
Smart Cities and Open WiFis: When Android OS Permissions Cease to Protect Privacy

  • Gabriella Verga
  • Salvatore Calcagno
  • Andrea Fornaia
  • Emiliano Tramontana
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11874)

Abstract

The widespread availability of open WiFi networks in smart cities can be considered an advanced service for citizens. However, a device connecting to WiFi network access points gives away its location. On the one hand, the access point provider could collect and analyse the ids of connecting devices, and people choose whether to connect depending on their degree of trust in the provider. On the other hand, an app running on the device could sense the presence of nearby WiFi networks, and this could have consequences for user privacy. Based on the permission levels and mechanisms of Android OS, this paper proposes an approach whereby an app attempting to connect to WiFi networks could reveal to a third party the presence of some known networks, and thus a surrogate for the geographical location of the user, while she is unaware of it. This is achieved without resorting to GPS readings, hence without needing dangerous-level permissions. We propose a way to counteract such a weakness in order to protect user privacy.

Keywords

Android OS · Privacy · Permission levels · WiFi networks · Big data

Notes

Acknowledgement

This work has been supported by project CREAMS—Codes Recognising and Eluding Attacks and Meddling on Systems—funded by Università degli Studi di Catania, Piano della Ricerca 2016/2018 Linea di intervento 2.


Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Gabriella Verga (1)
  • Salvatore Calcagno (1)
  • Andrea Fornaia (1)
  • Emiliano Tramontana (1)

  1. Dipartimento di Matematica e Informatica, University of Catania, Catania, Italy
