An approach to evaluate the effectiveness of privacy  protection in Android system

doi:10.3969/j.issn.0253-2778.2014.10.009

Abstract

Abstract: To protect private data in smart phones, Android enforces a permission-based security policy. PrivacyMiner, a tool for evaluating the effectiveness of privacy protection in Android, was designed. First, 22 categories of private data in smart phones were identified, which were then checked to see if Android could efficiently protect them from malware. PrivacyMiner was applied to 12 revisions of Android source code, and it was found that 7 categories of private data were not well protected, as Malware can read them and send them out without any permission. These vulnerabilities were verified on 6 Android devices with 6 revisions of Android, from 2.1 up to 4.4.2. Our findings were confirmed by the Android Security Team from Google.

Key words: Android, privacy protection, evaluation, taint analysis, static analysis

CLC Number:

TP39

ZENG Shuke, ZHANG Yang, CHENG Liang, DENG Yi, FENG Dengguo. An approach to evaluate the effectiveness of privacy protection in Android system[J]. Journal of University of Science and Technology of China, 2014, 44(10): 853-861.

References

［1］ Apple Press Info. Apple s App Store Marks Historic 50 Billionth Download ［EB/OL］. http://www.apple.com/pr/library/2013/05/16Apples-App-Store-Marks-Historic-50-Billionth-Download.html.
［2］ There have been 900 million Android activations, 48 billion app installs to date ［EB/OL］. http://www.engadget.com/2013/05/15/900-million-android-activations/.
［3］ Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones ［C］// Proceedings of the 9th USENIX conference on Operating systems design and implementation. Berkley, USA: ACM Press. 2010, 10: 255-270.
［4］ Enck W, Octeau D, McDaniel P, et al. A study of android application security ［C］// Proceedings of the 20th USENIX conference on Security. Berkley, USA: ACM Press 2011: 21.
［5］ Orthacker C, Teufl P, Kraxberger S, et al. Android security permissions — Can we trust them? ［C］// International ICST Conference on Security and Privacy in Mobile Information and Communication Systems. Aalborg, Denmark: Springer, 2012: 40-51.
［6］ Zhou Y J, Jiang X X. Dissecting android malware: Characterization and evolution ［C］// Proceedings of the 2012 IEEE Symposium on Security and Privacy. San Francisco, USA: IEEE Press, 2012: 95-109.
［7］ Chia P H, Yamamoto Y, Asokan N. Is this app safe? A large scale study on application permissions and risk signals ［C］// Proceedings of the 21st International Conference on World Wide Web. Lyon, France: ACM Press, 2012: 311-320.
［8］ Android Company. Permissions in Android ［EB/OL］. http://developer.android.com/reference/android/Manifest.permission.html.
［9］ Felt A P, Ha E, Egelman S, et al. Android permissions: User attention, comprehension, and behavior ［C］// Proceedings of the 8th Symposium on Usable Privacy and Security. University of California, Berkeley, USA: ACM Press, 2012: Article No.3(1-14).
［10］ Lane M. Does the android permission system provide adequate information privacy protection for end-users of mobile apps? ［C］// Proceedings of the 10th Australian Information Security Management Conference. Perth, Australia: ePrint, 2012: 66-73.
［11］ Chin E. Felt A P, Greenwood K, et al. Analyzing Inter-application communication in android ［C］// Proceedings of the 9th International Conference on Mobile systems, applications, and services. Bethesda, USA: ACM Press, 2011: 239-252.
［12］ Kantola D, Chin E, He W D, et al. Reducing attack surfaces for intra-application communication in android ［C］// Proceedings of the second ACM workshop on Security and privacy in SmartPhones and Mobile Devices. Raleigh, USA: ACM Press, 2012: 69-80.
［13］ Grace M, Zhou Y J, Wang Z, et al. Systematic detection of capability leaks in stock android SmartPhones ［C］// Proceedings of the 19th Network and Distributed System Security Symposium. San Diego, USA: ACM Press, 2012.
［14］ Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale ［C］// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
［15］ Wei X T, Gomez L, Neamtiu L, et al. Permission evolution in the android ecosystem ［C］// Proceedings of the 28th Annual Computer Security Applications Conference.Orlando, USA: ACM Press, 2012: 31-40.
［16］ Barrera D, Kayacik H G, van Oorschot P C, et al. A methodology for empirical analysis of permission-based security models and its application to android ［C］// Proceedings of the 17th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2010: 73-84.
［17］ Au K W Y, Zhou Y F, Huang Z, et al. PScout: analyzing the Android permission specification ［C］// Proceedings of the 2012 ACM conference on Computer and Communications Security. Raleigh, USA: ACM Press, 2012: 217-228.
［18］ Zhou W, Zhou Y J, Jiang X X, et al. Detecting repackaged SmartPhone applications in third-party android marketplaces ［C］// Proceedings of the Second ACM Conference on Data and Application Security and Privacy. San Antonio, USA: ACM Press, 2012: 317-326.
［19］ Zhou W, Zhang X W, Jiang X X. AppInk: Watermarking android apps for repackaging deterrence ［C］// Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security. Hangzhou, China: ACM Press, 2013: 1-12.
［20］ Felt A P, Chin E, Hanna S, et ala. Android permissions demystified ［C］// Proceedings of the 18th ACM Conference on Computer and Communications Security. Chicago, USA:ACM Press, 2011: 627-638.
［21］ Chan P F, Hui C K, Yiu S M. DroidChecker: Analyzing android applications for capability leak ［C］// Proceedings of the fifth ACM Conference on Security and Privacy in Wireless and Mobile Networks. Tucson, USA: ACM Press, 2012: 125-136.
［22］ Gibler C, Crussell J, Erickson J, et al. AndroidLeaks: Automatically detecting potential privacy leaks in android applications on a large scale ［C］// Proceedings of the 5th International Conference on Trust and Trustworthy Computing. Vienna, Austria: Springer, 2012: 291-307.
［23］ Enck W, Gilbert P, Chun B, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on SmartPhones ［C］// Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation. Vancouver, Canada: USENIX Association, 2010, 10: 255-270.
［24］ Yang Z M, Yang M. Leakminer: Detect information leakage on android with static taint analysis ［C］// Third World Congress on Software Engineering. Wuhan, China: IEEE Press, 2012: 101-104.
［25］ Yan L K, Yin H. Droidscope: Seamlessly reconstructing the OS and dalvik semantic views for dynamic android malware analysis ［C］// Proceedings of the 21st USENIX Security Symposium. Berkeley, USA: USENIX Association, 2012: 29.
［26］ Yang Z M, Yang M, Zhang Y, et al. Appintent: Analyzing sensitive data transmission in android for privacy leakage detection ［C］// Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. Scottsdale, USA, ACM Press, 2013: 1 043-1 054.

[1]	. Differential privacy protection method for deep learning based on WGAN feedback [J]. Journal of University of Science and Technology of China, 2020, 50(8): 1064-1071.
[2]	WANG Fei, LENG Qing, WEI Jiuchang. Evaluation on natural disaster relief efficiency of international humanitarian organizations [J]. Journal of University of Science and Technology of China, 2019, 49(5): 412-421.
[3]	ZHAO Yajuan, LI Shaobo. Selection of tender evaluation methods based on product differentiation [J]. Journal of University of Science and Technology of China, 2018, 48(8): 683-690.
[4]	DU Xiaoping , ZHAO Kaiqi, YUAN Wei, YANG Qinghong, ZHANG Jianwei. Comprehensive evaluation of small and medium enterprises [J]. Journal of University of Science and Technology of China, 2018, 48(6): 467-476.
[5]	WEN Jiexiong, TIAN Wei, BI Quanfu, LI Xuebin, LU Detang. A new data inversion analysis method based on digital filtered pump-stop data of hydraulic fracturing [J]. Journal of University of Science and Technology of China, 2018, 48(5): 392-399.
[6]	CHEN Zhenguo, TIAN Liqin, LIN Chuang. Data reliable assurance model of Internet of Things based on the trust evaluation of perceived source [J]. Journal of University of Science and Technology of China, 2017, 47(4): 297-303.
[7]	XU Xueli, ZHAO Xuejing. Application of sparse spectral clustering algorithm in high-dimensional data [J]. Journal of University of Science and Technology of China, 2017, 47(4): 311-319.
[8]	PAN Qingxian, DONG Hongbin, HAN Qilong, WANG Yingjie, DING Rui. A computing method for attribute importance based on BP neural network [J]. Journal of University of Science and Technology of China, 2017, 47(1): 18-25.
[9]	ZHAO Yajuan. Reliability analysis of group experts and testing of evaluation outcomes [J]. Journal of University of Science and Technology of China, 2016, 46(2): 165-172.
[10]	HUANG Hui, LU Yuliang, LIU Lintao, ZHAO Jun. A research on control-flow taint information directed symbolic execution [J]. Journal of University of Science and Technology of China, 2016, 46(1): 21-27.
[11]	SHI Peibei, LIU Guiquan, WANG Zhong, WEI Bing. A hierarchical classification model for class-imbalanced data [J]. Journal of University of Science and Technology of China, 2015, 45(1): 61-68.
[12]	ZHU Qian, LI Xia. A fusion method for TH-1 images based on fast discrete curvelet transforms [J]. Journal of University of Science and Technology of China, 2013, 43(8): 639-644.
[13]	LIU Jianwei, LI Weiyu, SUN Yu. Security issues and solutions on social networks [J]. Journal of University of Science and Technology of China, 2011, 41(7): 565-575.

An approach to evaluate the effectiveness of privacy protection in Android system

PDF (PC)

Knowledge

Abstract

Cite this article

share this article

References

Related Articles 13

Recommended Articles

Metrics

Comments