You Shouldn't Collect My Secrets: Thwarting Sensitive Keystroke Leakage in Mobile IME Apps

IME (input method editor) apps are the primary means of interaction on mobile touch screen devices and thus are usually granted with access to a wealth of private user input. In order to understand the (in)security of mobile IME apps, this paper first performs a systematic study and uncovers that many IME apps may (intentionally or unintentionally) leak users' sensitive data to the outside world (mainly due to the incentives of improving the user's experience). To thwart the threat of sensitive information leakage while retaining the benefits of an improved user experience, this paper then proposes I-BOX, an app-transparent oblivious sandbox that minimizes sensitive input leakage by confining untrusted IME apps to predefined security policies. Several key challenges have to be addressed due to the proprietary and closed-source nature of most IME apps and the fact that an IME app can arbitrarily store and transform user input before sending it out. By designing system-level transactional execution, I-BOX works seamlessly and transparently with IME apps. Specifically, I-BOX first checkpoints an IME app's state before the first keystroke of an input, monitors and analyzes the user's input, and rolls back the state to the checkpoint if it detects the potential danger that sensitive input may be leaked. A proof of concept I-BOX prototype has been built for Android and tested with a set of popular IME apps. Experimental results show that I-BOX is able to thwart the leakage of sensitive input for untrusted IME apps, while incurring very small runtime overhead and little impact on user experience.

[1]  William Enck,et al.  AppsPlayground: automatic security analysis of smartphone applications , 2013, CODASPY.

[2]  Angelos D. Keromytis,et al.  Using Rescue Points to Navigate Software Recovery (Short Paper) , 2007 .

[3]  Vitaly Shmatikov,et al.  TxBox: Building Secure, Efficient Sandboxes with System Transactions , 2011, 2011 IEEE Symposium on Security and Privacy.

[4]  Xinwen Zhang,et al.  Apex: extending Android permission model and enforcement with user-defined runtime constraints , 2010, ASIACCS '10.

[5]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[6]  Bennet S. Yee,et al.  Native Client: A Sandbox for Portable, Untrusted x86 Native Code , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[7]  Yutao Liu,et al.  Architecture support for guest-transparent VM protection from untrusted hypervisor and physical attacks , 2013, 2013 IEEE 19th International Symposium on High Performance Computer Architecture (HPCA).

[8]  Hao Chen,et al.  Investigating User Privacy in Android Ad Libraries , 2012 .

[9]  Yajin Zhou,et al.  Taming Information-Stealing Smartphone Applications (on Android) , 2011, TRUST.

[10]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[11]  Yajin Zhou,et al.  Systematic Detection of Capability Leaks in Stock Android Smartphones , 2012, NDSS.

[12]  Saman A. Zonouz,et al.  RESeED: Regular Expression Search over Encrypted Data in the Cloud , 2014, 2014 IEEE 7th International Conference on Cloud Computing.

[13]  Christopher Krügel,et al.  PiOS: Detecting Privacy Leaks in iOS Applications , 2011, NDSS.

[14]  Yajin Zhou,et al.  Dissecting Android Malware: Characterization and Evolution , 2012, 2012 IEEE Symposium on Security and Privacy.

[15]  Hao Chen,et al.  TouchLogger: Inferring Keystrokes on Touch Screen from Smartphone Motion , 2011, HotSec.

[16]  Bi Wu,et al.  SpanDex: Secure Password Tracking for Android , 2014, USENIX Security Symposium.

[17]  Zhuoqing Morley Mao,et al.  AppProfiler: a flexible method of exposing privacy-related behavior in android applications to end users , 2013, CODASPY.

[18]  Yajin Zhou,et al.  Detecting Passive Content Leaks and Pollution in Android Applications , 2013, NDSS.

[19]  Yajin Zhou,et al.  Detecting repackaged smartphone applications in third-party android marketplaces , 2012, CODASPY '12.

[20]  Haibo Chen,et al.  CloudVisor: retrofitting protection of virtual machines in multi-tenant cloud with nested virtualization , 2011, SOSP.

[21]  Bryan Ford,et al.  Vx32: Lightweight User-level Sandboxing on the x86 , 2008, USENIX Annual Technical Conference.

[22]  Norman Hardy,et al.  The Confused Deputy: (or why capabilities might have been invented) , 1988, OPSR.

[23]  Vitaly Shmatikov,et al.  πBox: A Platform for Privacy-Preserving Apps , 2013 .

[24]  Timothy Fraser,et al.  Hardening COTS software with generic software wrappers , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[25]  Xi Wang,et al.  Intrusion Recovery Using Selective Re-execution , 2010, OSDI.

[26]  Nickolai Zeldovich,et al.  Practical and Effective Sandboxing for Non-root Users , 2013, USENIX ATC.

[27]  Yutao Liu,et al.  TinMan: eliminating confidential mobile data exposure with security oriented offloading , 2015, EuroSys.

[28]  Liviu Iftode,et al.  Enforcing authorization policies using transactional memory introspection , 2008, CCS.

[29]  Saman A. Zonouz,et al.  RESeED: A Tool for Regular Expression Search over Encrypted Data in Cloud Storage , 2014, 2014 14th IEEE/ACM International Symposium on Cluster, Cloud and Grid Computing.

[30]  Kevin Borders,et al.  Protecting Confidential Data on Personal Computers with Storage Capsules , 2009, USENIX Security Symposium.

[31]  Landon P. Cox,et al.  ScreenPass: secure password entry on touchscreen devices , 2013, MobiSys '13.

[32]  Rui Wang,et al.  Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow , 2010, 2010 IEEE Symposium on Security and Privacy.

[33]  Byung-Gon Chun,et al.  TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones , 2014, Commun. ACM.

[34]  Adam J. Aviv,et al.  Practicality of accelerometer side channels on smartphones , 2012, ACSAC '12.

[35]  Hao Chen,et al.  AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale , 2012, TRUST.

[36]  Ross J. Anderson,et al.  Aurasium: Practical Policy Enforcement for Android Applications , 2012, USENIX Security Symposium.

[37]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[38]  Tao Xie,et al.  AppContext: Differentiating Malicious and Benign Mobile App Behaviors Using Context , 2015, 2015 IEEE/ACM 37th IEEE International Conference on Software Engineering.

[39]  Jason Nieh,et al.  Transparent Checkpoint-Restart of Multiple Processes on Commodity Operating Systems , 2007, USENIX Annual Technical Conference.

[40]  David A. Wagner,et al.  Analyzing inter-application communication in Android , 2011, MobiSys '11.

[41]  Ian Goldberg,et al.  A Secure Environment for Untrusted Helper Applications ( Confining the Wily Hacker ) , 1996 .

[42]  Angelos D. Keromytis,et al.  Using Rescue Points to Navigate Software Recovery , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[43]  Ahmad-Reza Sadeghi,et al.  Towards Taming Privilege-Escalation Attacks on Android , 2012, NDSS.

[44]  Donald E. Porter,et al.  Operating System Transactions , 2009, SOSP '09.

[45]  Rajesh Krishna Balan,et al.  The case for mobile forensics of private data leaks: towards large-scale user-oriented privacy protection , 2013, APSys.