Julia Dauwe, Simon Meurer & Roland Wismüller, University of Siegen
APEFS and Information-flow Analysis for Privacy in Android
Droidcon 2013 - Berlin
Julia Dauwe, Simon Meurer & Roland Wismüller, University of Siegen
Operating Systems and Distributed Systems, [email protected]
Background
► Google Play
► Centralized software platform
► About 800,000 apps in different categories
► Search for Apps → Find it → get Information about Permissions
► What does "permission" mean?
  ► Apps run in sandboxes
  ► An app declares permissions to use protected features (network, contacts, location, ...)
  ► The user must accept all presented permissions to install the app
Hypothesis
► Permissions are only "irrelevant facts" the user accepts once "the right" app has finally been found
► Why do we think so?
  ► 2 live wallpapers requesting many/all permissions
  ► 6,660 downloads in 6 months
  ► No complaints about the requested permissions
  ► Own statistics
Statistics
► Statistics created with Apptistic (Project at University of Siegen)
► Apptistic analyzed about 250,000 apps from Google Play
► Example 1 filter:
  ► Requested permissions: network & personal data
  ► Free / name contains "Wallpaper"
► Example 2 filter:
  ► Requested permissions: network & personal data
  ► Paid / category "Games and Entertainment"
Statistics
► Example 1
► 1255 free Android wallpapers request network access and personal-data permissions; 48 of them also request "phone calls"
Statistics
► Example 2
► 884 paid game apps request network access and personal-data permissions
► 69 of them are in the Top 100 Paid
Reasons
► Granularity of permissions
► Users and developers don't understand the meaning of permissions (e.g. the "System tools" or "Storage" permissions)
► No colour-coded labels or similar help to quickly classify how dangerous a permission is
► Usage flow: 1. Searching → 2. Finding → 3. Security (permissions come last)
Idea: APEFS
► Android PErmission Filter System
► New usage flow:
  ► Security → Searching → Finding
  ► Security defined by a predefined filter
  ► Apps that do not fit the security level are filtered out
► Strengthens the role of permissions
  ► Permissions are no longer just another item to accept
► Uses the infrastructure Google already provides
  ► Basic idea: parse the Play Store web pages for permissions
APEFS – App
► Let users define their own security level
► Filter out apps requesting permission groups:
  ► Charged Services
  ► Location, Personal Information
  ► Internet & Network
  ► SMS & MMS, Phone Calls
  ► System Tools, SD-Card & Phone-Storage, Hardware
  ► Miscellaneous
► Chart search
  ► Apps and Games / Top Free, Top Paid, Top New Free ...
► Advanced app search
  ► Search for a specific app
► Check the apps installed on the device for their permissions
APEFS – Overview
► APEFS uses the Play Store website data for permission information
► App installation is done by the Google Play app
  ► Open Google Play on a specific app via an Intent (the Play app handles the market:// scheme; "com.test" is the package id):

    startActivity(new Intent(Intent.ACTION_VIEW).setData(Uri.parse("market://details?id=com.test")));

  ► The user is taken to the regular Play page
    ► Download / installation
    ► Description & screenshots
    ► Comments ...
APEFS – App – Search
Flow between the APEFS app and the Play Store website:
  1. Request charts / search
  2. Result page (24 apps)
  3. Parse for package ids
  4. Request detail pages based on id
  5. Detail pages
  6. Parse for permissions
  7. Filter results
APEFS – HTML-Parsing
► 1. Parsing App overview page (24 Apps)
► 2. Parsing detail pages of each app
APEFS – HTML-Parsing
► Parsing using a library (e.g. JSOUP)
  ► Less error-prone
  ► Computationally intensive
► Parsing with regular expressions
  ► Error-prone
  ► 452 ms faster per detail page than JSOUP!

    String htmlString = fetchHtml(url);
    // One permission description per div; DOTALL lets (.*?) span the line breaks inside the div
    Pattern exp = Pattern.compile("<div class\\s*=\\s*\"doc-permission-description\">(.*?)</div>", Pattern.DOTALL);
    Matcher m = exp.matcher(htmlString);
    while (m.find()) {
        String permissionName = m.group(1).trim();
        /* process permission */
    }
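The two parsing strategies and the filter step, as an added example that is not part of the slides or of the APEFS app itself. It uses Python rather than the authors' Java so that it runs offline: the detail-page fragments, the class names (taken from the slide's regex) and the mapping from Play's group headings onto the APEFS permission groups are all constructed for the example and are assumptions, not the real 2013 markup.

```python
from __future__ import annotations
import re
from html.parser import HTMLParser

# Constructed detail-page fragments mimicking the markup the slide's regex targets (sample data only).
WALLPAPER_PAGE = """
<div class="doc-permissions">
  <div class="doc-permission-group">Network communication</div>
  <div class="doc-permission-description">
    full Internet access
  </div>
  <div class="doc-permission-group">Your personal information</div>
  <div class="doc-permission-description">read contact data</div>
  <div class="doc-permission-group">Phone calls</div>
  <div class="doc-permission-description">read phone state and identity</div>
</div>
"""
CALCULATOR_PAGE = """
<div class="doc-permissions">
  <div class="doc-permission-group">Storage</div>
  <div class="doc-permission-description">modify/delete SD card contents</div>
</div>
"""

# Assumed mapping from Play's group headings onto the APEFS groups a user can block.
PLAY_GROUP_TO_APEFS = {
    "Network communication": "Internet & Network",
    "Your personal information": "Location, Personal Information",
    "Your location": "Location, Personal Information",
    "Phone calls": "SMS & MMS, Phone Calls",
    "Services that cost you money": "Charged Services",
    "Storage": "System Tools, SD-Card & Phone-Storage, Hardware",
}

# The slide's regex; DOTALL makes '.*?' span the line breaks real pages contain.
PERMISSION_RE = re.compile(r'<div class\s*=\s*"doc-permission-description">(.*?)</div>', re.DOTALL)


def permissions_regex(html: str) -> list[str]:
    """Fast path from the slides: regex, no DOM. Yields description strings only."""
    return [m.strip() for m in PERMISSION_RE.findall(html)]


class PermissionParser(HTMLParser):
    """Library path: a real tokenizer, which also keeps the group heading for each permission."""

    def __init__(self) -> None:
        super().__init__()
        self.permissions: list[tuple[str, str]] = []  # (Play group heading, description)
        self._group = None
        self._capture = None  # class of the div whose text is currently being collected
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        cls = dict(attrs).get("class", "")
        if tag == "div" and cls in ("doc-permission-group", "doc-permission-description"):
            self._capture, self._buf = cls, []

    def handle_data(self, data):
        if self._capture:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "div" and self._capture:
            text = "".join(self._buf).strip()
            if self._capture == "doc-permission-group":
                self._group = text
            else:
                self.permissions.append((self._group, text))
            self._capture = None


def permissions_parser(html: str) -> list[tuple[str, str]]:
    parser = PermissionParser()
    parser.feed(html)
    return parser.permissions


def apefs_groups(html: str) -> set[str]:
    """APEFS permission groups an app requests, derived from its parsed detail page."""
    return {PLAY_GROUP_TO_APEFS.get(group, "Miscellaneous") for group, _ in permissions_parser(html)}


def filter_apps(pages: dict[str, str], blocked_groups: set[str]) -> list[str]:
    """Step 7 of the flow: keep only apps that request none of the groups the security level forbids."""
    return [pkg for pkg, html in pages.items() if not (apefs_groups(html) & blocked_groups)]
```

Both parsers agree on the descriptions, but only the tokenizer path can attribute each description to its group heading, which is what the APEFS filter needs; the regex path is the one the slide benchmarks as faster.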
APEFS – App
► App Search & Installation
APEFS – Lessons Learned
► More than 20,000 downloads in less than 3 months
► Mixed feedback
  ► Accepted as a good helper tool
  ► Users start to question requested permissions
  ► But also: misunderstanding of the idea – APEFS is not an anti-virus tool (not yet)
► Using the feedback for future work
  ► e.g. adding a blacklist or, where applicable, collaboration with a detector tool
App analysis
► Filter apps by permissions: ✓
► Filter apps by "what they actually do": current research
► Motivation:
  ► An app requests private data and network permissions
  ► Suspicion: the app sends private data to the Internet
  ► APEFS: decision based on permissions only
► Information-flow analysis
  ► Define sensitive data (secrets) and detect leaks
  ► Prove whether a secret can possibly reach a leak
Information-flow analysis
► Special type of data flow analysis
► Determine possible flows from defined sources to output channels
Figure: sources (ID, contacts, mails, ...) → APP → output channels (Internet, SMS, Bluetooth, ...)
Information-flow Analysis
► Using Soot: a Java optimization framework
  ► Supports interprocedural data-flow analysis with pointer analysis
  ► SPARK & Paddle
► Works on
  ► Java bytecode directly
  ► its own intermediate representations (Jimple, Shimple, ...)
  ► Jimple: typed 3-address representation
► Soot & Android
  ► .apk files can be translated to Jimple using Dexpler (now integrated in Soot)
Control flow graph
► 1. Use Soot to build a call graph with all methods called by the program
  ► (Current work: no libraries or system calls)
► 2. Create a control-flow graph for each method

    // Build the CFG of one method body (ExceptionalUnitGraph also includes exceptional-flow edges)
    UnitGraph graph = new ExceptionalUnitGraph(body);
    // Visit every code block (Jimple statement) inside this graph ...
    for (Unit statement : graph) { … }
Information-flow Analysis
► 3. Define and create the sets that make up the transfer function, for
  ► each code block B and variable v:
    ► Gen(B) – B possibly stores critical information in v
    ► Kill(B) – B definitely does NOT leave critical information in v
    ► Copy(B) – B possibly copies critical information from another variable x into v
    ► Leak(B) – B possibly leaks v
  ► each method M of a program P and variable v:
    ► Gen(M) – there exists a path inside M on which sensitive information is stored in v
    ► Kill(M), Copy(M), Leak(M) – analogously
Information-flow Analysis
► 4. Define the transfer functions for the critical set and the leak set
  ► Forward flow analysis to find critical data
  ► Backward flow analysis to find leaks
► 5. Compute the intersection of critical_in and leak_out → if it is not empty, some data is leaked!
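Steps 2 to 5 carried through on a toy control-flow graph, as an added example that is not the authors' Soot-based implementation: it is written in Python instead of Java, each block carries the Gen/Kill/Copy/Leak sets from the slides as literals instead of deriving them from Jimple, and the intersection is taken at block entry (critical_in ∩ leak_in), since the backward pass has already dropped every variable a block redefines. Both passes are may-analyses iterated to a fixpoint, so the program from the later "Runtime Assertions" slide is flagged even though the two conditions might never hold together; that is the false-positive behaviour the slides motivate assertions with. Aliasing through object fields is not modelled, which is what the points-to extension addresses.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Block:
    """One CFG node (a Jimple statement) annotated with the four sets from the slides."""
    name: str
    gen: set[str] = field(default_factory=set)    # Gen(B): B may store sensitive data in these variables
    kill: set[str] = field(default_factory=set)   # Kill(B): B definitely overwrites these with non-sensitive data
    copy: dict[str, str] = field(default_factory=dict)  # Copy(B): dest -> src, dest may receive src's value
    leak: set[str] = field(default_factory=set)   # Leak(B): B may pass these variables to an output channel
    succ: list[str] = field(default_factory=list)

    def defined(self) -> set[str]:
        """Variables B (re)defines; whatever they held before B is dead afterwards."""
        return self.gen | self.kill | set(self.copy)


def forward_critical(cfg: list[Block]) -> tuple[dict[str, set[str]], dict[str, set[str]]]:
    """critical_in/out(B): variables that may hold sensitive data at entry/exit of B (union over paths)."""
    preds: dict[str, list[str]] = {b.name: [] for b in cfg}
    for b in cfg:
        for s in b.succ:
            preds[s].append(b.name)
    c_in = {b.name: set() for b in cfg}
    c_out = {b.name: set() for b in cfg}
    changed = True
    while changed:  # sets only grow, so the iteration reaches a fixpoint
        changed = False
        for b in cfg:
            new_in = set().union(*(c_out[p] for p in preds[b.name]))
            new_out = (new_in - b.defined()) | b.gen | {d for d, s in b.copy.items() if s in new_in}
            if new_in != c_in[b.name] or new_out != c_out[b.name]:
                c_in[b.name], c_out[b.name], changed = new_in, new_out, True
    return c_in, c_out


def backward_leak(cfg: list[Block]) -> tuple[dict[str, set[str]], dict[str, set[str]]]:
    """leak_in/out(B): variables whose value at entry/exit of B may still reach an output channel."""
    l_in = {b.name: set() for b in cfg}
    l_out = {b.name: set() for b in cfg}
    changed = True
    while changed:
        changed = False
        for b in reversed(cfg):
            new_out = set().union(*(l_in[s] for s in b.succ))
            # a copy dest=src that is leaked later means src's value at entry is leaked too
            new_in = b.leak | (new_out - b.defined()) | {s for d, s in b.copy.items() if d in new_out}
            if new_in != l_in[b.name] or new_out != l_out[b.name]:
                l_in[b.name], l_out[b.name], changed = new_in, new_out, True
    return l_in, l_out


def find_leaks(cfg: list[Block]) -> dict[str, set[str]]:
    """Step 5: at each block entry, variables that may be sensitive AND may still reach an output channel."""
    c_in, _ = forward_critical(cfg)
    l_in, _ = backward_leak(cfg)
    return {b.name: c_in[b.name] & l_in[b.name] for b in cfg if c_in[b.name] & l_in[b.name]}


def leaks_secret(cfg: list[Block]) -> bool:
    return bool(find_leaks(cfg))


def slide_example() -> list[Block]:
    """The program from the 'Runtime Assertions' slide, one block per statement (constructed CFG)."""
    return [
        Block("B1", kill={"s"}, succ=["B2"]),   # String s = "Test";
        Block("B2", succ=["B3", "B4"]),         # if (x > 0)
        Block("B3", gen={"s"}, succ=["B4"]),    # s = getSecret();
        Block("B4", succ=["B5", "B6"]),         # if (y < 0)
        Block("B5", leak={"s"}, succ=["B6"]),   # leak(s);
        Block("B6"),                            # exit
    ]


def copy_example() -> list[Block]:
    """Secret copied into t, then s overwritten: the flow survives through t (constructed CFG)."""
    return [
        Block("B1", gen={"s"}, succ=["B2"]),        # s = getSecret();
        Block("B2", copy={"t": "s"}, succ=["B3"]),  # t = s;
        Block("B3", kill={"s"}, succ=["B4"]),       # s = "";
        Block("B4", leak={"s"}, succ=["B5"]),       # leak(s);  harmless now
        Block("B5", leak={"t"}),                    # leak(t);  leaks the secret
    ]


def sanitised_example() -> list[Block]:
    """Secret overwritten before the only output: no flow, the analysis stays silent (constructed CFG)."""
    return [
        Block("B1", gen={"s"}, succ=["B2"]),    # s = getSecret();
        Block("B2", kill={"s"}, succ=["B3"]),   # s = "";
        Block("B3", leak={"s"}),                # leak(s);
    ]
```

For the slide's program the intersection is non-empty at B4 and B5 (the secret may be in s there and may reach leak(s)), which is exactly the conservative "secret is leaked" verdict the slides report before the runtime assertion is introduced.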
Points-to Sets
► Points-to sets (PTS) are used as an addition to the first analysis
  ► Try to find pointer targets to check them for critical data
► We define a PTS for a variable v as:
  ► PTS(v) = the set of all objects v could possibly point to
► Therefore we need new definitions of the sets and transfer functions that include PTS
► Points-to analysis in Soot with the help of SPARK and Paddle

    // Configure and run SPARK before querying points-to sets (body not shown on the slide)
    static void setSparkPointsToAnalysis() { … }

    // Ask the whole-program points-to analysis which objects a local may point to
    soot.PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
    PointsToSet pts1 = pta.reachingObjects(local);

► Problem: the analysis with points-to information takes much more time ...
Information-flow Analysis - Problems
► Problem of static analysis:
  ► Very conservative
  ► May result in many false positives
  ► Detects a leak of information where there is none
► Idea: runtime assertions
  ► After compiling, the developer can check where flows are detected
  ► Assertions can state that there is no flow
  ► The assertion is checked at run time
  ► If it is not fulfilled → the app is terminated
Runtime Assertions - Example
    String s = "Test";
    if (x > 0) { s = getSecret(); }
    if (y < 0) { leak(s); }

The secret will be leaked if x > 0 and y < 0! Analysis result: secret is leaked!

    // Proposed APEFS assertion API (note: 'assert' is a reserved word in Java, so a real API needs another name)
    APEFS.assert(!(x > 0 && y < 0));

With the assertion, the secret cannot be leaked. Analysis result: no secret leaked!
Connection of Analysis to APEFS
► Extend the security level
  ► Sensitive data and permissible flows
► Problem: the analysis is only possible on the .apk package
► Two ways to realize it:
  ► Create our own market
    ► Easy access to packages
    ► Problem of acceptance
  ► Apps specify their flows in accessible metadata
    ► Published through self-defined permissions
    ► Problem: no guarantee that the metadata is correct
    ► Digital signature or analysis on the device
Conclusion and future work
► APEFS:
  ► Filter Android apps by permissions / security level
  ► Based on Google's infrastructure
  ► New usage flow: Security → Searching → Finding
  ► Limitation: filters by permissions only
► Information-flow analysis
  ► Determine flows of information to possible leaks
  ► Including points-to analysis
  ► Reduce false positives with e.g. runtime assertions
  ► Try to speed up the analysis