AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale

  • Clint Gibler
  • Jonathan Crussell
  • Jeremy Erickson
  • Hao Chen
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7344)

Abstract

As mobile devices become more widespread and powerful, they store more sensitive data, which includes not only users’ personal information but also the data collected via sensors throughout the day. When mobile applications have access to this growing amount of sensitive information, they may leak it carelessly or maliciously.

Google’s Android operating system provides a permissions-based security model that restricts an application’s access to the user’s private data. Each application statically declares the sensitive data and functionality that it requires in a manifest, which is presented to the user upon installation. However, it is not clear to the user how sensitive data is used once the application is installed. To combat this problem, we present AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually.

We evaluate the efficacy of AndroidLeaks on 24,350 Android applications from several Android markets. AndroidLeaks found 57,299 potential privacy leaks in 7,414 Android applications, out of which we have manually verified that 2,342 applications leak private data including phone information, GPS location, WiFi data, and audio recorded with the microphone. AndroidLeaks examined these applications in 30 hours, which indicates that it is capable of scaling to the increasingly large set of available applications.

Keywords

Private Data Android Application Native Code Privacy Leak Java Source Code 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Android developer reference, http://d.android.com/ (accessed March 30, 2012)
  2. 2.
    Android security and permissions, http://d.android.com/guide/topics/security/security.html (accessed March 30, 2012)
  3. 3.
  4. 4.
    Go Apk. Go apk market, http://market.goapk.com (accessed March 2011)
  5. 5.
    AppBrain. Number of available android applications, http://www.appbrain.com/stats/number-of-android-apps (accessed August 15, 2011)
  6. 6.
    Bornstein, D.: Dalvik vm internals (2008), http://goo.gl/knN9n (accessed March 18, 2011)
  7. 7.
    IBM T.J. Watson Research Center. T.j. watson libraries for analysis (wala) (March 2011) (accessed March 30, 2012)Google Scholar
  8. 8.
    The Nielsen Company. Who is winning the u.s. smartphone battle?, http://blog.nielsen.com/nielsenwire/online_mobile/who-is-winning-the-u-s-smartphone-battle (accessed March 17, 2011)
  9. 9.
    Egele, M., Kruegel, C., Kirda, E., Vigna, G.: Pios: Detecting privacy leaks in ios applications. In: Proceedings of the Network and Distributed System Security Symposium (2011)Google Scholar
  10. 10.
    Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association (2010)Google Scholar
  11. 11.
    Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proc. of the 20th USENIX Security Symposium (2011)Google Scholar
  12. 12.
    Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638. ACM (2011)Google Scholar
  13. 13.
    Fuchs, A.P., Chaudhuri, A., Foster, J.S.: Scandroid: Automated security certification of android applications. Univ. of Maryland (2009) (manuscript), http://www.cs.umd.edu/~avik/projects/scandroidascaa
  14. 14.
    Google. Google play , http://market.android.com (accessed March, 2011)
  15. 15.
    Apple Inc. App store review guidelines, http://developer.apple.com/appstore/guidelines.html (accessed March 30, 2012)
  16. 16.
    Pachal, P.: Google removes 21 malware apps from android market (March 2011), http://www.pcmag.com/article2/0,2817,2381252,00.asp (accessed March 18, 2011)
  17. 17.
    pxb1988. dex2jar: A tool for converting android’s .dex format to java’s .class format, https://code.google.com/p/dex2jar/ (accessed March 30, 2012)
  18. 18.
    SlideMe. Slideme: Android community and application marketplace, http://slideme.org/ (accessed March 30, 2012)
  19. 19.
    Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: Taj: effective taint analysis of web applications. In: ACM Sigplan Notices, vol. 44, pp. 87–97. ACM (2009)Google Scholar
  20. 20.
    Yin, S.: ’most sophisticated’ android trojan surfaces in china (December 2010), http://www.pcmag.com/article2/0,2817,2374926,00.asp (accessed March 18, 2011)
  21. 21.
    Zhou, Y., Zhang, X., Jiang, X., Freeh, V.W.: Taming Information-Stealing Smartphone Applications (on Android). In: McCune, J.M., Balacheff, B., Perrig, A., Sadeghi, A.-R., Sasse, A., Beres, Y. (eds.) Trust 2011. LNCS, vol. 6740, pp. 93–107. Springer, Heidelberg (2011)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Clint Gibler
    • 1
  • Jonathan Crussell
    • 1
    • 2
  • Jeremy Erickson
    • 1
    • 2
  • Hao Chen
    • 1
  1. 1.University of CaliforniaDavisUSA
  2. 2.Sandia National LabsLivermoreUSA

Personalised recommendations