Comparing Mobile Privacy Protection through Cross-Platform Applications

With the rapid growth of the mobile market, the security of mobile platforms is receiving increasing attention from both the research community and the public. In this paper, we make the first attempt to establish a baseline for security comparison between the two most popular mobile platforms. We investigate applications that run on both Android and iOS and examine the difference in the usage of their security-sensitive APIs (SS-APIs). Our analysis of over 2,600 applications shows that iOS applications consistently access more SS-APIs than their counterparts on Android. The additional privileges gained on iOS are often associated with accessing private resources such as device ID, camera, and users’ contacts. A possible explanation for this difference in SS-API usage is that privileges obtained by an application on the current iOS platform are invisible to end users. Our analysis shows that: 1) third-party libraries (specifically advertising and analytic libraries) on iOS invoke more SS-APIs than those on Android; 2) Android application developers avoid requesting unnecessary privileges, which would be shown in the permission list during application installation. Considering that an Android application may gain additional privileges through privilege-escalation attacks, and that iOS provides a more restricted privilege set accessible to third-party applications, our results do not necessarily imply that Android provides better privacy protection than iOS. However, our evidence suggests that Apple’s application vetting process may not be as effective as Android’s privilege notification mechanism, particularly in protecting sensitive resources from third-party applications.
