PrivacyGuard: A VPN-based Platform to Detect Information Leakage on Android Devices

More and more people rely on mobile devices to access the Internet, which also increases the amount of private information that can be gathered from people's devices. Although today's smartphone operating systems are trying to provide a secure environment, they fail to provide users with adequate control over and visibility into how third-party applications use their private data. Whereas there are a few tools that alert users when applications leak private information, these tools are often hard to use by the average user or have other problems. To address these problems, we present PrivacyGuard, an open-source VPN-based platform for intercepting the network traffic of applications. PrivacyGuard requires neither root permissions nor any knowledge about VPN technology from its users. PrivacyGuard does not significantly increase the trusted computing base since PrivacyGuard runs in its entirety on the local device and traffic is not routed through a remote VPN server. We implement PrivacyGuard on the Android platform by taking advantage of the VPNService class provided by the Android SDK. PrivacyGuard is configurable, extensible, and useful for many different purposes. We investigate its use for detecting the leakage of multiple types of sensitive data, such as a phone's IMEI number or location data. PrivacyGuard also supports modifying the leaked information and replacing it with crafted data for privacy protection. According to our experiments, PrivacyGuard can detect more leakage incidents by applications and advertisement libraries than TaintDroid. We also demonstrate that PrivacyGuard has reasonable overhead on network performance and almost no overhead on battery consumption.

[1]  Marco Gruteser,et al.  A Field Study of Run-Time Location Access Disclosures on Android Smartphones , 2014 .

[2]  Hao Chen,et al.  RetroSkeleton: retrofitting android apps , 2013, MobiSys '13.

[3]  Todd D. Millstein,et al.  Dr. Android and Mr. Hide: fine-grained permissions in android applications , 2012, SPSM '12.

[4]  Seungyeop Han,et al.  These aren't the droids you're looking for: retrofitting android to protect data from imperious applications , 2011, CCS '11.

[5]  Michael D. Ernst,et al.  Collaborative Verification of Information Flow for a High-Assurance App Store , 2014, Software Engineering & Management.

[6]  Byung-Gon Chun,et al.  TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones , 2014, Commun. ACM.

[7]  Daniel Zappala,et al.  TLS Proxies: Friend or Foe? , 2014, Internet Measurement Conference.

[8]  Kang G. Shin,et al.  Location Privacy Protection for Smartphone Users , 2014, CCS.

[9]  Zhen Huang,et al.  Short paper: a look at smartphone permission models , 2011, SPSM '11.

[10]  Christopher Krügel,et al.  EdgeMiner: Automatically Detecting Implicit Control Flow Transitions through the Android Framework , 2015, NDSS.

[11]  Daniel Zappala,et al.  POSTER: TLS Proxies: Friend or Foe? , 2014, CCS.

[12]  Jacques Klein,et al.  FlowDroid: precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps , 2014, PLDI.

[13]  Suman Nath,et al.  PUMA: programmable UI-automation for large-scale dynamic analysis of mobile apps , 2014, MobiSys.

[14]  Roksana Boreli,et al.  On the effectiveness of dynamic taint analysis for protecting against private information leaks on Android-based devices , 2013, 2013 International Conference on Security and Cryptography (SECRYPT).

[15]  Julia Rubin,et al.  A Bayesian Approach to Privacy Enforcement in Smartphones , 2014, USENIX Security Symposium.

[16]  Michael Backes,et al.  AppGuard - Enforcing User Requirements on Android Apps , 2013, TACAS.

[17]  Arnaud Legout,et al.  ReCon: Revealing and Controlling Privacy Leaks in Mobile Network Traffic , 2015, ArXiv.

[18]  Arnaud Legout,et al.  ReCon: Revealing and Controlling PII Leaks in Mobile Network Traffic , 2015, MobiSys.

[19]  Emiliano De Cristofaro,et al.  Danger is my middle name: experimenting with SSL vulnerabilities in Android apps , 2015, WISEC.

[20]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[21]  Zhen Huang,et al.  PScout: analyzing the Android permission specification , 2012, CCS.

[22]  Lorrie Faith Cranor,et al.  Your Location has been Shared 5,398 Times!: A Field Study on Mobile App Privacy Nudging , 2015, CHI.