AWare: Preventing Abuse of Privacy-Sensitive Sensors via Operation Bindings

System designers have long struggled with the challenge of determining how to control when untrusted applications may perform operations using privacy-sensitive sensors securely and effectively. Current systems request that users authorize such operations once (i.e., on install or first use), but malicious applications may abuse such authorizations to collect data stealthily using such sensors. Proposed research methods enable systems to infer the operations associated with user input events, but malicious applications may still trick users into allowing unexpected, stealthy operations. To prevent users from being tricked, we propose to bind applications’ operation requests to the associated user input events and how they were obtained explicitly, enabling users to authorize operations on privacy-sensitive sensors unambiguously and reuse such authorizations. To demonstrate this approach, we implement the AWare authorization framework for Android, extending the Android Middleware to control access to privacy-sensitive sensors. We evaluate the effectiveness of AWare in: (1) a laboratory-based user study, finding that at most 7% of the users were tricked by examples of four types of attacks when using AWare, instead of 85% on average for prior approaches; (2) a field study, showing that the user authorization effort increases by only 2.28 decisions on average per application; (3) a compatibility study with 1,000 of the most-downloaded Android applications, demonstrating that such applications can operate effectively under AWare.
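The abstract describes binding each sensor operation request to the user input event that triggered it and to how that event was obtained, so that an authorization can be reused only for the identical binding. The following is an added, simplified Python illustration of that idea; it is not AWare's code, and the `Binding` fields, the `BindingAuthorizer` class and the constructed scenario in `demo()` are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict

# Constructed, simplified model of an "operation binding": the requesting app,
# the sensor operation, the widget that received the user's input event, the
# window that displayed that widget, and the event type. An illustration only,
# not AWare's actual data structures.
@dataclass(frozen=True)
class Binding:
    app: str
    operation: str   # e.g. "camera.capture"
    widget: str      # the UI element the user acted on
    window: str      # the window in which that widget was shown
    event: str       # input event type, e.g. "tap"

class BindingAuthorizer:
    """Caches user decisions per binding, so an authorization is reused only
    for the identical (app, operation, widget, window, event) combination."""

    def __init__(self, ask_user: Callable[[Binding], bool]):
        self._ask_user = ask_user
        self._decisions: Dict[Binding, bool] = {}
        self.prompts = 0  # how many times the user had to decide

    def request(self, app, operation, widget=None, window=None, event=None) -> bool:
        # A request with no user input event behind it (e.g. from the
        # background) is never authorized: there is nothing the user consented to.
        if widget is None or window is None or event is None:
            return False
        binding = Binding(app, operation, widget, window, event)
        if binding not in self._decisions:
            self.prompts += 1
            self._decisions[binding] = self._ask_user(binding)
        return self._decisions[binding]

def demo():
    # Constructed scenario: the user approves the camera only when it is
    # triggered from the "Shutter" button of the "CameraScreen" window.
    def user(b: Binding) -> bool:
        return b.widget == "Shutter" and b.window == "CameraScreen"
    auth = BindingAuthorizer(user)
    first = auth.request("app", "camera.capture", "Shutter", "CameraScreen", "tap")
    reused = auth.request("app", "camera.capture", "Shutter", "CameraScreen", "tap")
    # Same app and operation, but obtained via a different widget and window:
    # a distinct binding, so the cached consent is not silently reused.
    other = auth.request("app", "camera.capture", "Hidden", "Overlay", "tap")
    background = auth.request("app", "camera.capture")
    return {"first": first, "reused": reused, "other": other,
            "background": background, "prompts": auth.prompts}
```

Running `demo()` shows the authorized binding being reused without a second prompt, while the differently obtained request and the background request are not covered by that authorization.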
