
TaintDroid : An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

TaintDroid : An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. 20104458 황동욱 20107093 최영재. Table of contents. Introduction to TaintDroid Android Architecture Dynamic Taint Analysis Performance & Findings Summary. Threat in privacy info.

seth

Presentation Transcript


  1. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones 20104458 황동욱 20107093 최영재

  2. Table of contents • Introduction to TaintDroid • Android Architecture • Dynamic Taint Analysis • Performance & Findings • Summary

  3. Threat in privacy info. Is your private info. safe?

  4. Problem

  5. Problem (cont’d) • Current policy for private info. in Mobile-phone OS • Coarse-grained controls • Only regulate whether an application can access private information • No insight into how private information is actually used • Blindly trust that applications will handle their private data in proper way • Solution • Privacy data monitoring tools for smartphone • Monitor applications’ behavior to determine whether privacy sensitive information leaves the phone with the assumption that downloaded third-party applications are not trusted

  6. Introduction to TaintDroid

  7. Introduction to TaintDroid • Simple scenario • You have a lovely dog and it likes to walk around • How would you keep track of where it is and prevent it from getting lost? • Simple solution • Put a ring/tag/sensor around its collar so it can be traced

  8. Introduction to TaintDroid • Analogous solution for mobile-phone OS • [Diagram labels: Taint source, Taint propagation, Taint sink]

  9. Introduction to TaintDroid • Automatically labels (taints) data from privacy-sensitive sources and applies labels as sensitive data propagates through program variables, files, and IPC. • Challenges • Smartphones are resource constrained • Third-party applications are entrusted with several types of privacy-sensitive information • Context-based privacy information is dynamic and can be difficult to identify even when sent in the clear • Applications can share information

  10. Architecture of Android

  11. Dalvik virtual machine • Optimized for low memory requirements • Designed to run multiple VM instances efficiently • Relies on the Linux kernel for low-level management and threading • Executes Dalvik Executable (DEX) files • Each process has its own VM • App code runs in isolation • [Figure: Java VM pipeline (Java Source Code, Java Byte Code, Java VM) compared with Dalvik VM pipeline (Java Source Code, Java Byte Code, Dalvik Byte Code, Dalvik Executable, Dalvik VM)]

  12. Binder IPC • Component-based processing and IPC framework • Passes parcel messages • [Figure: App. A and App. B in the application layer exchanging parcel messages through Binder IPC in the kernel; labels: A’s features, B’s features, Image Scroller, Call]

  13. Dynamic Taint Analysis • Tracks information dependencies from an origin • Taint source • Sensitive info is identified and tagged • Taint propagation • Tracks possible “taints” of other data • Taint sink • Identifies when potentially sensitive data is leaked • Example:

      c = source()
      ...
      a = b + c
      ...
      network_send(a)

  14. Sensitive Data • Sources • Sensors: location, microphone, camera, accelerometer, etc. • Database: address book, SMS storage, etc. • Phone ID: IMEI, phone #, SIM card ID • Indirect source: files or messages from other applications • Sinks • Direct: network interface • Indirect: file or message to other applications

  15. Sensitive Data • How does tainted data propagate? • Inside each application • Usually stays inside VM • Can escape VM via native methods • Between applications • File sharing • Message communication

  16. Tracking Taint Progression

  17. Taint Tags • Taint tags • a taint bit-vector stored with variables • propagated along with variables • Local variables and arguments • taint tags are stored adjacent to variables on the internal execution stack • needs double sized stacks • Arrays, Files, Messages • one taint tag per array/file/msg • minimizes overhead • but more false positives

  18. Challenge: Resource Constraint • TaintDroid • gives up instruction-level tracking • tracks data flow only, not control flows • coarse granularity • uses one tag per array/file/msg • higher false positive rate
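
The storage and propagation rules from slides 13, 17 and 18, as an added example that is not TaintDroid's own code or part of the original slides: values and tags interleaved on a double-sized frame, OR-propagation on arithmetic, and a single tag per array. The tag bit values, register layout and function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Taint tag bit-vector; these bit assignments are constructed for the example. */
#define TAINT_LOCATION 0x1u
#define TAINT_IMEI     0x2u
#define NREGS 4

/* Interleaved frame: register r's value lives at [2r] and its taint tag at
   [2r+1], which is why the execution stack doubles in size. */
static uint32_t frame[2 * NREGS];
#define VAL(r) frame[2 * (r)]
#define TAG(r) frame[2 * (r) + 1]

/* Arrays carry one tag shared by every element. */
struct tarray { uint32_t tag; uint32_t data[4]; };

/* Taint source (or plain constant when tag is 0). */
static void load(int d, uint32_t v, uint32_t tag) { VAL(d) = v; TAG(d) = tag; }
/* d = a + b: the result tag is the union of the operand tags. */
static void op_add(int d, int a, int b) { VAL(d) = VAL(a) + VAL(b); TAG(d) = TAG(a) | TAG(b); }
/* arr[i] = s: the array tag absorbs the stored value's tag. */
static void op_aput(struct tarray *arr, int i, int s) { arr->data[i] = VAL(s); arr->tag |= TAG(s); }
/* d = arr[i]: any element read inherits the whole array's tag. */
static void op_aget(int d, const struct tarray *arr, int i) { VAL(d) = arr->data[i]; TAG(d) = arr->tag; }
/* Taint sink: returns the tags that would leave the device (0 means clean). */
static uint32_t sink_network_send(int r) { return TAG(r); }

/* Slide 13's flow: c = source(); a = b + c; network_send(a). */
uint32_t demo_direct_flow(void) {
    load(0, 7, 0);               /* b, untainted */
    load(1, 1234, TAINT_IMEI);   /* c = source() */
    op_add(2, 0, 1);             /* a = b + c */
    return sink_network_send(2);
}

/* Coarse granularity: element 3 never held location data, yet it is flagged. */
uint32_t demo_array_false_positive(void) {
    struct tarray arr = { 0, {10, 20, 30, 40} };
    load(0, 99, TAINT_LOCATION);
    op_aput(&arr, 0, 0);         /* only arr[0] receives tainted data */
    op_aget(1, &arr, 3);         /* read a clean element */
    return sink_network_send(1);
}

int main(void) {
    printf("direct flow tags at sink:   0x%x\n", (unsigned)demo_direct_flow());
    printf("clean element tags at sink: 0x%x\n", (unsigned)demo_array_false_positive());
    return 0;
}
```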

  19. Performance • Memory overhead: 4.4% • IPC overhead: 27% • Macro-benchmark: • App load: 3% (2ms) • Address book: (< 20 ms) 5.5% create, 18% read • Phone call: 10% (10ms) • Take picture: 29% (0.5s)

  20. Application Study • Selected 30 applications, with a bias toward popularity and access to location, camera, microphone and phone IDs

  21. Findings – Phone Information • 21 applications require permission to read phone state • 2 apps send phone number, IMSI, SIM card ID to their server • one application transmits the phone information every time the phone boots, before using the app even once

  22. Findings – Phone Identifiers • 9 applications sent IMEI and 7 did so without informing the user • Only 2 used IMEI in a legitimate way • One app’s EULA indicated the IMEI was sent • Another app sent the hash of the IMEI • Appeared to be sent to app developers ...

  23. Findings – Location Info • 15 of the 30 applications shared physical location with an ad server without user consent • admob.com, ad.qwapi.com, ads.mobclix.com, data.flurry.com • 3 of the applications used location data only to retrieve localized data at the request of the user • Most traffic was plaintext (e.g., AdMob HTTP GET)

  24. Findings – Summary • Of 105 flagged connections, only 37 clearly legitimate • Half of the applications shared user location data with ad servers • One third of the applications exposed important phone information • No false positives with TaintDroid

  25. Summary • TaintDroid provides efficient, system-wide, dynamic taint tracking and analysis for Android • Monitors app behavior to determine when privacy sensitive information leaves the phone • Future investigations • Provide direct feedback to users • Potential for real-time enforcement • Integration with expert rating systems
