TRANSCRIPT
© 2011 Peter Hornyack
These Aren’t the Droids You’re Looking For
Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall
Retrofitting Android to Protect Data from Imperious Applications
© 2011 Peter HornyackCCS - October 17-21, 2011 2
Would you install this application?
Android permission system: permissions are requested by the application at install-time; the user must grant all permissions or cancel the installation
App developers hold the power: give users an ultimatum
Applications can’t be trusted
Recent academic research corroborates these findings
What is the threat?
Android applications that misappropriate the user’s privacy-sensitive data:
Transmit sensitive data that the user intends the application to use on-device only
Transmit sensitive data to third parties
Outline
Measurement study of sensitive data usage
AppFence: a defense against misappropriation of sensitive data
Framework for evaluating impact on user’s experience
Evaluation of AppFence on 50 applications
What is “sensitive data”?
We identified 12 types of privacy-sensitive data on Android:
device id
location
phone number
contacts
camera
accounts
logs
microphone
SMS messages
history & bookmarks
calendar
subscribed feeds
How can we tell what apps are doing?
TaintDroid: dynamic taint tracking for Android applications [Enck10]
loc = getLocation();       // taint tag applied
...
loc_copy = loc;            // taint propagated
...
network_send(loc_copy);    // checked for taint
(example taken from William Enck, OSDI’10)
Gives us runtime detection of sensitive data transmission for unmodified apps
Apps can’t transform, obfuscate or encrypt data to remove taint
We enhanced TaintDroid: added tracking for all 12 data types
Our study of sensitive data usage
We performed an extensive study of sensitive data usage by Android apps: 110 popular free apps from Android Market, selected to cover all 12 sensitive data types
Manually executed each app for ~5 minutes
Used TaintDroid to measure the types of sensitive data sent out and the destinations they were sent to
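The study's raw output is a set of runtime observations of the form "app X sent data type Y to host Z". The following is an added example (not the study's code or data) of how such observations are turned into the kinds of counts reported on the next slides: how many apps send a data type at all, how many send it to third parties, how many send it only to third parties, and which third-party hosts collect the same data type from several apps (the cross-application profiling risk). The records and the per-app list of first-party hosts are constructed here; a real run would take them from TaintDroid logs and from the app's own domains.

```python
"""Aggregate TaintDroid-style exfiltration records the way the study does.

Added example, not the study's code. Input records are (app, data type, destination
host) triples; which hosts count as first party for an app is an assumption supplied
in FIRST_PARTY.
"""
from collections import defaultdict

# Constructed sample records: (app, sensitive data type, destination host).
RECORDS = [
    ("weather", "location", "api.weather.example"),
    ("weather", "location", "ads.adnet.example"),
    ("flashlight", "location", "ads.adnet.example"),
    ("flashlight", "device_id", "ads.adnet.example"),
    ("news", "device_id", "analytics.metrics.example"),
    ("news", "device_id", "cdn.news.example"),
    ("game", "device_id", "ads.adnet.example"),
    ("game", "device_id", "analytics.metrics.example"),
    ("comics", "phone_number", "mobile.comics.example"),
]

# Constructed mapping from app to the hosts it legitimately owns (assumption).
FIRST_PARTY = {
    "weather": {"api.weather.example"},
    "flashlight": set(),
    "news": {"cdn.news.example"},
    "game": set(),
    "comics": {"mobile.comics.example"},
}


def is_third_party(app, host):
    """A destination is third party unless the app declares it as its own."""
    return host not in FIRST_PARTY.get(app, set())


def summarize(records, data_type):
    """Return (apps sending the type, apps sending it to any third party,
    apps sending it only to third parties)."""
    dests = defaultdict(set)
    for app, dtype, host in records:
        if dtype == data_type:
            dests[app].add(host)
    senders = len(dests)
    third = sum(any(is_third_party(a, h) for h in hs) for a, hs in dests.items())
    only_third = sum(all(is_third_party(a, h) for h in hs) for a, hs in dests.items())
    return senders, third, only_third


def shared_third_party_sinks(records, data_type):
    """Third-party hosts that receive `data_type` from more than one app.
    A host on this list can link the same device across those apps."""
    apps_by_host = defaultdict(set)
    for app, dtype, host in records:
        if dtype == data_type and is_third_party(app, host):
            apps_by_host[host].add(app)
    return {h: sorted(a) for h, a in apps_by_host.items() if len(a) > 1}


if __name__ == "__main__":
    for dtype in ("location", "device_id", "phone_number"):
        print(dtype, summarize(RECORDS, dtype))
    print(shared_third_party_sinks(RECORDS, "device_id"))
```

On the constructed records, two apps send location, both to a third party, and one of them sends it nowhere else; for device IDs, two ad and analytics hosts each receive the identifier from more than one app.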
Do apps need my sensitive data?
What we found for location data (110 apps):
[Diagram: Android -> Application -> Third parties; labels in slide order: “Location?”, 73 apps, 45 apps, 30 apps]
Of these 30 apps, 28 sent location only to third parties!
Appears that some apps use sensitive data only for the purpose of sharing with third parties
Could they be tracking me?
What we found for unique device IDs (110 apps):
[Diagram: Android -> Application -> Third parties; labels in slide order: “Device ID?”, 83 apps, 31 apps, 14 apps]
Just 3 third party destinations: mobclix, flurry, greystripe
Multiple apps send device ID to the same third parties: the risk of cross-application profiling is real
What else do apps misappropriate?
Two apps sent out the user’s phone number for no apparent reason except tracking:
Host: mobile.dilbert.com
Cookie: pn=12067084513; im=310410118469136
Call blocking app (Mr. Number) sent out the user’s entire contacts book, then asked the user to opt-in
Sensitive data intended only for on-device use may be sent off the device
How can we defend against these apps?
Threat: applications may misappropriate users’ sensitive data
We have a tool, TaintDroid, that can monitor unmodified applications at runtime
Can we do something simple to unmodified applications to defend against this threat?
Our system: AppFence
AppFence uses two privacy controls
Two complementary privacy controls:
Shadowing: app doesn’t get sensitive data at all
Blocking: app gets sensitive data, but can’t send it out
[Diagram: sensitive data flows from Android into the unmodified application, where data shadowing applies, and from the application to external servers, where exfiltration blocking applies]
How data shadowing works
Without data shadowing: the unmodified application asks Android for the phone number, receives the true value (206) 555-4321, and sends it to analytics.com
With data shadowing: Android answers with shadow data, (123) 456-7890, and that is what the application sends to analytics.com
Three kinds of shadow data
Blank data, e.g. contacts: {S. Han, 206-555-4321} becomes {}
Fake data, e.g. location: {47.653,-122.306} becomes {41.887,-87.619}
Constructed data, e.g. device ID = hash(app name, true device ID): consistent for each application, but different across applications
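The three kinds of shadow data can be produced by a small dispatch layer that sits where Android would hand the true value to the app. The following is an added example, not AppFence's code: the constructed device ID follows the slide's hash(app name, true device ID); the fake location reuses the slide's example point; the 16-hex-character output length, the length-prefixed hash input and the function names are assumptions. Unknown data types raise rather than falling through, so a policy that forgets a type fails closed instead of leaking the true value.

```python
"""Produce blank, fake and constructed shadow data for an app.

Added example, not AppFence's code. shadow_device_id follows the slide's
hash(app name, true device ID); output length and names are assumptions.
"""
import hashlib

# Fixed fake location taken from the slide's example; any fixed point works.
FAKE_LOCATION = (41.887, -87.619)


def shadow_contacts(_true_contacts):
    """Blank data: the app sees an empty contact list."""
    return []


def shadow_location(_true_location):
    """Fake data: a fixed location unrelated to the true one."""
    return FAKE_LOCATION


def shadow_device_id(app_name, true_device_id):
    """Constructed data: stable for one app, different across apps, and not
    reversible to the true ID. The app name is length-prefixed so that two
    different (app, id) pairs cannot produce the same hash input."""
    material = f"{len(app_name)}:{app_name}:{true_device_id}".encode()
    return hashlib.sha256(material).hexdigest()[:16]


def shadow(data_type, app_name, true_value):
    """Return the shadow value an app should receive for a data type."""
    if data_type == "contacts":
        return shadow_contacts(true_value)
    if data_type == "location":
        return shadow_location(true_value)
    if data_type == "device_id":
        return shadow_device_id(app_name, true_value)
    # Fail closed: a type with no shadow defined must not leak the true value.
    raise ValueError(f"no shadow defined for data type {data_type!r}")


if __name__ == "__main__":
    real_id = "123456789012345"  # constructed sample, not a real device
    print(shadow("device_id", "com.example.weather", real_id))
    print(shadow("device_id", "com.example.game", real_id))
    print(shadow("location", "com.example.weather", (47.653, -122.306)))
    print(shadow("contacts", "com.example.weather", [("S. Han", "206-555-4321")]))
```

Two apps on the same device therefore see two unrelated identifiers, which is what defeats the cross-application profiling seen in the measurement study, while each app still sees a value that does not change between runs.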
How exfiltration blocking works
Without exfiltration blocking: the unmodified application asks Android for the phone number, receives (206) 555-4321, and sends it to analytics.com
With exfiltration blocking: the application still receives (206) 555-4321, but its attempt to send it to analytics.com fails as in airplane mode: no network available
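Exfiltration blocking is only as good as the taint check at the network sink, which in turn rests on the TaintDroid property described earlier: the taint label survives copying, concatenation, hashing and encoding. The following added example (not TaintDroid's or AppFence's code) models both pieces in one place: values carry a set of data-type labels, every operation on a labelled value yields a labelled result, and the network sink either records what would have left the device (the monitoring mode used in the measurement study) or fails as if there were no network (the blocking mode). The source values, the transformations and all names are assumptions for the illustration.

```python
"""Toy model of taint propagation with an AppFence-style blocking network sink.

Added example, not TaintDroid's or AppFence's code. Taint is a set of data-type
labels carried next to a value; the sink checks the labels, not the bytes.
"""
import base64
import hashlib


class Tainted:
    """A value plus the set of sensitive data types it was derived from."""

    def __init__(self, value, taint):
        self.value = value
        self.taint = frozenset(taint)


def taint_of(x):
    return x.taint if isinstance(x, Tainted) else frozenset()


def raw(x):
    return x.value if isinstance(x, Tainted) else x


def lift(fn, *args):
    """Apply fn to the raw values; the result carries the union of all argument taints."""
    result = fn(*(raw(a) for a in args))
    taint = frozenset().union(*(taint_of(a) for a in args))
    return Tainted(result, taint) if taint else result


# Sources: stand-ins for Android APIs, returning labelled values (constructed samples).
def get_location():
    return Tainted("47.653,-122.306", {"location"})


def get_device_id():
    return Tainted("123456789012345", {"device_id"})


# Transformations an app might apply before sending; none of them removes taint.
def concat(a, b):
    return lift(lambda x, y: x + y, a, b)


def sha256_hex(s):
    return lift(lambda x: hashlib.sha256(x.encode()).hexdigest(), s)


def b64(s):
    return lift(lambda x: base64.b64encode(x.encode()).decode(), s)


class NetworkUnavailable(Exception):
    """What the app observes in blocking mode: the same error as airplane mode."""


class Network:
    """Network sink. block=False records tainted sends; block=True refuses them."""

    def __init__(self, block=False):
        self.block = block
        self.log = []  # (destination, sorted tuple of data types that would have left)

    def send(self, destination, payload):
        labels = taint_of(payload)
        if labels:
            self.log.append((destination, tuple(sorted(labels))))
            if self.block:
                raise NetworkUnavailable(destination)
        return "sent"


if __name__ == "__main__":
    # The app hashes and base64-encodes a location+device-ID string before sending.
    payload = b64(sha256_hex(concat(get_location(), get_device_id())))
    monitor = Network(block=False)
    print(monitor.send("analytics.example", payload), monitor.log)
    blocker = Network(block=True)
    try:
        blocker.send("analytics.example", payload)
    except NetworkUnavailable as e:
        print("blocked send to", e)
```

Untainted traffic (the app's own strings, server responses it re-sends) passes the sink unchanged in both modes, which is why blocking can be enabled for a whole app without touching its ordinary networking.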
What should we measure?
Privacy controls may cause changes in application behavior
We decided to measure the impact of AppFence on the user’s experience
How can we measure this? Look for user-visible changes in application behavior: side effects
An example of a side effect
We look for user-visible changes in application screenshots:
Framework for measuring side effects
Automate application execution by using an Android GUI testing program: it converts a script of high-level commands (e.g. “press button,” “select from menu”) into GUI interactions and captures a screenshot after every command
A human detects side effects by comparing screenshots taken with and without AppFence enabled
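The human comparison step can be narrowed by diffing each baseline screenshot against its AppFence counterpart first, so the reviewer is shown only the pairs that differ and where on the screen they differ. The following is an added example of that triage, not the paper's framework: screenshots are modelled as 2-D lists of grayscale pixel values constructed inline rather than real image files, and the tolerance, the review threshold and the function names are assumptions.

```python
"""Flag candidate side effects by diffing baseline and AppFence screenshots.

Added example, not the paper's framework. A screenshot is a list of rows of
grayscale pixel values (0-255); real images would be decoded into the same shape.
"""


def diff_mask(baseline, candidate, tolerance=0):
    """Per-pixel mask: True where the two screenshots differ by more than tolerance."""
    if len(baseline) != len(candidate) or any(
        len(r) != len(s) for r, s in zip(baseline, candidate)
    ):
        raise ValueError("screenshots must have identical dimensions")
    return [[abs(p - q) > tolerance for p, q in zip(r, s)]
            for r, s in zip(baseline, candidate)]


def changed_fraction(mask):
    """Fraction of pixels that differ."""
    total = sum(len(r) for r in mask)
    return sum(v for r in mask for v in r) / total if total else 0.0


def bounding_box(mask):
    """(top, left, bottom, right) enclosing all differing pixels, or None if identical."""
    rows = [i for i, r in enumerate(mask) if any(r)]
    cols = [j for r in mask for j, v in enumerate(r) if v]
    if not rows:
        return None
    return min(rows), min(cols), max(rows), max(cols)


def needs_review(baseline, candidate, min_fraction=0.01):
    """Triage one screenshot pair: None when nothing visible changed, otherwise the
    changed fraction and the region a human should look at."""
    mask = diff_mask(baseline, candidate)
    frac = changed_fraction(mask)
    if frac < min_fraction:
        return None
    return {"fraction": round(frac, 3), "box": bounding_box(mask)}


# Constructed 6x8 "screenshots": with AppFence the bottom row, where a banner ad
# was drawn in the baseline, is blank (same value as the background).
BASELINE = [[200] * 8 for _ in range(5)] + [[30] * 8]
WITH_APPFENCE = [[200] * 8 for _ in range(5)] + [[200] * 8]

if __name__ == "__main__":
    print(needs_review(BASELINE, BASELINE))
    print(needs_review(BASELINE, WITH_APPFENCE))
```

The result only says where to look; deciding whether the change is a missing ad, lost functionality or a broken app remains the human classification step described on the following slides.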
How we check for side effects
[Screenshots compared side by side: Baseline | AppFence | Diff]
Classifying applications
We classified each application based on the side effects observed: None, Ads absent, Less functional, Broken
Side effect: none [example screenshots: Baseline | AppFence | Diff]
Side effect: ads absent [example screenshots: Baseline | AppFence | Diff]
Side effect: less functional [example screenshots: Baseline | AppFence | Diff]
Side effect: broken [example screenshots: Baseline | AppFence | Diff]
Experiments
Selected 50 apps that sent out sensitive data
Wrote execution scripts for these apps: exercise main features and features likely to send out sensitive data (average 24 commands)
Enable one AppFence privacy control, execute all applications (~3 hours computer time)
Check screenshots for side effects and classify applications (~30 minutes human time)
How did we configure privacy controls?
To reveal the most side effects: data shadowing of all sensitive data types; exfiltration blocking of all types to all destinations
This imposes a policy on the app: sensitive data should never leave the device
But don’t some apps have a legitimate need to send out data?
Side effects shown by 50 apps
                   Data shadowing   Exfiltration blocking   Choose least-disruptive
None               28 (56%)         16 (32%)                30 (60%)
Ads absent          0 (0%)          11 (22%)                 3 (6%)
Less functional    14 (28%)         10 (20%)                11 (22%)
Broken              8 (16%)         13 (26%)                 6 (12%)
Remember, we applied a single privacy control (one or the other) to all applications
Slightly more than half of the apps ran with limited or no side effects
Data shadowing was less disruptive than exfiltration blocking
Choose the control that caused the least-severe side effects for each app: 33 apps (66%) had no side effects or ads absent
We used profiling to choose; determining in advance is challenging
So 34% of applications didn’t work?
These apps had four kinds of functionality that directly conflict with our configuration (sensitive data should never leave the device):
Location broadcast (location)
Geographic search (location)
Find friends (contacts)
Cross-application gaming profiles (device ID)
What does this mean for AppFence?
Some applications force the user to choose between functionality and privacy; protecting sensitive data will always cause side effects for these applications
Remaining apps: AppFence can prevent misappropriation without side effects
Choosing the least-disruptive privacy control in advance is still an open problem; each control was less disruptive for certain sensitive data types
When to use data shadowing
Data types such as device ID, location, phone number: aren’t presented directly to the user; must be transmitted off the device
Example application behaviors: device ID sent along with login information; location collected at application launch
When to use exfiltration blocking
Data types such as contacts, SMS, calendar: presented to the user on the device; don’t need to be transmitted off the device
Example application behaviors: selecting a contact to send a message to; adding reminders to the calendar
Conclusion
AppFence breaks the power of the installation ultimatum
We revealed side effects by never allowing sensitive data to leave the device
Some apps: user must choose between functionality and privacy
Majority of apps: two privacy controls can prevent misappropriation without side effects
Questions?
Source code and execution scripts available at:
appfence.org