
Detection of Illegal Control Flow in Android System: Protecting Private Data Used by Smartphone Apps

Conference paper. In: Foundations and Practice of Security (FPS 2014).

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8930)

Abstract

Today, security is a requirement for smartphone operating systems, which are used to store and handle sensitive information. However, smartphone users routinely download third-party applications that can leak personal data without user authorization. For this reason, dynamic taint analysis is used to control the manipulation of private data by third-party apps [9]. This technique, however, does not track information that propagates through control flows: untrusted applications can circumvent the Android system and obtain privacy-sensitive information through control dependencies. In this paper, we propose a hybrid approach that combines static and dynamic analysis to propagate taint along control dependencies in the Android system. To evaluate the effectiveness of our approach, we analyse 27 free Android applications. We found that 14 of these applications use control flows to transfer sensitive data, and we successfully detect that 8 of them leak private information. Our approach incurs a 19 % performance overhead, due to the propagation of taint along control flows. With this approach, it becomes possible to detect leakage of personal data through control flows.
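The distinction the abstract draws, between taint that follows data dependencies and taint that follows control dependencies, is easiest to see on a tiny interpreter. The following is an added illustration written for this page, not code from the paper or from TaintDroid. It runs a toy program under three propagation policies: `explicit` (data dependencies only), `dynamic` (assignments executed under a tainted branch condition also inherit that taint), and `hybrid` (the dynamic rule plus a static pass over the branch that taints every variable assigned in either arm, so the arm that is skipped at run time still propagates taint). The `hybrid` policy is a simplified stand-in chosen here to show why a static component is needed; it is not a reconstruction of the paper's algorithm. The sample IMEI value, the variable names and the two programs are constructed.

```python
"""Toy taint tracker over a tiny AST, contrasting three propagation policies:
   'explicit' - data dependencies only (the abstract attributes this to TaintDroid [9])
   'dynamic'  - also taint assignments executed under a tainted branch condition
   'hybrid'   - 'dynamic' plus a static pass that taints every variable assigned in
                *either* arm of a tainted branch, so a skipped arm still propagates
                taint (the under-tainting case). Simplified stand-in, not the paper's scheme."""
from dataclasses import dataclass, field

# Expressions: ('const', v) | ('var', name) | ('eq', e1, e2) | ('source', label, v)
# Statements:  ('assign', name, expr) | ('if', cond, then_block, else_block) | ('sink', expr)


def assigned_vars(block):
    """Static pass: every variable assigned anywhere in block, nested branches included."""
    names = set()
    for stmt in block:
        if stmt[0] == 'assign':
            names.add(stmt[1])
        elif stmt[0] == 'if':
            names |= assigned_vars(stmt[2]) | assigned_vars(stmt[3])
    return names


@dataclass
class Tracker:
    mode: str                                     # 'explicit', 'dynamic' or 'hybrid'
    env: dict = field(default_factory=dict)       # variable -> value
    taint: dict = field(default_factory=dict)     # variable -> set of source labels
    pc: list = field(default_factory=list)        # taint of the enclosing branch conditions
    leaks: list = field(default_factory=list)     # (value, labels) observed at sinks

    def pc_taint(self):
        return set().union(*self.pc)

    def eval(self, expr):
        kind = expr[0]
        if kind == 'const':
            return expr[1], set()
        if kind == 'var':
            return self.env.get(expr[1]), set(self.taint.get(expr[1], ()))
        if kind == 'source':                      # taint source, e.g. an IMEI getter
            return expr[2], {expr[1]}
        if kind == 'eq':
            v1, t1 = self.eval(expr[1])
            v2, t2 = self.eval(expr[2])
            return v1 == v2, t1 | t2
        raise ValueError(f'unknown expression {kind}')

    def run(self, block):
        for stmt in block:
            if stmt[0] == 'assign':
                value, labels = self.eval(stmt[2])
                if self.mode != 'explicit':
                    labels |= self.pc_taint()     # control dependency on enclosing branches
                self.env[stmt[1]] = value
                self.taint[stmt[1]] = labels
            elif stmt[0] == 'if':
                cond, labels = self.eval(stmt[1])
                if self.mode == 'hybrid' and labels:
                    # Static part: both arms depend on the condition, executed or not.
                    for name in assigned_vars(stmt[2]) | assigned_vars(stmt[3]):
                        self.taint[name] = self.taint.get(name, set()) | labels
                self.pc.append(labels if self.mode != 'explicit' else set())
                self.run(stmt[2] if cond else stmt[3])
                self.pc.pop()
            elif stmt[0] == 'sink':               # e.g. a network send
                value, labels = self.eval(stmt[1])
                if labels:
                    self.leaks.append((value, frozenset(labels)))
        return self.leaks


IMEI = 'IMEI-SAMPLE-0001'   # constructed placeholder, not a real device identifier

# Program 1: one bit of the IMEI is copied into 'hit' through a branch; there is no
# data dependency from imei to hit, so explicit tainting sees nothing at the sink.
TAKEN_BRANCH = [
    ('assign', 'imei', ('source', 'IMEI', IMEI)),
    ('assign', 'hit', ('const', 0)),
    ('if', ('eq', ('var', 'imei'), ('const', IMEI)),
        [('assign', 'hit', ('const', 1))],
        [('assign', 'hit', ('const', 0))]),
    ('sink', ('var', 'hit')),
]

# Program 2: the arm that assigns 'hit' is skipped at run time, yet 'hit' still
# reveals that imei != 'other'. Purely dynamic control-flow tainting misses this.
SKIPPED_BRANCH = [
    ('assign', 'imei', ('source', 'IMEI', IMEI)),
    ('assign', 'hit', ('const', 0)),
    ('if', ('eq', ('var', 'imei'), ('const', 'other')),
        [('assign', 'hit', ('const', 1))],
        []),
    ('sink', ('var', 'hit')),
]


def detect(mode, program):
    """Run program under the given policy and return the leaks reported at sinks."""
    return Tracker(mode).run(program)


if __name__ == '__main__':
    for name, prog in (('taken branch', TAKEN_BRANCH), ('skipped branch', SKIPPED_BRANCH)):
        for mode in ('explicit', 'dynamic', 'hybrid'):
            print(f'{name:15} {mode:9} -> {detect(mode, prog)}')
```

Running it shows the progression the abstract describes: `explicit` reports no leak for either program, `dynamic` catches the first program but not the second, and only `hybrid` reports the sink in both. The price of the static pass is visible too: it taints variables in arms that never execute, which is where a control-flow-aware tracker picks up both its extra detections and its overhead.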


References

  1. Android. http://www.android.com/

  2. dex2jar. http://code.google.com/p/dex2jar/

  3. Java Decompiler. http://jd.benow.ca/

  4. AT&T Research: Graphviz. http://www.graphviz.org/

  5. Chin, E., Felt, A.P., Greenwood, K., Wagner, D.: Analyzing inter-application communication in Android. In: Proceedings of the 9th International Conference on Mobile Systems, Applications, and Services, pp. 239–252. ACM (2011)

  6. Pendragon Software Corporation: CaffeineMark 3.0. http://www.benchmarkhq.ru/cm30/

  7. Denning, D.: Secure information flow in computer systems. Ph.D. thesis, Purdue University (1975)

  8. Egele, M., Kruegel, C., Kirda, E., Vigna, G.: PiOS: detecting privacy leaks in iOS applications. In: Proceedings of the Network and Distributed System Security Symposium (2011)

  9. Enck, W., Gilbert, P., Chun, B., Cox, L., Jung, J., McDaniel, P., Sheth, A.: TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association (2010)

  10. Fenton, J.: Memoryless subsystems. Comput. J. 17(2), 143–147 (1974)

  11. Fuchs, A.P., Chaudhuri, A., Foster, J.S.: SCanDroid: automated security certification of Android applications. Manuscript, University of Maryland (2009). http://www.cs.umd.edu/~avik/projects/scandroidascaa

  12. Graa, M., Cuppens-Boulahia, N., Cuppens, F., Cavalli, A.: Detecting control flow in smartphones: combining static and dynamic analyses. In: Xiang, Y., Lopez, J., Jay Kuo, C.-C., Zhou, W. (eds.) CSS 2012. LNCS, vol. 7672, pp. 33–47. Springer, Heidelberg (2012)

  13. Graa, M., Cuppens-Boulahia, N., Cuppens, F., Cavalli, A.: Formal characterization of illegal control flow in Android system. In: 9th International Conference on Signal Image Technology & Internet Systems (2013)

  14. Graa, M., Cuppens-Boulahia, N., Cuppens, F., Cavalli, A.: Protection against code obfuscation attacks based on control dependencies in Android systems. In: 8th International Workshop on Trustworthy Computing (2014)

  15. Hornyack, P., Han, S., Jung, J., Schechter, S., Wetherall, D.: These aren't the droids you're looking for: retrofitting Android to protect data from imperious applications. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 639–652. ACM (2011)

  16. Kang, M., McCamant, S., Poosankam, P., Song, D.: DTA++: dynamic taint analysis with targeted control-flow propagation. In: Proceedings of the 18th Annual Network and Distributed System Security Symposium, San Diego, CA (2011)

  17. van der Meulen, R., Rivera, J.: Gartner says smartphone sales accounted for 55 percent of overall mobile phone sales in third quarter of 2013 (2013). http://www.gartner.com/newsroom/id/2623415

  18. Nair, S., Simpson, P., Crispo, B., Tanenbaum, A.: A virtual machine based information flow control system for policy enforcement. Electron. Notes Theoret. Comput. Sci. 197(1), 3–16 (2008)

  19. BBC News: Google activations and downloads update, May 2013. http://www.bbc.com/news/technology-22542725

  20. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: a new approach to computer security via binary analysis. In: Information Systems Security, pp. 1–25 (2008)

  21. Wilson, T.: Many Android apps leaking private information, July 2011. http://www.informationweek.com/security/mobile/many-android-apps-leaking-private-inform/231002162

Author information

Corresponding author: Mariem Graa.


Copyright information

© 2015 Springer International Publishing Switzerland

Cite this paper

Graa, M., Cuppens-Boulahia, N., Cuppens, F., Cavalli, A. (2015). Detection of Illegal Control Flow in Android System: Protecting Private Data Used by Smartphone Apps. In: Cuppens, F., Garcia-Alfaro, J., Zincir Heywood, N., Fong, P. (eds) Foundations and Practice of Security. FPS 2014. Lecture Notes in Computer Science, vol 8930. Springer, Cham. https://doi.org/10.1007/978-3-319-17040-4_22

  • DOI: https://doi.org/10.1007/978-3-319-17040-4_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-17039-8

  • Online ISBN: 978-3-319-17040-4
