Skip to main content
SpringerLink
Log in

Efficient and Context-Aware Privacy Leakage Confinement

  • Chapter
  • First Online:
Android Application Security

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

Abstract

As Android has become the most prevalent operating system in mobile devices, privacy concerns in the Android platform are increasing. A mechanism for efficient runtime enforcement of information-flow security policies in Android apps is desirable to confine privacy leakage. The prior works towards this problem require firmware modification (i.e., modding) and incur considerable runtime overhead. Besides, no effective mechanism is in place to distinguish malicious privacy leakage from those of legitimate uses. In this paper, we take a bytecode rewriting approach. Given an unknown Android app, we selectively insert instrumentation code into the app to keep track of private information and detect leakage at runtime. To distinguish legitimate and malicious leaks, we model the user’s decisions with a context-aware policy enforcement mechanism. We have implemented a prototype called Capper and evaluated its efficacy on confining privacy-breaching apps. Our evaluation on 4723 real-world Android applications demonstrates that Capper can effectively track and mitigate privacy leaks. Moreover, after going through a series of optimizations, the instrumentation code only represents a small portion (4.48 % on average) of the entire program. The runtime overhead introduced by Capper is also minimal, merely 1.5 % for intensive data propagation.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
eBook
USD 16.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 16.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    Capper is short for Context-Aware Privacy Policy Enforcement with Re-writing.

References

  1. Enck W, Octeau D, McDaniel P, Chaudhuri S (2011) A study of Android application security. In: Proceedings of the 20th usenix security symposium, August 2011

    Google Scholar 

  2. Enck W, Gilbert P, Chun BG, Cox LP, Jung J, McDaniel P, Sheth AN (2010) TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX symposium on operating systems design and implementation (OSDI’10), October 2010

    Google Scholar 

  3. Hornyack P, Han S, Jung J, Schechter S, Wetherall D (2011) These aren’t the droids you’re looking for: retrofitting Android to protect data from imperious applications. In: Proceedings of CCS, 2011

    Google Scholar 

  4. Zhou Y, Jiang X (2012) Dissecting Android malware: characterization and evolution. In: Proceedings of the 33rd IEEE symposium on security and privacy (Oakland’12), May 2012

    Google Scholar 

  5. Zhou Y, Wang Z, Zhou W, Jiang X (2012) Hey, you, get off of my market: detecting malicious apps in official and alternative Android markets. In: Proceedings of 19th annual network and distributed system security symposium (NDSS’12), February 2012

    Google Scholar 

  6. Wu C, Zhou Y, Patel K, Liang Z, Jiang X (2014) AirBag: boosting smartphone resistance to malware infection. In: Proceedings of the 21th annual network and distributed system security symposium (NDSS’14), February 2014

    Google Scholar 

  7. Lu L, Li Z, Wu Z, Lee W, Jiang G (2012) CHEX: statically vetting Android apps for component hijacking vulnerabilities. In: Proceedings of the 2012 ACM conference on computer and communications security (CCS’12), October 2012

    Google Scholar 

  8. Gibler C, Crussell J, Erickson J, Chen H (2012) AndroidLeaks: automatically detecting potential privacy leaks in Android applications on a large scale. In: Proceedings of the 5th international conference on Trust and Trustworthy Computing, 2012

    Google Scholar 

  9. Kim J, Yoon Y, Yi K, Shin J (2012) Scandal: Static Analyzer for Detecting Privacy Leaks in Android Applications. In: Mobile Security Technologies (MoST) 2012

    Google Scholar 

  10. Mann C, Starostin A (2012) A framework for static detection of privacy leaks in Android applications. In: Proceedings of the 27th annual ACM symposium on applied computing, 2012

    Google Scholar 

  11. Yang Z, Yang M, Zhang Y, Gu G, Ning P, Wang XS (2013) AppIntent: analyzing sensitive data transmission in Android for privacy leakage detection. In: Proceedings of the 20th ACM conference on computer and communications security (CCS’13), November 2013

    Google Scholar 

  12. Ongtang M, McLaughlin S, Enck W, McDaniel P (2009) Semantically rich application-centric security in Android. In: Proceedings of ACSAC, 2009

    Google Scholar 

  13. Enck W, Ongtang M, McDaniel P (2009) On lightweight mobile phone application certification. In: Proceedings of the 16th ACM conference on computer and communications security (CCS’09), November 2009

    Google Scholar 

  14. Conti M, Nguyen VTN, Crispo B (2011) Crepe: context-related policy enforcement for Android. In: Proceedings of the 13th international conference on information security, 2011

    Google Scholar 

  15. Zhou Y, Zhang X, Jiang X, Freeh VW (2011) Taming information-stealing smartphone applications (on Android). In: Proceedings of the 4th international conference on Trust and trustworthy computing, 2011

    Google Scholar 

  16. Nauman M, Khan S, Zhang X (2010) Apex: extending Android permission model and enforcement with user-defined runtime constraints. In: Proceedings of the 5th ACM symposium on information, computer and communications security, 2010

    Google Scholar 

  17. Beresford AR, Rice A, Skehin N, Sohan R (2011) Mockdroid: trading privacy for application functionality on smartphones. In: Proceedings of the 12th workshop on mobile computing systems and applications, 2011

    Google Scholar 

  18. Lange M, Liebergeld S, Lackorzynski A, Warg A, Peter M (2011) L4Android: a generic operating system framework for secure smartphones. In: Proceedings of the 1st ACM workshop on security and privacy in smartphones and mobile devices, 2011

    Google Scholar 

  19. Andrus J, Dall C, Hof AV, Laadan O, Nieh J (2011) Cells: a virtual mobile smartphone architecture. In: Proceedings of SOSP, 2011

    Google Scholar 

  20. Shekhar S, Dietz M, Wallach DS (2012) Adsplit: separating smartphone advertising from applications. In: Proceedings of the 20th usenix security symposium, August 2012

    Google Scholar 

  21. Xu R, Sadi H, Anderson R (2012) Aurasium: practical policy enforcement for Android applications. In: Proceedings of the 21th usenix security symposium, August 2012

    Google Scholar 

  22. Livshits B, Jung J (2013) Automatic mediation of privacy-sensitive resource access in smartphone applications. In: Proceedings of the 22th usenix security symposium, 2013

    Google Scholar 

  23. Soot: A Java Optimization Framework (2016) http://www.sable.mcgill.ca/soot/

  24. Felt AP, Wang HJ, Moshchuk A, Hanna S, Chin E (2011) Permission re-delegation: attacks and defenses. In: Proceedings of the 20th USENIX security symposium, 2011

    Google Scholar 

  25. Grace M, Zhou Y, Wang Z, Jiang X (2012) Systematic detection of capability leaks in stock Android smartphones. In: Proceedings of the 19th network and distributed system security symposium, 2012

    Google Scholar 

  26. Zhou Y, Jiang X (2013) Detecting passive content leaks and pollution in Android applications. In: Proceedings of the 20th network and distributed system security symposium, 2013

    Google Scholar 

  27. Davi L, Dmitrienko A, Sadeghi AR, Winandy M (2011) Privilege escalation attacks on Android. In: Proceedings of the 13th international conference on information security, Berlin, Heidelberg, 2011

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Computer Security Department, NEC Laboratories America, Inc., Princeton, NJ, USA

    Mu Zhang

  2. University of California, Riverside, Riverside, CA, USA

    Heng Yin

Authors
  1. Mu Zhang
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Heng Yin
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2016 The Author(s)

About this chapter

Cite this chapter

Zhang, M., Yin, H. (2016). Efficient and Context-Aware Privacy Leakage Confinement. In: Android Application Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-47812-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-47812-8_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-47811-1

  • Online ISBN: 978-3-319-47812-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation