Efficient, context-aware privacy leakage confinement for android applications without firmware modding

Zhang, Mu; Yin, Heng

doi:10.1145/2590296.2590312

Cited by 38 publications

(18 citation statements)

References 24 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…AppIntent [29] tracks the sequence of events leading to private data transmission, which helps to determine whether it is user intended or not. Zhang and Yin [30] develop Capper that can track privacy information and detect leakage at run time by inserting instrumentation code into apps. Our work takes a different viewpoint by systematically analyzing what privacy sensitive information the advertiser can collect and aggregate at run-time from multiple apps and infer the social relationship of a user.…”

Section: Discussionmentioning

confidence: 99%

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

Wang

Chen

et al. 2015

2015 IEEE 35th International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

Abstract-Many smartphone apps routinely gather various private user data and send them to advertisers. Despite recent study on protection mechanisms and analysis on apps' behavior, the understanding about the consequences of such privacy losses remains limited. In this paper we investigate how much an advertiser can infer about users' social and community relationships by combining data from multiple applications and across many users. After one month's user study involving about 200 most popular Android apps, we find that an advertiser can infer 90% of the social relationships. We further propose a privacy leakage inference framework and use real mobility traces and Foursquare data to quantify the consequences of privacy leakage. We find that achieving 90% inference accuracy of the social and community relationships requires merely 3 weeks' user data. The discoveries underscore the importance of early adoption of privacy protection mechanisms.

show abstract

Section: Discussionmentioning

confidence: 99%

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

Wang

Chen

et al. 2015

2015 IEEE 35th International Conference on Distributed Computing Systems

View full text Add to dashboard Cite

show abstract

“…AppSealer [49] instruments Android apps for generating vulnerability-specific patches, which prevent component hijacking attacks at runtime. Other approaches [50,51] apply the same idea, which injects shadow code into Android apps, to perform privacy leaks prevention.…”

Section: Related Workmentioning

confidence: 99%

DroidRA: taming reflection to support whole-program analysis of Android apps

Bissyandé

Octeau

et al. 2016

Proceedings of the 25th International Symposium on Software Testing and Analysis

130

View full text Add to dashboard Cite

Android developers heavily use reflection in their apps for legitimate reasons, but also significantly for hiding malicious actions. Unfortunately, current state-of-the-art static analysis tools for Android are challenged by the presence of reflective calls which they usually ignore. Thus, the results of their security analysis, e.g., for private data leaks, are inconsistent given the measures taken by malware writers to elude static detection. We propose the DroidRA instrumentationbased approach to address this issue in a non-invasive way. With DroidRA, we reduce the resolution of reflective calls to a composite constant propagation problem. We leverage the COAL solver to infer the values of reflection targets and app, and we eventually instrument this app to include the corresponding traditional Java call for each reflective call. Our approach allows to boost an app so that it can be immediately analyzable, including by such static analyzers that were not reflection-aware. We evaluate DroidRA on benchmark apps as well as on real-world apps, and demonstrate that it can allow state-of-the-art tools to provide more sound and complete analysis results.

show abstract

“…For example, TaintDroid [21] uses dynamic taint analysis to detect privacy leaks in Android apps, while PiOS [20] targets the iOS platform. Several systems [16,29,32,40,42,47,48,48,50] have been proposed to mitigate this threat. They either extend the Android framework to provide fine-grained permission control, or repackage apps to avoid changing the framework.…”

Section: Related Workmentioning

confidence: 99%

Harvesting developer credentials in Android apps

Zhou

Wang

et al. 2015

Proceedings of the 8th ACM Conference on Security &Amp; Privacy in Wireless and Mobile Networks

View full text Add to dashboard Cite

Developers often integrate third-party services into their apps. To access a service, an app must authenticate itself to the service with a credential. However, credentials in apps are often not properly or adequately protected, and might be easily extracted by attackers. A leaked credential could pose serious privacy and security threats to both the app developer and app users.In this paper, we propose CredMiner to systematically study the prevalence of unsafe developer credential uses in Android apps. CredMiner can programmatically identify and recover (obfuscated) developer credentials unsafely embedded in Android apps. Specifically, it leverages data flow analysis to identify the raw form of the embedded credential, and selectively executes the part of the program that builds the credential to recover it. We applied CredMiner to 36, 561 apps collected from various Android markets to study the use of free email services and Amazon AWS. There were 237 and 196 apps that used these two services, respectively. CredMiner discovered that 51.5% (121/237) and 67.3% (132/196) of them were vulnerable. In total, CredMiner recovered 302 unique email login credentials and 58 unique Amazon AWS credentials, and verified that 252 and 28 of these credentials were still valid at the time of the experiments, respectively.

show abstract

Efficient, context-aware privacy leakage confinement for android applications without firmware modding

Cited by 38 publications

References 24 publications

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

Towards Understanding the Advertiser's Perspective of Smartphone User Privacy

DroidRA: taming reflection to support whole-program analysis of Android apps

Harvesting developer credentials in Android apps

Contact Info

Product

Resources

About