© 2011 Peter Hornyack These Aren’t the Droids You’re Looking For Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall Retrofitting Android to Protect Data from Imperious Applications


Page 1

© 2011 Peter Hornyack

These Aren’t the Droids You’re Looking For

Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall

Retrofitting Android to Protect Data from Imperious Applications

Page 2

CCS - October 17-21, 2011

Would you install this application?

Android permission system:
Permissions requested by application at install-time
User must grant all permissions or cancel installation

App developers hold the power: give users an ultimatum

Page 3

Applications can’t be trusted

Recent academic research corroborates these findings

Page 4

What is the threat?

Android applications that misappropriate the user’s privacy-sensitive data
Transmit sensitive data that the user intends application to use on-device only
Transmit sensitive data to third parties

Page 5

Outline

Measurement study of sensitive data usage

AppFence: a defense against misappropriation of sensitive data

Framework for evaluating impact on user’s experience

Evaluation of AppFence on 50 applications

Page 6

What is “sensitive data”?

device id

location

phone number

contacts

camera

accounts

logs

microphone

SMS messages

history & bookmarks

calendar

subscribed feeds

We identified 12 types of privacy-sensitive data on Android

Page 7

How can we tell what apps are doing?

    loc = getLocation();        // taint tag applied
    ...
    loc_copy = loc;             // taint propagated
    ...
    network_send(loc_copy);     // checked for taint

TaintDroid: dynamic taint tracking for Android applications [Enck10]

Gives us runtime detection of sensitive data transmission for unmodified apps

Apps can’t transform, obfuscate or encrypt data to remove taint

We enhanced TaintDroid: added tracking for all 12 data types

(example taken from William Enck OSDI’10)

Page 8

Our study of sensitive data usage

We performed an extensive study of sensitive data usage by Android apps
110 popular free apps from Android Market
Selected to cover all 12 sensitive data types
Manually executed each app for ~5 minutes
Used TaintDroid to measure types of sensitive data sent out and destinations sent to

Page 9

Do apps need my sensitive data?

What we found for location data (110 apps):

[figure: "Location?" flow from Android to Application to Third parties, labelled 73 apps, 45 apps and 30 apps]

Of these 30 apps, 28 sent location only to third parties!

Appears that some apps use sensitive data only for purpose of sharing with third parties

Page 10

Could they be tracking me?

What we found for unique device IDs (110 apps):

[figure: "Device ID?" flow from Android to Application to Third parties, labelled 83 apps, 31 apps and 14 apps]

Just 3 third party destinations: mobclix, flurry, greystripe

Multiple apps send device ID to same third parties: risk of cross-application profiling is real

Page 11

What else do apps misappropriate?

Two apps sent out the user’s phone number for no apparent reason except tracking

Call blocking app sent out user’s entire contacts book, then asked user to opt-in

Host: mobile.dilbert.com
Cookie: pn=12067084513; im=310410118469136

Sensitive data intended only for on-device use may be sent off the device

Mr. Number

Page 12

Outline

Measurement study of sensitive data usage

AppFence: a defense against misappropriation of sensitive data

Framework for evaluating impact on user’s experience

Evaluation of AppFence on 50 applications

Page 13

How can we defend against these apps?

Threat: applications may misappropriate users’ sensitive data

We have a tool, TaintDroid, that can monitor unmodified applications at runtime

Can we do something simple to unmodified applications to defend against this threat?

Our system: AppFence

Page 14

AppFence uses two privacy controls

Two complementary privacy controls:
Shadowing: app doesn’t get sensitive data at all
Blocking: app gets sensitive data, but can’t send it out

[figure: Unmodified Application sits between Android and External servers; Sensitive data flows from Android into the application (Data shadowing) and from the application to External servers (Exfiltration blocking)]

Page 15

How data shadowing works

[figure: Without data shadowing, the Unmodified Application asks Android "Phone #?", receives (206) 555-4321 and forwards (206) 555-4321 to analytics.com. With data shadowing, Android answers with shadow data (123) 456-7890, and (123) 456-7890 is what reaches analytics.com]

Page 16

Three kinds of shadow data

Blank data, e.g. contacts: {S. Han, 206-555-4321} → {}

Fake data, e.g. location: {47.653,-122.306} → {41.887,-87.619}

Constructed data, e.g. device ID = hash(app name, true device ID)
Consistent for each application, but different across applications
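The three shadow-data strategies above, as an added example that is not AppFence's own code (the real system patches the Android framework; this is a small Python model of the decision it makes). The app names, the SHA-256 construction truncated to 15 digits, and the sample true values are assumptions made for this example; what the model shows is the property the slide states: a constructed device ID is stable for one app and differs between apps, while the true ID is never exposed to a shadowed app.

```python
import hashlib
from typing import Dict, List, Set, Tuple

# True values a device would hold (constructed sample data, following the slide's examples).
TRUE_CONTACTS: List[Dict[str, str]] = [{"name": "S. Han", "phone": "206-555-4321"}]
TRUE_LOCATION: Tuple[float, float] = (47.653, -122.306)
TRUE_DEVICE_ID = "000000000000001"  # constructed stand-in for a real device ID

FAKE_LOCATION: Tuple[float, float] = (41.887, -87.619)  # the fixed fake location on the slide


def blank_contacts() -> List[Dict[str, str]]:
    """Blank shadow: the app sees an empty contacts book."""
    return []


def fake_location() -> Tuple[float, float]:
    """Fake shadow: the app sees a plausible but wrong location."""
    return FAKE_LOCATION


def constructed_device_id(app_name: str, true_id: str = TRUE_DEVICE_ID) -> str:
    """Constructed shadow: a per-app device ID derived from hash(app name, true device ID).

    SHA-256 reduced to 15 decimal digits is an assumption of this example; the property that
    matters is that the output is stable for one app and different for another.
    """
    digest = hashlib.sha256(f"{app_name}\x00{true_id}".encode()).digest()
    return str(int.from_bytes(digest, "big") % 10**15).zfill(15)


class ShadowingProvider:
    """Serves each app either its true data or shadow data, decided per data type."""

    def __init__(self, shadowed: Dict[str, Set[str]]) -> None:
        # app name -> set of data types ("contacts", "location", "device_id") to shadow
        self.shadowed = shadowed

    def _is_shadowed(self, app: str, data_type: str) -> bool:
        return data_type in self.shadowed.get(app, set())

    def contacts(self, app: str) -> List[Dict[str, str]]:
        return blank_contacts() if self._is_shadowed(app, "contacts") else list(TRUE_CONTACTS)

    def location(self, app: str) -> Tuple[float, float]:
        return fake_location() if self._is_shadowed(app, "location") else TRUE_LOCATION

    def device_id(self, app: str) -> str:
        return constructed_device_id(app) if self._is_shadowed(app, "device_id") else TRUE_DEVICE_ID


def demo() -> Dict[str, object]:
    """Three hypothetical apps with different shadowing configurations."""
    provider = ShadowingProvider({
        "com.example.game": {"device_id", "location"},
        "com.example.adsdk": {"device_id", "contacts"},
        "com.example.trusted": set(),
    })
    return {
        "game_id": provider.device_id("com.example.game"),
        "game_id_again": provider.device_id("com.example.game"),
        "adsdk_id": provider.device_id("com.example.adsdk"),
        "trusted_id": provider.device_id("com.example.trusted"),
        "game_location": provider.location("com.example.game"),
        "adsdk_contacts": provider.contacts("com.example.adsdk"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the constructed ID is keyed by app name, the two third-party destinations that receive it from different apps cannot join their records, which is the cross-application profiling risk the measurement study found.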

Page 17

How exfiltration blocking works

[figure: Without exfiltration blocking, the Unmodified Application asks Android "Phone #?", receives (206) 555-4321 and sends it to analytics.com. With exfiltration blocking, the application still receives (206) 555-4321, but the send to analytics.com fails as in airplane mode: no network available]
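An added example, not TaintDroid or AppFence code, that models the two pieces the slides rely on: the taint-tag propagation from page 7 (tag applied at the source, carried through copies and transformations, checked at the network sink) and the exfiltration-blocking sink from this page. TaintDroid does this inside the Dalvik interpreter; here a small Python `Tainted` wrapper does it explicitly. The hostname `analytics.example`, the function names, the constructed device ID and the `mode` switch are assumptions of this example; the 12 taint flags are the data types listed on page 6.

```python
import base64
from dataclasses import dataclass
from enum import Flag, auto
from typing import Callable, List, Optional, Tuple


class Taint(Flag):
    """One flag per privacy-sensitive data type from the slides (12 types)."""
    NONE = 0
    DEVICE_ID = auto()
    LOCATION = auto()
    PHONE_NUMBER = auto()
    CONTACTS = auto()
    CAMERA = auto()
    ACCOUNTS = auto()
    LOGS = auto()
    MICROPHONE = auto()
    SMS = auto()
    HISTORY_BOOKMARKS = auto()
    CALENDAR = auto()
    SUBSCRIBED_FEEDS = auto()


@dataclass(frozen=True)
class Tainted:
    """A value carrying the union of the taint tags of everything it was derived from."""
    value: str
    taint: Taint = Taint.NONE


def taint_names(taint: Taint) -> List[str]:
    """Human-readable list of the data types present in a taint mask."""
    return sorted(m.name for m in Taint if m.value and m in taint)


# --- sources: the platform attaches the tag when it hands data to the app ---
def get_location() -> Tainted:
    return Tainted("47.653,-122.306", Taint.LOCATION)  # sample coordinates from the slides


def get_device_id() -> Tainted:
    return Tainted("000000000000001", Taint.DEVICE_ID)  # constructed sample value


# --- propagation: anything computed from tainted input stays tainted ---
def concat(a: Tainted, b: Tainted) -> Tainted:
    return Tainted(a.value + b.value, a.taint | b.taint)


def transform(t: Tainted, fn: Callable[[str], str]) -> Tainted:
    """Encoding, obfuscating or encrypting a value keeps its tag; the app cannot launder it."""
    return Tainted(fn(t.value), t.taint)


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# --- sink: the network write is where the tag is checked ---
def network_send(dest: str, payload: Tainted, mode: str = "monitor",
                 log: Optional[List[Tuple[str, List[str]]]] = None) -> bool:
    """Return True if the send goes through.

    mode="monitor": measurement as in the study, record (destination, data types) and let it pass.
    mode="block":   exfiltration blocking, a tainted payload fails as if the network were
                    unavailable (the slide's airplane mode); untainted traffic is unaffected.
    """
    names = taint_names(payload.taint)
    if mode == "monitor":
        if names and log is not None:
            log.append((dest, names))
        return True
    if mode == "block":
        return not names
    raise ValueError(f"unknown mode {mode!r}")


def demo() -> Tuple[List[Tuple[str, List[str]]], bool, bool]:
    """Build an analytics beacon from location and device ID, then send it in both modes."""
    beacon = concat(Tainted("loc="), get_location())
    beacon = concat(beacon, concat(Tainted("&id="), get_device_id()))
    beacon = transform(beacon, b64)  # base64 obfuscation does not strip the tags
    log: List[Tuple[str, List[str]]] = []
    passed = network_send("analytics.example", beacon, mode="monitor", log=log)
    blocked = network_send("analytics.example", beacon, mode="block")
    return log, passed, blocked


if __name__ == "__main__":
    print(demo())
```

The monitor log is the kind of record the measurement study built (which data types went to which destination), and the block mode shows why the slides describe the app's view of blocking as airplane mode: the app's untainted requests still succeed, only writes carrying tagged data fail.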

Page 18

Outline

Measurement study of sensitive data usage

AppFence: a defense against misappropriation of sensitive data

Framework for evaluating impact on user’s experience

Evaluation of AppFence on 50 applications

Page 19

What should we measure?

Privacy controls may cause changes in application behavior

We decided to measure the impact of AppFence on the user’s experience

How can we measure this? Look for user-visible changes in application behavior: side effects

Page 20

An example of a side effect

We look for user-visible changes in application screenshots:

Page 21

Framework for measuring side effects

Automate application execution by using an Android GUI testing program
Converts a script of high-level commands (e.g. “press button,” “select from menu”) into GUI interactions
Captures screenshot after every command

A human detects side effects by comparing screenshots taken with and without AppFence enabled

Page 22

How we check for side effects

[screenshots: Baseline | AppFence | Diff]

Page 23

Classifying applications

We classified each application based on the side effects observed:
None
Ads absent
Less functional
Broken

Page 24

Side effect: none

[screenshots: Baseline | AppFence | Diff]

Page 25

Side effect: ads absent

[screenshots: Baseline | AppFence | Diff]

Page 26

Side effect: less functional

[screenshots: Baseline | AppFence | Diff]

Page 27

Side effect: broken

[screenshots: Baseline | AppFence | Diff]

Page 28

Outline

Measurement study of sensitive data usage

AppFence: a defense against misappropriation of sensitive data

Framework for evaluating impact on user’s experience

Evaluation of AppFence on 50 applications

Page 29

Experiments

Selected 50 apps that sent out sensitive data

Wrote execution scripts for these apps: exercise main features and features likely to send out sensitive data (average 24 commands)

Enable one AppFence privacy control, execute all applications (~3 hours computer time)

Check screenshots for side effects and classify applications (~30 minutes human time)

Page 30

How did we configure privacy controls?

To reveal the most side effects:
Data shadowing of all sensitive data types
Exfiltration blocking of all types to all destinations

This imposes a policy on the app: sensitive data should never leave the device

But don’t some apps have legitimate need to send out data?

Page 31

Side effects shown by 50 apps

Side effect     | Data shadowing | Exfiltration blocking | Choose least-disruptive
None            | 28 (56%)       | 16 (32%)              | 30 (60%)
Ads absent      | 0 (0%)         | 11 (22%)              | 3 (6%)
Less functional | 14 (28%)       | 10 (20%)              | 11 (22%)
Broken          | 8 (16%)        | 13 (26%)              | 6 (12%)

Remember, we applied a single privacy control (one or the other) to all applications

Slightly more than half of the apps ran with limited or no side effects

Data shadowing was less disruptive than exfiltration blocking

Choose the control that caused least-severe side effects for each app: 33 apps (66%) had no side effects or ads absent

We used profiling to choose; determining in advance is challenging
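The per-app choice behind the "Choose least-disruptive" column, as an added example that is not part of the original slides: given a profiling result for each app under each control, pick the control with the less severe side effect and tally the outcome. The six app names and their classifications are constructed for this example (they are not the 50 apps from the study), and breaking ties in favour of data shadowing is an assumption, chosen because the slides found shadowing less disruptive overall.

```python
from collections import Counter
from typing import Dict, Tuple

# Severity order from the slides, least to most disruptive.
SEVERITY = ["None", "Ads absent", "Less functional", "Broken"]
RANK = {name: i for i, name in enumerate(SEVERITY)}

# Constructed profiling results: app -> (side effect under shadowing, side effect under blocking).
PROFILES: Dict[str, Tuple[str, str]] = {
    "app01": ("None", "Ads absent"),
    "app02": ("Broken", "None"),
    "app03": ("Less functional", "Broken"),
    "app04": ("Less functional", "Ads absent"),
    "app05": ("Broken", "Broken"),
    "app06": ("None", "None"),
}


def least_disruptive(shadowing: str, blocking: str) -> Tuple[str, str]:
    """Return (chosen control, resulting side effect); ties go to shadowing (assumption)."""
    if RANK[blocking] < RANK[shadowing]:
        return "blocking", blocking
    return "shadowing", shadowing


def summarize(profiles: Dict[str, Tuple[str, str]]) -> Tuple[Dict[str, Tuple[str, str]], Dict[str, int], int]:
    """Per-app choice, tally of resulting side effects, and how many apps end up acceptable
    (no side effects or only ads absent), mirroring the slide's 33-of-50 figure."""
    choice = {app: least_disruptive(*pair) for app, pair in profiles.items()}
    tally = Counter(effect for _, effect in choice.values())
    acceptable = tally["None"] + tally["Ads absent"]
    return choice, dict(tally), acceptable


if __name__ == "__main__":
    chosen, counts, ok = summarize(PROFILES)
    for app, (control, effect) in chosen.items():
        print(f"{app}: {control} -> {effect}")
    print(counts, f"{ok}/{len(PROFILES)} acceptable")
```

The point the slide makes survives in the code: the choice needs both profiling runs per app as input, so it cannot be made from the app's permission list alone.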

Page 32

So 34% of applications didn’t work?

These apps had four kinds of functionality that directly conflict with our configuration (sensitive data should never leave the device):
Location broadcast (location)
Geographic search (location)
Find friends (contacts)
Cross-application gaming profiles (device ID)

Page 33

What does this mean for AppFence?

Some applications force the user to choose between functionality and privacy
Protecting sensitive data will always cause side effects for these applications

Remaining apps: AppFence can prevent misappropriation without side effects
Choosing the least-disruptive privacy control in advance is still an open problem
Each control was less disruptive for certain sensitive data types

Page 34

When to use data shadowing

Data types such as device ID, location, phone number:
Aren’t presented directly to the user
Must be transmitted off the device

Example application behaviors:
Device ID sent along with login information
Location collected at application launch

Page 35

When to use exfiltration blocking

Data types such as contacts, SMS, calendar:
Presented to the user on the device
Don’t need to be transmitted off the device

Example application behaviors:
Selecting a contact to send a message to
Adding reminders to calendar

Page 36

Conclusion

AppFence breaks the power of the installation ultimatum

We revealed side effects by never allowing sensitive data to leave the device

Some apps: user must choose between functionality and privacy

Majority of apps: two privacy controls can prevent misappropriation without side effects

Page 37

Questions?

Source code and execution scripts available at:

appfence.org
