Abstract
As Android has become the most prevalent operating system in mobile devices, privacy concerns in the Android platform are increasing. A mechanism for efficient runtime enforcement of information-flow security policies in Android apps is desirable to confine privacy leakage. Prior work on this problem requires firmware modification (i.e., modding) and incurs considerable runtime overhead. Besides, no effective mechanism is in place to distinguish malicious privacy leakage from legitimate uses. In this paper, we take a bytecode rewriting approach. Given an unknown Android app, we selectively insert instrumentation code into the app to keep track of private information and detect leakage at runtime. To distinguish legitimate and malicious leaks, we model the user’s decisions with a context-aware policy enforcement mechanism. We have implemented a prototype called Capper and evaluated its efficacy on confining privacy-breaching apps. Our evaluation on 4723 real-world Android applications demonstrates that Capper can effectively track and mitigate privacy leaks. Moreover, after going through a series of optimizations, the instrumentation code represents only a small portion (4.48% on average) of the entire program. The runtime overhead introduced by Capper is also minimal, merely 1.5% for intensive data propagation.
Notes
1. Capper is short for Context-Aware Privacy Policy Enforcement with Re-writing.
Copyright information
© 2016 The Author(s)
About this chapter
Cite this chapter
Zhang, M., Yin, H. (2016). Efficient and Context-Aware Privacy Leakage Confinement. In: Android Application Security. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-47812-8_5
DOI: https://doi.org/10.1007/978-3-319-47812-8_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-47811-1
Online ISBN: 978-3-319-47812-8
eBook Packages: Computer Science, Computer Science (R0)