
These Aren’t the Droids You’re Looking For

These Aren’t the Droids You’re Looking For. Retrofitting Android to Protect Data from Imperious Applications. Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall. SIL765 Jagjeet Singh Dhaliwal (2008CS50212) Manav Goel (2008CS50215).



Presentation Transcript


  1. These Aren’t the Droids You’re Looking For: Retrofitting Android to Protect Data from Imperious Applications Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall SIL765 Jagjeet Singh Dhaliwal (2008CS50212) Manav Goel (2008CS50215)

  2. Applications can’t be trusted • Recent academic research corroborates these findings * Source: Wall Street Journal - http://online.wsj.com/article/SB10001424052748704368004576027751867039730.html

  3. What is the threat? • Android applications that misappropriate the user’s privacy-sensitive data • Transmit sensitive data that the user intends the application to use on-device only • Transmit sensitive data to third parties • Third parties: servers not used directly for app functionality, but often for advertising & analytics

  4. Outline • Measurement study of sensitive data usage • AppFence: a defense against misappropriation of sensitive data • Framework for evaluating impact on user’s experience • Evaluation of AppFence on 50 applications

  5. What qualifies as “sensitive data”? • The authors identified 12 types of privacy-sensitive data on Android.

  6. How can we tell what apps are doing? • TaintDroid: dynamic taint tracking for Android applications [Enck et al.]
       loc = getLocation();        // taint tag applied
       ...
       loc_copy = loc;             // taint propagated
       ...
       network_send(loc_copy);     // checked for taint
     • Apps can’t transform or obfuscate data to remove the taint • Enhanced TaintDroid: added tracking for all 12 data types • Gives runtime detection of sensitive data transmission by apps

  7. Study of sensitive data usage • The authors performed an extensive study of sensitive data usage by Android apps • 110 popular free apps from Android Market • Selected to cover all 12 sensitive data types • Manually executed each app for ~5 minutes • Used TaintDroid to measure the types of sensitive data sent out and the destinations they were sent to.

  8. Results • For location data (across 110 apps) [figure: Android → Application → Third parties, labelled “Location?”, “73 apps”, “45 apps”, “30 apps”] • It appears that some apps use sensitive data only for the purpose of sharing it with third parties • Of these 30 apps, 28 sent location only to third parties! • Third-party destinations: Mobclix, Flurry, Inmobi, AdMob

  9. Could they be tracking me? • For unique device IDs (110 apps) [figure: Android → Application → Third parties, labelled “Device ID?”, “83 apps”, “31 apps”, “14 apps”] • Multiple apps send the device ID to the same third parties: the risk of cross-application profiling is real • Just 3 third-party destinations: Mobclix, Flurry, Greystripe

  10. What else do apps misappropriate? • Two apps sent out the user’s phone number for no apparent reason except tracking • A call-blocking app sent out the user’s entire contacts book, then asked the user to opt in • Sensitive data intended only for on-device use may be sent off the device

  11. Outline • Measurement study of sensitive data usage • AppFence: a defense against misappropriation of sensitive data • Framework for evaluating impact on user’s experience • Evaluation of AppFence on 50 applications

  12. Our Defense: AppFence • Two complementary privacy controls: • Shadowing: the app doesn’t get the sensitive data at all • Blocking: the app gets the sensitive data, but can’t send it out [figure: sensitive data flows from Android to the Application and on to External servers; data shadowing sits at the Android→Application boundary, exfiltration blocking at the Application→External servers boundary]

  13. CCS - October 17-21, 2011 How data shadowing works [figure: the Application asks Android “Phone #?”; Android holds the true number (206) 555-4321 but returns the shadow data (123) 456-7890, and it is the shadow number that the Application sends to analytics.com] • Shadow data: (123) 456-7890

  14. Three kinds of shadow data • Blank data • e.g. contacts: {S. Han, 206-555-4321} → {} • Fake data • e.g. location: {47.653,-122.306} → {41.887,-87.619} • Constructed data • e.g. device ID = hash(app name, true device ID) • Consistent for each application, but different across applications
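The three shadowing strategies on this slide, as an added Python example that is not the paper’s or AppFence’s code: blank contacts, the fixed fake location, and a per-app constructed device ID that is stable for one app but unrelated between apps. The policy table, the SHA-256 construction with a 15-digit truncation, and the sample device ID are assumptions made here.

```python
import hashlib
# Constructed sample values (not from the paper): what Android would really hand over.
REAL_DEVICE_ID = "358240051111110"                      # constructed IMEI-like ID
REAL_LOCATION = (47.653, -122.306)                      # slide 14's true location
REAL_CONTACTS = [{"name": "S. Han", "phone": "206-555-4321"}]
FAKE_LOCATION = (41.887, -87.619)                       # slide 14's fake location


def shadow_blank(_true_value):
    """Blank shadow: the app sees an empty result, e.g. an empty contacts list."""
    return []


def shadow_fake_location(_true_value):
    """Fake shadow: a fixed, plausible location that is not the user's."""
    return FAKE_LOCATION


def shadow_constructed_device_id(app_name: str, true_device_id: str) -> str:
    """Constructed shadow: hash(app name, true device ID).

    One app always gets the same ID, so logins and per-install state keep working,
    but two apps get unrelated IDs, which defeats the cross-application profiling
    by shared ad/analytics servers described on slide 9. SHA-256 and the 15-digit
    IMEI-shaped truncation are this example's choices, not the paper's.
    """
    digest = hashlib.sha256(f"{app_name}\x00{true_device_id}".encode()).hexdigest()
    return str(int(digest, 16) % 10**15).zfill(15)


# Example policy: which shadowing strategy each sensitive data type gets.
SHADOW_POLICY = {
    "contacts": lambda app, v: shadow_blank(v),
    "location": lambda app, v: shadow_fake_location(v),
    "device_id": shadow_constructed_device_id,
}


def shadow(data_type: str, app_name: str, true_value):
    """Return what `app_name` receives instead of `true_value`; types without a
    shadow rule pass through unchanged (a real deployment would fall back to
    exfiltration blocking there)."""
    rule = SHADOW_POLICY.get(data_type)
    return true_value if rule is None else rule(app_name, true_value)


if __name__ == "__main__":
    for app in ("com.example.game", "com.example.news"):
        print(app, shadow("device_id", app, REAL_DEVICE_ID))
    print(shadow("contacts", "com.example.news", REAL_CONTACTS))
```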

  15. How exfiltration blocking works [figure: the Application asks Android “Phone #?” and receives the true number (206) 555-4321; when it tries to send the number to analytics.com, the connection fails as if in airplane mode: no network available]

  16. Outline • Measurement study of sensitive data usage • AppFence: a defense against misappropriation of sensitive data • Framework for evaluating impact on user’s experience • Evaluation of AppFence on 50 applications

  17. What should we measure? • Privacy controls may cause changes in application behavior • The authors decided to measure the impact of AppFence on the user’s experience • How did they measure this? • Look for user-visible changes in application behavior: side effects • Impact on whom?

  18. An example of a side effect • We look for user-visible changes in application screenshots:

  19. Framework for measuring side effects • Automate application execution by using an Android GUI testing program • Converts a script of high-level commands (e.g. “press button,” “select from menu”) into GUI interactions • Captures a screenshot after every command • A human detects side effects by comparing screenshots taken with and without AppFence enabled • Classify applications based on the side effects observed: • None • Ads absent • Less functional • Broken

  20. How we check for side effects [screenshots: Baseline | AppFence | Diff]

  21. Side effect: none [screenshots: Baseline | AppFence | Diff]

  22. Side effect: ads absent [screenshots: Baseline | AppFence | Diff]

  23. Side effect: less functional [screenshots: Baseline | AppFence | Diff]

  24. Side effect: broken [screenshots: Baseline | AppFence | Diff]

  25. Outline • Measurement study of sensitive data usage • AppFence: a defense against misappropriation of sensitive data • Framework for evaluating impact on user’s experience • Evaluation of AppFence on 50 applications

  26. Experiments • Selected 50 apps that sent out sensitive data • Wrote execution scripts for these apps • Exercise main features and features likely to send out sensitive data • Enable one AppFence privacy control, execute all applications • Check screenshots for side effects and classify applications

  27. To reveal the most side effects: • Data shadowing of all sensitive data types • Exfiltration blocking of all types to all destinations • This imposes a policy on the app: sensitive data should never leave the device • But don’t some apps have a legitimate need to send out data? How should privacy controls be configured?

  28. Side effects shown by 50 apps • Choose the control that caused the least severe side effects for each app: 33 apps (66%) had no side effects or only ads absent • We used profiling to choose; determining this in advance is challenging • Remember, we applied a single privacy control (one or the other) to all applications • Slightly more than half of the apps ran with limited or no side effects • Data shadowing was less disruptive than exfiltration blocking

  29. So 34% of applications didn’t work? • These apps had four kinds of functionality that directly conflict with our configuration (sensitive data should never leave the device): • Location broadcast (location) • Geographic search (location) • Find friends (contacts) • Cross-application gaming profiles (device ID)

  30. When to use data shadowing • Data types such as device ID, location, phone number • Aren’t presented directly to the user • Must be transmitted off the device • Example application behaviors: • Device ID sent along with login information • Location collected at application launch

  31. When to use exfiltration blocking • Data types such as contacts, SMS, calendar • Presented to the user on the device • Don’t need to be transmitted off the device • Example application behaviors: • Selecting a contact to send a message to • Adding reminders to calendar

  32. Conclusion • AppFence breaks the power of the installation ultimatum • We revealed side effects by never allowing sensitive data to leave the device • Some apps: user must choose between functionality and privacy • Majority of apps: two privacy controls can prevent misappropriation without side effects

  33. Further Work • Extending the taint sources to include compression using java.util.zip • Extending data shadowing to offer finer-granularity controls, such as shadowing location with a nearby but less private place, e.g. the city center.

  34. Questions?
