Leave Me Alone: App-Level Protection against Runtime Information Gathering on Android

Zhang, Nan; Yuan, Kan; Naveed, Muhammad; Zhou, Xiaoyong; Wang, Xiaofeng

doi:10.1109/sp.2015.61

Cited by 61 publications

(46 citation statements)

References 9 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An alternative approach is to monitor the use of the leaky APIs while some sensitive apps are running in the foreground. This idea has been illustrated in Android by Zhang et al [65] on Android using a non-privileged guardian app. Due to the more strict cross-app isolation on iOS, however, this task can only be accomplished by the system itself on iOS.…”

Section: Countermeasuresmentioning

confidence: 99%

“…Lin et al [45] employed procfs to extract an app's CPU usage to detect user's key press operation on Android. Zhang et al [65] explored similar channels from procfs to fingerprint user behavior through the Android apps of IP cameras. Most recently, Diao et al [36] studied the use of global interrupt counters in procfs to infer the user's unlock patterns and foreground apps.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS

Zhang¹,

Wang²,

Bai³

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

Abstract-It has been demonstrated in numerous previous studies that Android and its underlying Linux operating systems do not properly isolate mobile apps to prevent cross-app sidechannel attacks. Cross-app information leakage enables malicious Android apps to infer sensitive user data (e.g., passwords), or private user information (e.g., identity or location) without requiring specific permissions. Nevertheless, no prior work has ever studied these side-channel attacks on iOS-based mobile devices. One reason is that iOS does not implement procfsthe most popular side-channel attack vector; hence the previously known attacks are not feasible.In this paper, we present the first study of OS-level sidechannel attacks on iOS. Specifically, we identified several new side-channel attack vectors (i.e., iOS APIs that enable cross-app information leakage); developed machine learning frameworks (i.e., classification and pattern matching) that combine multiple attack vectors to improve the accuracy of the inference attacks; demonstrated three categories of attacks that exploit these vectors and frameworks to exfiltrate sensitive user information. We have reported our findings to Apple and proposed mitigations to the attacks. Apple has incorporated some of our suggested countermeasures into iOS 11 and MacOS High Sierra 10.13 and later versions.

show abstract

Section: Countermeasuresmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS

Zhang¹,

Wang²,

Bai³

et al. 2018

Proceedings 2018 Network and Distributed System Security Symposium

Self Cite

View full text Add to dashboard Cite

show abstract

“…It replaces the original peripheral drivers by a remote update when a user enters restricted spaces such as a federal building, and doesn't cancel the enforcement of usage policies until the user checks out. App Guardian (Zhang et al 2015) thwarts the runtime-information-gathering of malicious apps by blocking the runtime monitoring attempt. To realize this, App Guardian pauses the malicious app when sensitive app is running.…”

Section: Related Workmentioning

confidence: 99%

Using IM-Visor to stop untrusted IME apps from stealing sensitive keystrokes

et al. 2018

View full text Add to dashboard Cite

Third-party IME (Input Method Editor) apps are often the preference means of interaction for Android users' input. In this paper, we first discuss the insecurity of IME apps, including the Potentially Harmful Apps (PHAs) and malicious IME apps, which may leak users' sensitive keystrokes. The current defense system, such as I-BOX, is vulnerable to the prefix substitution attack and the colluding attack due to the post-IME nature. We provide a deeper understanding that all the designs with the post-IME nature are subject to the prefix-substitution and colluding attacks. To remedy the above post-IME system's flaws, we propose a new idea, pre-IME, which guarantees that "Is this touch event a sensitive keystroke?" analysis will always access user touch events prior to the execution of any IME app code. We design an innovative TrustZone-based framework named IM-Visor which has the pre-IME nature. Specifically, IM-Visor creates the isolation environment named STIE as soon as a user intends to type on a soft keyboard, then the STIE intercepts,Android event sub translates and analyzes the user's touch input. If the input is sensitive, the translation of keystrokes will be delivered to user apps through a trusted path. Otherwise, IM-Visor replays non-sensitive keystroke touch events for IME apps or replays non-keystroke touch events for other apps. A prototype of IM-Visor has been implemented and tested with several most popular IMEs. The experimental results show that IM-Visor has small runtime overheads.

show abstract

“…Zhang et al focus on side-channel leaks and propose an application-level monitor that prevents background processes from collecting privacy-sensitive information [56]. This defense does not protect against AdSDKs that openly send location data over the network, nor against mobile ads that run in the foreground.…”

Section: Related Workmentioning

confidence: 99%

What Mobile Ads Know About Mobile Users

Son

Kim

Shmatikov

2016

Proceedings 2016 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Abstract-We analyze the software stack of popular mobile advertising libraries on Android and investigate how they protect the users of advertising-supported apps from malicious advertising. We find that, by and large, Android advertising libraries properly separate the privileges of the ads from the host app by confining ads to dedicated browser instances that correctly apply the same origin policy.We then demonstrate how malicious ads can infer sensitive information about users by accessing external storage, which is essential for media-rich ads in order to cache video and images. Even though the same origin policy prevents confined ads from reading other apps' external-storage files, it does not prevent them from learning that a file with a particular name exists. We show how, depending on the app, the mere existence of a file can reveal sensitive information about the user. For example, if the user has a pharmacy price-comparison app installed on the device, the presence of external-storage files with certain names reveals which drugs the user has looked for.We conclude with our recommendations for redesigning mobile advertising software to better protect users from malicious advertising.

show abstract

Leave Me Alone: App-Level Protection against Runtime Information Gathering on Android

Cited by 61 publications

References 9 publications

OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS

OS-level Side Channels without Procfs: Exploring Cross-App Information Leakage on iOS

Using IM-Visor to stop untrusted IME apps from stealing sensitive keystrokes

What Mobile Ads Know About Mobile Users

Contact Info

Product

Resources

About