
AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale

  • Conference paper
Trust and Trustworthy Computing (Trust 2012)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 7344)

Abstract

As mobile devices become more widespread and powerful, they store more sensitive data, which includes not only users’ personal information but also the data collected via sensors throughout the day. When mobile applications have access to this growing amount of sensitive information, they may leak it carelessly or maliciously.

Google’s Android operating system provides a permissions-based security model that restricts an application’s access to the user’s private data. Each application statically declares the sensitive data and functionality that it requires in a manifest, which is presented to the user upon installation. However, it is not clear to the user how sensitive data is used once the application is installed. To combat this problem, we present AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually.

We evaluate the efficacy of AndroidLeaks on 24,350 Android applications from several Android markets. AndroidLeaks found 57,299 potential privacy leaks in 7,414 Android applications, out of which we have manually verified that 2,342 applications leak private data including phone information, GPS location, WiFi data, and audio recorded with the microphone. AndroidLeaks examined these applications in 30 hours, which indicates that it is capable of scaling to the increasingly large set of available applications.
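The abstract describes the core technique only at a high level: mark API calls that return private data (sources), mark API calls that move data off the device (sinks), and report the interprocedural paths between them so an auditor verifies traces instead of whole applications. The following is an added illustration of that idea, not AndroidLeaks' code and not an Android API: it runs a small flow-insensitive taint analysis over a constructed call-graph model of an app. The API names in the source and sink tables are real Android methods, but the app methods (`MainActivity.onCreate`, `Util.encode`, `Net.upload`, `Prefs.store`), their bodies, and the manifest permission set are all constructed for the example. The final permission filter is a design choice of this example (a source whose guarding permission is not declared cannot be called successfully at runtime), not a claim about how the paper's tool filters.

```python
"""Toy interprocedural taint analysis over a constructed Android-style call graph.

Added illustration, not AndroidLeaks' code: it follows private-data sources to
transmission sinks across method calls and reports one trace per source/sink pair.
"""
from collections import namedtuple

# Source APIs that return private data, with the permission guarding each one.
# (Real Android APIs; the app modelled below is constructed for this example.)
SOURCES = {
    "TelephonyManager.getDeviceId": "READ_PHONE_STATE",
    "LocationManager.getLastKnownLocation": "ACCESS_FINE_LOCATION",
    "WifiInfo.getMacAddress": "ACCESS_WIFI_STATE",
}
# Sink APIs that move data off the device.
SINKS = {"OutputStream.write", "SmsManager.sendTextMessage"}

Leak = namedtuple("Leak", "source sink trace")

# Constructed app: method -> its parameters and a straight-line body of
# (callee, result_variable_or_None, [argument_variables]) statements.
APP = {
    "MainActivity.onCreate": {"params": [], "body": [
        ("TelephonyManager.getDeviceId", "imei", []),
        ("Util.encode", "enc", ["imei"]),             # taint passes through a helper
        ("Net.upload", None, ["enc"]),                 # ... and into a network sink
        ("LocationManager.getLastKnownLocation", "loc", []),
        ("String.valueOf", "txt", ["loc"]),            # unknown library call
        ("SmsManager.sendTextMessage", None, ["txt"]),
        ("WifiInfo.getMacAddress", "mac", []),
        ("Prefs.store", None, ["mac"]),                # stays on the device: no sink
    ]},
    "Util.encode": {"params": ["s"], "body": [
        ("Base64.encodeToString", "r", ["s"]),
        ("return", None, ["r"]),
    ]},
    "Net.upload": {"params": ["data"], "body": [
        ("HttpURLConnection.getOutputStream", "out", []),
        ("OutputStream.write", None, ["out", "data"]),
        ("Net.upload", None, ["data"]),                # retry: a cycle in the call graph
    ]},
    "Prefs.store": {"params": ["v"], "body": [
        ("SharedPreferences.Editor.putString", None, ["v"]),
    ]},
}


def analyze(method, param_taint, app, in_progress, trace):
    """Analyse one call context: which sources taint each parameter.

    Returns (source labels on the return value, leaks found below this call).
    """
    key = (method, param_taint)
    if key in in_progress:            # recursive call with identical taint: nothing new
        return frozenset(), []
    in_progress.add(key)
    m = app[method]
    taint = {p: set(t) for p, t in zip(m["params"], param_taint)}
    ret_taint, leaks = set(), []
    for callee, result, args in m["body"]:
        arg_taint = set().union(*(taint.get(a, set()) for a in args))
        if callee == "return":
            ret_taint |= arg_taint
        elif callee in SOURCES:
            if result:
                taint[result] = {callee}      # fresh taint labelled with the source
        elif callee in SINKS:
            for src in sorted(arg_taint):     # every source reaching this sink is a trace
                leaks.append(Leak(src, callee, trace + [method]))
        elif callee in app:
            ctx = tuple(frozenset(taint.get(a, set())) for a in args)
            sub_ret, sub_leaks = analyze(callee, ctx, app, in_progress, trace + [method])
            leaks.extend(sub_leaks)
            if result:
                taint[result] = set(sub_ret)
        elif result:
            taint[result] = set(arg_taint)    # unknown library call: result carries argument taint
    in_progress.discard(key)
    return frozenset(ret_taint), leaks


def find_leaks(app, entry_points):
    """Run the analysis from each entry point (lifecycle callbacks take no tainted
    parameters) and collect every source-to-sink trace."""
    leaks = []
    for entry in entry_points:
        _, found = analyze(entry, (), app, set(), [])
        leaks.extend(found)
    return leaks


def reachable_leaks(leaks, declared_permissions):
    """Drop traces whose source the app cannot call: without the guarding permission
    in the manifest the source API raises SecurityException at runtime."""
    return [leak for leak in leaks if SOURCES[leak.source] in declared_permissions]


if __name__ == "__main__":
    manifest = {"INTERNET", "READ_PHONE_STATE"}   # constructed manifest: no location permission
    for leak in reachable_leaks(find_leaks(APP, ["MainActivity.onCreate"]), manifest):
        print(f"{leak.source} -> {leak.sink} via {' > '.join(leak.trace)}")
```

On the constructed app the raw analysis reports two traces (IMEI to the HTTP output stream through `Util.encode` and `Net.upload`, and the location to an SMS), while the MAC address read produces none because it never reaches a sink; the manifest filter then removes the location trace, leaving one trace for the auditor. The `in_progress` set is what keeps the retry cycle in `Net.upload` from recursing forever, which is the same class of problem any call-graph-based analysis has to handle.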



Copyright information

© 2012 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Gibler, C., Crussell, J., Erickson, J., Chen, H. (2012). AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale. In: Katzenbeisser, S., Weippl, E., Camp, L.J., Volkamer, M., Reiter, M., Zhang, X. (eds) Trust and Trustworthy Computing. Trust 2012. Lecture Notes in Computer Science, vol 7344. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-30921-2_17


  • DOI: https://doi.org/10.1007/978-3-642-30921-2_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-30920-5

  • Online ISBN: 978-3-642-30921-2
