Automating Privacy Testing of Smartphone Applications

Smartphones have revolutionized mobile computing, but have created concerns that many third-party mobile applications do not properly handle users’ privacy-sensitive data. In this paper, we propose AppInspector, an automated privacy validation system that analyzes apps and generates reports of potential privacy risks. A key insight is that distinguishing acceptable disclosures from privacy violations often requires analyzing the context in which data is transmitted. Just knowing that sensitive data has left a device is insufficient. We describe our vision for making smartphone apps more secure through automated testing and outline key challenges such as detecting and analyzing privacy violations, ensuring thorough test coverage, and scaling to large numbers of apps.
