50 Ways to Leak Your Data: An Exploration of Apps' Circumvention of the Android Permissions System

Modern smartphone platforms implement permission-based models to protect access to sensitive data and system resources. However, apps can circumvent the permission model and gain access to protected data without user consent by using both covert and side channels. Side channels present in the implementation of the permission system allow apps to access protected data and system resources without permission, whereas covert channels enable communication between two colluding apps so that one app can share its permission-protected data with another app lacking those permissions. Both pose threats to user privacy. In this work, we make use of our infrastructure that runs hundreds of thousands of apps in an instrumented environment. This testing environment includes mechanisms to monitor apps' runtime behaviour and network traffic. We look for evidence of side and covert channels being used in practice by searching for sensitive data sent over the network that the sending app did not have permission to access. We then reverse engineer the apps and third-party libraries responsible for this behaviour to determine how the unauthorized access occurred. We also use software fingerprinting methods to measure the static prevalence of the technique that we discover among other apps in our corpus. Using this testing environment and method, we uncovered a number of side and covert channels in active use by hundreds of popular apps and third-party SDKs to obtain unauthorized access to both unique identifiers and geolocation data. We have responsibly disclosed our findings to Google and have received a bug bounty for our work.
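The network-side check the abstract describes (sensitive data leaving an app that lacks the guarding permission), as an added Python example; it is not the authors' tooling. The permission map, the encodings searched, and all app names, hosts and device values are constructed assumptions.

```python
import base64
import hashlib

# Assumption: simplified map of data type -> permissions that authorize access.
REQUIRED = {
    "imei": {"android.permission.READ_PHONE_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}
# Assumption: forms in which a value may be sent (each value encoded on its own).
ENCODERS = {
    "plain": lambda b: b,
    "base64": base64.b64encode,
    "hex": lambda b: b.hex().encode(),
    "md5": lambda b: hashlib.md5(b).hexdigest().encode(),
    "sha1": lambda b: hashlib.sha1(b).hexdigest().encode(),
}

def matched_encoding(parts, payload):
    """Name of the first encoding under which every part occurs in payload."""
    for name, enc in ENCODERS.items():
        if all(enc(p.encode()) in payload for p in parts):
            return name
    return None

def find_unauthorized(flows, granted, device_values):
    """Flag flows carrying a known device value the sender has no permission for."""
    findings = []
    for flow in flows:
        perms = granted.get(flow["app"], set())
        for dtype, parts in device_values.items():
            if perms & REQUIRED[dtype]:
                continue  # sender holds a guarding permission: authorized access
            enc = matched_encoding(parts, flow["payload"])
            if enc:
                findings.append((flow["app"], dtype, enc, flow["host"]))
    return findings

# Constructed test-device values, permissions and decrypted flows (not real data).
DEVICE = {"imei": ["490154203237518"], "location": ["37.8716", "-122.2727"]}
GRANTED = {
    "com.example.maps": {"android.permission.ACCESS_FINE_LOCATION"},
    "com.example.game": {"android.permission.INTERNET"},
}
IMEI_MD5 = hashlib.md5(b"490154203237518").hexdigest().encode()
FLOWS = [
    {"app": "com.example.flashlight", "host": "sdk.example.net", "payload": b"id=" + IMEI_MD5},
    {"app": "com.example.maps", "host": "api.example.com", "payload": b"lat=37.8716&lon=-122.2727"},
    {"app": "com.example.game", "host": "ads.example.org", "payload": b"lat=37.8716&lon=-122.2727"},
]
```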
