These Aren’t the Droids You’re Looking For
Retrofitting Android to Protect Data from Imperious Applications
Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall
Would you install this application?
• Android permission system:
  • Permissions requested by application at install-time
  • User must grant all permissions or cancel installation
• App developers hold the power: give users an ultimatum
CCS - October 17-21, 2011
Applications can’t be trusted
• Recent academic research corroborates these findings
What is the threat?
• Android applications that misappropriate the user’s privacy-sensitive data
  • Transmit sensitive data that the user intends the application to use on-device only
  • Transmit sensitive data to third parties
Outline
• Measurement study of sensitive data usage
• AppFence: a defense against misappropriation of sensitive data
• Framework for evaluating impact on user’s experience
• Evaluation of AppFence on 50 applications
What is “sensitive data”?
• We identified 12 types of privacy-sensitive data on Android
How can we tell what apps are doing?
• TaintDroid: dynamic taint tracking for Android applications [Enck10]
    loc = getLocation();      // taint tag applied
    ...
    loc_copy = loc;           // taint propagated
    ...
    network_send(loc_copy);   // checked for taint
  (example taken from William Enck, OSDI ’10)
• Apps can’t transform, obfuscate or encrypt data to remove taint
• We enhanced TaintDroid: added tracking for all 12 data types
Gives us runtime detection of sensitive data transmission for unmodified apps
Our study of sensitive data usage
• We performed an extensive study of sensitive data usage by Android apps
  • 110 popular free apps from Android Market
  • Selected to cover all 12 sensitive data types
  • Manually executed each app for ~5 minutes
  • Used TaintDroid to measure types of sensitive data sent out and destinations sent to
Do apps need my sensitive data?
What we found for location data (110 apps):
[Diagram: Android → Application → Third parties, flow labelled “Location?”; counts shown: 73 apps, 30 apps, 45 apps]
Of these 30 apps, 28 sent location only to third parties!
Appears that some apps use sensitive data only for the purpose of sharing it with third parties
Could they be tracking me?
What we found for unique device IDs (110 apps):
[Diagram: Android → Application → Third parties, flow labelled “Device ID?”; counts shown: 83 apps, 14 apps, 31 apps]
Just 3 third party destinations: mobclix, flurry, greystripe
Multiple apps send device ID to the same third parties: the risk of cross-application profiling is real
What else do apps misappropriate?
• Two apps sent out the user’s phone number for no apparent reason except tracking
    Host: mobile.dilbert.com
    Cookie: pn=12067084513; im=310410118469136
• Call blocking app sent out user’s entire contacts book, then asked user to opt-in [screenshot: Mr. Number]
Sensitive data intended only for on-device use may be sent off the device
How can we defend against these apps?
• Threat: applications may misappropriate users’ sensitive data
• We have a tool, TaintDroid, that can monitor unmodified applications at runtime
• Can we do something simple to unmodified applications to defend against this threat?
Our system: AppFence
AppFence uses two privacy controls
• Two complementary privacy controls:
  • Shadowing: app doesn’t get sensitive data at all
  • Blocking: app gets sensitive data, but can’t send it out
[Diagram: Android → Unmodified Application → External servers; data shadowing sits where sensitive data enters the application, exfiltration blocking sits where it would leave for external servers]
How data shadowing works
[Diagram: the unmodified application asks Android “Phone #?” and forwards the answer to analytics.com. Without data shadowing: Android returns the real number (206) 555-4321 and analytics.com receives it. With data shadowing: Android returns shadow data (123) 456-7890, and that is all analytics.com receives]
Three kinds of shadow data
• Blank data
  • e.g. contacts: {S. Han, 206-555-4321} → {}
• Fake data
  • e.g. location: {47.653,-122.306} → {41.887,-87.619}
• Constructed data
  • e.g. device ID = hash(app name, true device ID)
  • Consistent for each application, but different across applications
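The three shadow kinds in working form, as an added Python example that is not AppFence’s own code: the contacts, locations and device ID are constructed sample values, and truncating the hash to 16 hex characters (the Android ID length) is my assumption.

```python
import hashlib

# Constructed sample values (not real user data); the two locations are the ones on the slide.
TRUE_CONTACTS = {"S. Han": "206-555-4321"}
TRUE_LOCATION = (47.653, -122.306)
FAKE_LOCATION = (41.887, -87.619)


def blank_shadow():
    """Blank data: the app gets an empty result, e.g. an empty contacts book."""
    return {}


def fake_shadow():
    """Fake data: a plausible but wrong value, here a fixed fake location."""
    return FAKE_LOCATION


def constructed_device_id(app_name, true_device_id):
    """Constructed data: device ID = hash(app name, true device ID).

    Stable for one app across runs, but different for every app, so two apps
    that send it to the same ad network cannot be joined into one profile.
    Truncating to 16 hex chars (the Android ID length) is my assumption.
    """
    material = f"{app_name}\x00{true_device_id}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def shadow(data_type, app_name, true_value):
    """Return the shadow value an app would see for a sensitive data type."""
    if data_type == "contacts":
        return blank_shadow()
    if data_type == "location":
        return fake_shadow()
    if data_type == "device_id":
        return constructed_device_id(app_name, true_value)
    raise ValueError(f"no shadow rule for {data_type}")


def cross_app_linkable(app_a, app_b, true_device_id):
    """True if a third party receiving both apps' shadowed IDs could link them."""
    return shadow("device_id", app_a, true_device_id) == shadow("device_id", app_b, true_device_id)


if __name__ == "__main__":
    did = "0123456789abcdef"  # constructed true Android ID
    for app in ("game1", "game2"):
        print(app, shadow("device_id", app, did))
    print(shadow("contacts", "callblocker", TRUE_CONTACTS), shadow("location", "weather", TRUE_LOCATION))
```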
How exfiltration blocking works
[Diagram: the unmodified application asks Android “Phone #?” and in both cases receives the real number (206) 555-4321. Without exfiltration blocking: the app sends it to analytics.com. With exfiltration blocking: the send fails as if in airplane mode (no network available)]
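The taint-tracking snippet from the TaintDroid slide and the exfiltration blocking just shown, together as one added Python simulation (not TaintDroid or AppFence code): a Tainted wrapper carries taint tags through copies, concatenation, base64 and hashing, and a stub network layer checks the tags at send time and fails like airplane mode when a blocked type would leave the device. The data sources, destinations and values are constructed.

```python
import base64
import hashlib

class Tainted:
    """A value carrying TaintDroid-style taint tags (the sensitive types it came from).
    Tags survive copying, concatenation, encoding and hashing, so an app cannot
    launder the data past the check at the network boundary."""
    def __init__(self, value, tags=()):
        self.value = value
        self.tags = frozenset(tags)

    def concat(self, other):
        other_value, other_tags = unwrap(other)
        return Tainted(self.value + other_value, self.tags | other_tags)

    def b64(self):
        return Tainted(base64.b64encode(self.value.encode()).decode(), self.tags)

    def sha1(self):
        return Tainted(hashlib.sha1(self.value.encode()).hexdigest(), self.tags)

def unwrap(x):
    """Split a value into (plain value, tags); untainted strings carry no tags."""
    return (x.value, x.tags) if isinstance(x, Tainted) else (x, frozenset())

# Constructed data sources; the real system applies the tag inside the framework API.
def get_location():
    return Tainted("47.653,-122.306", {"location"})

def get_device_id():
    return Tainted("0123456789abcdef", {"device_id"})

class Network:
    """Outbound network stub with exfiltration blocking. block_types are the sensitive
    types that must never leave the device; a blocked send looks to the app like
    airplane mode, and every attempt is logged for the defender."""
    def __init__(self, block_types):
        self.block_types = frozenset(block_types)
        self.log = []  # (destination, tags, action)

    def send(self, dest, data):
        value, tags = unwrap(data)
        if tags & self.block_types:
            self.log.append((dest, tags, "blocked"))
            raise ConnectionError("airplane mode: no network available")
        self.log.append((dest, tags, "sent"))
        return len(value)

def report(net):
    """Runtime detection: which sensitive types the app tried to send to which host."""
    return sorted({(dest, tag) for dest, tags, _ in net.log for tag in tags})
```

Blocking every type to every destination, as in the evaluation configuration later in the deck, is `Network(["location", "device_id", ...])` with all 12 types listed.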
What should we measure?
• Privacy controls may cause changes in application behavior
• We decided to measure the impact of AppFence on the user’s experience
• How can we measure this?
  • Look for user-visible changes in application behavior: side effects
An example of a side effect
• We look for user-visible changes in application screenshots: [screenshots]
Framework for measuring side effects
• Automate application execution by using an Android GUI testing program
  • Converts a script of high-level commands (e.g. “press button,” “select from menu”) into GUI interactions
  • Captures a screenshot after every command
• A human detects side effects by comparing screenshots taken with and without AppFence enabled
How we check for side effects
[Screenshots: Baseline | AppFence | Diff]
Classifying applications
• We classified each application based on the side effects observed:
  • None
  • Ads absent
  • Less functional
  • Broken
Side effect: none [Screenshots: Baseline | AppFence | Diff]
Side effect: ads absent [Screenshots: Baseline | AppFence | Diff]
Side effect: less functional [Screenshots: Baseline | AppFence | Diff]
Side effect: broken [Screenshots: Baseline | AppFence | Diff]
Experiments
• Selected 50 apps that sent out sensitive data
• Wrote execution scripts for these apps
  • Exercise main features and features likely to send out sensitive data (average 24 commands)
• Enable one AppFence privacy control, execute all applications (~3 hours computer time)
• Check screenshots for side effects and classify applications (~30 minutes human time)
How did we configure privacy controls?
• To reveal the most side effects:
  • Data shadowing of all sensitive data types
  • Exfiltration blocking of all types to all destinations
• This imposes a policy on the app: sensitive data should never leave the device
• But don’t some apps have a legitimate need to send out data?
Side effects shown by 50 apps
• Remember, we applied a single privacy control (one or the other) to all applications
• Slightly more than half of the apps ran with limited or no side effects
• Data shadowing was less disruptive than exfiltration blocking
• Choose the control that caused the least-severe side effects for each app: 33 apps (66%) had no side effects or ads absent
  • We used profiling to choose; determining in advance is challenging
So 34% of applications didn’t work?
• These apps had four kinds of functionality that directly conflict with our configuration (sensitive data should never leave the device):
  • Location broadcast (location)
  • Geographic search (location)
  • Find friends (contacts)
  • Cross-application gaming profiles (device ID)
What does this mean for AppFence?
• Some applications force the user to choose between functionality and privacy
  • Protecting sensitive data will always cause side effects for these applications
• Remaining apps: AppFence can prevent misappropriation without side effects
• Choosing the least-disruptive privacy control in advance is still an open problem
  • Each control was less disruptive for certain sensitive data types
When to use data shadowing
• Data types such as device ID, location, phone number
  • Aren’t presented directly to the user
  • Must be transmitted off the device
• Example application behaviors:
  • Device ID sent along with login information
  • Location collected at application launch
When to use exfiltration blocking
• Data types such as contacts, SMS, calendar
  • Presented to the user on the device
  • Don’t need to be transmitted off the device
• Example application behaviors:
  • Selecting a contact to send a message to
  • Adding reminders to calendar
Conclusion
• AppFence breaks the power of the installation ultimatum
• We revealed side effects by never allowing sensitive data to leave the device
  • Some apps: user must choose between functionality and privacy
  • Majority of apps: two privacy controls can prevent misappropriation without side effects
Questions?
Source code and execution scripts available at: appfence.org