Taming Information-Stealing Smartphone Applications (on Android)

  • Yajin Zhou
  • Xinwen Zhang
  • Xuxian Jiang
  • Vincent W. Freeh
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6740)

Abstract

Smartphones are becoming ubiquitous, and mobile users increasingly rely on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users’ personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their ability to tame these privacy-violating applications. In this paper, we argue for the need for a new privacy mode in smartphones. The privacy mode empowers users to flexibly control, in a fine-grained manner, what kinds of personal information will be accessible to an application. Moreover, the granted access can be dynamically adjusted at runtime, again in a fine-grained manner, to better suit a user’s needs in various scenarios (e.g., at a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. Our evaluation with more than a dozen information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, the evaluation shows that TISSA introduces negligible performance overhead.

Keywords

smartphone applications; Android; privacy mode

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Yajin Zhou (1)
  • Xinwen Zhang (2)
  • Xuxian Jiang (1)
  • Vincent W. Freeh (1)
  1. Department of Computer Science, NC State University, USA
  2. Huawei America Research Center, Canada