Burn After Reading: Expunging Execution Footprints of Android Apps

Mobile apps nowadays consume and produce a mass of sensitive data. In response, a wide variety of privacy protection techniques and tools have been proposed as mobile users' privacy concerns escalate. However, only a few privacy protection schemes consider how to thoroughly erase the runtime information of an app after its execution. Various traceable vestiges, called execution footprints, are retained by the device and could be used to steal or infer the user's private information. We argue that a mobile operating system should not only establish sound isolation between different apps but also provide a fine-grained execution footprint expunging mechanism, so that an app can be used confidentially. To achieve this goal, we design and implement Mist, a modified Android OS that generates fine-grained data-expunging policies. Mist is a lightweight ephemeral container that requires no specialized hardware or operating mode and is securely disposed of after the app is used. Inside this container, Mist persistently tracks every piece of data generated by the app and deletes it both during and after the execution. Experiments on 200 apps show that execution footprints are still neglected by the Android OS even after the app is removed. With the expunging mechanism Mist provides, those footprints are erased to guarantee a private and confidential execution.
