive data sent out and the destinations sent to
73 apps
Appears that some apps use sensitive data only for the purpose of sharing with third parties.
For location data (across 110 apps):
[Figure: flow of location data. Location? -> Android -> Application (45 apps) -> Third parties (30 apps)]
Of these 30 apps, 28 sent location only to third parties!
Third-party destinations: Mobclix, Flurry, Inmobi, AdMob
Results
83 apps
Could they be tracking me?
Multiple apps send the device ID to the same third parties: the risk of cross-application profiling is real.
For unique device IDs (110 apps):
[Figure: flow of device ID. Device ID? -> Android -> Application (31 apps) -> Third parties (14 apps)]
Just 3 third-party destinations: Mobclix, Flurry, Freystripe
What else do apps misappropriate?
• Two apps sent out the user's phone number for no apparent reason except tracking
• A call-blocking app sent out the user's entire contacts book, then asked the user to opt in
Sensitive data intended only for on-device use may be sent off the device.
Outline
• Measurement study of sensitive data usage
• AppFence: a defense against misappropriation of sensitive data
• Framework for evaluating impact on user's experience
• Evaluation of AppFence on 50 applications
Our Defense: AppFence
• Two complementary privacy controls:
  • Shadowing: app doesn't get sensitive data at all
  • Blocking: app gets sensitive data, but can't send it out
[Figure: Android supplies sensitive data to the Application, which talks to external servers. Data shadowing sits between Android and the application; exfiltration blocking sits between the application and the external servers.]
How data shadowing works
CCS - October 17-21, 2011
[Figure: the Application asks Android "Phone #?". The true value is (206) 555-4321, but Android returns the shadow value (123) 456-7890, and that shadow value is what the application sends to analytics.com.]
Three kinds of shadow data
• Blank data
  • e.g. contacts: {S. Han, 206-555-4321} -> {}
• Fake data
  • e.g. location: {47.653,-122.306} -> {41.887,-87.619}
• Constructed data
  • e.g. device ID = hash(app name, true device ID)
  • Consistent for each application, but different across applications
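The three shadow kinds above, written out as an added Python example that is not AppFence's own code. The sample contacts, location and device ID are constructed; the per-device secret used to key the constructed device ID is an assumption of this example (the slides only say hash(app name, true device ID)), added so that a third party who knows the app name cannot recompute or invert the hash. Which shadow kind applies to which data type here follows the slides' examples and is also a choice of this example.

```python
# Added example: generating blank, fake and constructed shadow data (not AppFence code).
import hashlib
import hmac

# Real values an app would normally receive (constructed sample data).
TRUE_CONTACTS = [{"name": "S. Han", "phone": "206-555-4321"}]
TRUE_LOCATION = (47.653, -122.306)
TRUE_DEVICE_ID = "0123456789ABCDEF"

# Fixed fake location returned to every app (the slides' example value).
FAKE_LOCATION = (41.887, -87.619)

# Per-device secret keying the constructed device ID. Assumption of this
# example: it is generated once per device and never leaves it.
DEVICE_SECRET = b"constructed-per-device-secret"


def blank_shadow(data_type):
    """Blank data: an empty value of the right shape, so the app does not crash."""
    return {"contacts": [], "sms": [], "calendar": [], "logs": ""}[data_type]


def fake_shadow(data_type):
    """Fake data: a plausible but unrelated value."""
    return {"location": FAKE_LOCATION, "phone_number": "(123) 456-7890"}[data_type]


def constructed_device_id(app_name, true_device_id=TRUE_DEVICE_ID):
    """Constructed data: hash(app name, true device ID), keyed with the device secret.

    The result is stable for one app (so the app can still use it as an
    identifier) but differs across apps (so third parties cannot join
    profiles across apps).
    """
    msg = f"{app_name}\x00{true_device_id}".encode()
    digest = hmac.new(DEVICE_SECRET, msg, hashlib.sha256).hexdigest()
    # Keep the real ID's format (16 hex digits) so apps that validate it still work.
    return digest[:16].upper()


def shadow_value(app_name, data_type):
    """Dispatch: which shadow kind is used for each data type in this example."""
    if data_type == "device_id":
        return constructed_device_id(app_name)
    if data_type in ("location", "phone_number"):
        return fake_shadow(data_type)
    return blank_shadow(data_type)


if __name__ == "__main__":
    for app in ("com.example.game", "com.example.news"):
        print(app, shadow_value(app, "device_id"), shadow_value(app, "location"))
```

Each app always sees the same constructed device ID, while two different apps see different IDs, which is the property the slides call "consistent for each application, but different across applications".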
How exfiltration blocking works
[Figure: the Application asks Android "Phone #?" and receives the true value (206) 555-4321. When it tries to send that value to analytics.com, the app sees "Airplane mode: no network available".]
Outline
• Measurement study of sensitive data usage
• AppFence: a defense against misappropriation of sensitive data
• Framework for evaluating impact on user's experience
• Evaluation of AppFence on 50 applications
What should we measure?
• Privacy controls may cause changes in application behavior
• The authors decided to measure the impact of AppFence on the user's experience
• How did they measure this?
  • Look for user-visible changes in application behavior: side effects
  • Impact on whom?
An example of a side effect
• We look for user-visible changes in application screenshots:
Framework for measuring side effects
• Automate application execution by using an Android GUI testing program
  • Converts a script of high-level commands (e.g. "press button", "select from menu") into GUI interactions
  • Captures a screenshot after every command
• A human detects side effects by comparing screenshots taken with and without AppFence enabled
• Classify applications based on the side effects observed:
  • None
  • Ads absent
  • Less functional
  • Broken
How we check for side effects
[Figure: screenshot triples (Baseline | AppFence | Diff) for each class of side effect: none, ads absent, less functional, broken]
Outline
• Measurement study of sensitive data usage
• AppFence: a defense against misappropriation of sensitive data
• Framework for evaluating impact on user's experience
• Evaluation of AppFence on 50 applications
Experiments
• Selected 50 apps that sent out sensitive data
• Wrote execution scripts for these apps
  • Exercise main features and features likely to send out sensitive data
• Enable one AppFence privacy control, execute all applications
• Check screenshots for side effects and classify applications
Configuring privacy controls?
• To reveal the most side effects:
  • Data shadowing of all sensitive data types
  • Exfiltration blocking of all types to all destinations
• This imposes a policy on the app: sensitive data should never leave the device
• But don't some apps have a legitimate need to send out data?
Side effects shown by 50 apps

Side effect        Data shadowing   Exfiltration blocking   Least-disruptive choice
None               28 (56%)         16 (32%)                30 (60%)
Ads absent          0 (0%)          11 (22%)                 3 (6%)
Less functional    14 (28%)         10 (20%)                11 (22%)
Broken              8 (16%)         13 (26%)                 6 (12%)
Choose the control that caused the least-severe side effects for each app: 33 apps (66%) then had no side effects or only absent ads. We used profiling to choose; determining the right control in advance is challenging.
Remember, we applied a single privacy control (one or the other) to all applications
Slightly more than half of the apps ran with limited or no side effects
Data shadowing was less disruptive than exfiltration blocking
So 34% of applications didn't work?
• These apps had four kinds of functionality that directly conflict with our configuration (sensitive data should never leave the device):
  • Location broadcast (location)
  • Geographic search (location)
  • Find friends (contacts)
  • Cross-application gaming profiles (device ID)
When to use data shadowing
• Data types such as device ID, location, phone number
  • Aren't presented directly to the user
  • Must be transmitted off the device
• Example application behaviors:
  • Device ID sent along with login information
  • Location collected at application launch
When to use exfiltration blocking
• Data types such as contacts, SMS, calendar
  • Presented to the user on the device
  • Don't need to be transmitted off the device
• Example application behaviors:
  • Selecting a contact to send a message to
  • Adding reminders to calendar
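An added Python example, not from the slides or AppFence, that puts the two selection rules on this page into code: the per-data-type heuristic just above (shadow data that is normally transmitted but never shown to the user; block exfiltration of data that is shown on-device and not needed off it), and the profiling-based choice from the evaluation (run each app under each control, record the side effect, keep the least-severe one). The app names and their profiling results are constructed; the severity ordering none < ads absent < less functional < broken follows the slides' classification, and breaking ties in favour of shadowing is a choice of this example.

```python
# Added example: choosing an AppFence privacy control per app (not AppFence code).

# Severity ordering for side effects (lower is better), from the slides' classes.
SEVERITY = {"none": 0, "ads absent": 1, "less functional": 2, "broken": 3}

# Heuristic from the slides for when no profiling data exists.
SHADOW_TYPES = {"device_id", "location", "phone_number"}   # not shown to user, must be sent
BLOCK_TYPES = {"contacts", "sms", "calendar"}               # shown on-device, need not be sent


def control_for_type(data_type):
    """Heuristic choice of control for one sensitive data type."""
    if data_type in SHADOW_TYPES:
        return "shadowing"
    if data_type in BLOCK_TYPES:
        return "blocking"
    raise ValueError(f"no heuristic for data type {data_type!r}")


def least_disruptive(profile):
    """profile: {'shadowing': side_effect, 'blocking': side_effect} for one app.

    Returns (control, side_effect) with the least-severe side effect; ties go
    to shadowing, which was the less disruptive control overall in the evaluation.
    """
    best = min(("shadowing", "blocking"),
               key=lambda c: (SEVERITY[profile[c]], c != "shadowing"))
    return best, profile[best]


def tally(profiles):
    """Count apps per side-effect class under each control and under the per-app choice.

    This is how the three columns of the slides' side-effects table are built.
    """
    counts = {"shadowing": {}, "blocking": {}, "least-disruptive": {}}
    for profile in profiles.values():
        for control in ("shadowing", "blocking"):
            effect = profile[control]
            counts[control][effect] = counts[control].get(effect, 0) + 1
        _, effect = least_disruptive(profile)
        counts["least-disruptive"][effect] = counts["least-disruptive"].get(effect, 0) + 1
    return counts


def acceptable_fraction(profiles):
    """Share of apps whose chosen control leaves them with no side effect or only absent ads."""
    ok = sum(1 for p in profiles.values()
             if SEVERITY[least_disruptive(p)[1]] <= SEVERITY["ads absent"])
    return ok / len(profiles)


# Constructed profiling results: side effect observed under each control.
PROFILES = {
    "com.example.weather": {"shadowing": "none", "blocking": "broken"},
    "com.example.game":    {"shadowing": "less functional", "blocking": "ads absent"},
    "com.example.dialer":  {"shadowing": "broken", "blocking": "none"},
    "com.example.social":  {"shadowing": "broken", "blocking": "less functional"},
    "com.example.notes":   {"shadowing": "none", "blocking": "none"},
}


if __name__ == "__main__":
    for app, profile in PROFILES.items():
        print(app, least_disruptive(profile))
    print(tally(PROFILES), acceptable_fraction(PROFILES))
```

On the constructed profiles, the per-app choice leaves four of five apps with no side effect or only absent ads, even though neither control alone does as well; the same effect is what lifts the slides' figure from 56% (shadowing alone) to 66% with the least-disruptive choice. The heuristic in `control_for_type` is the fallback when an app has not been profiled.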
Conclusion
• AppFence breaks the power of the installation ultimatum
• We revealed side effects by never allowing sensitive data to leave the device
• Some apps: the user must choose between functionality and privacy
• Majority of apps: two privacy controls can prevent misappropriation without side effects
Further Work
• Extending the taint sources to include compression using java.util.zip
• Extending data shadowing to offer finer-granularity controls, such as shadowing location with a nearby but less private place, e.g. the city center
Questions?