Abstract
Mobile devices have become an indispensable part of our daily lives. Practically, most of our everyday communication is performed through mobile devices which host third party apps and provide for various means of interaction with diverse levels of security. Android is by far the most widely used mobile operating system, with a user base in the scale of billions. However, while Android Open Source Project (AOSP) is paving the way for all manufacturers, Android market is so fragmented that those who are using the latest version are only a small minority. Moreover, Android comes in several flavours as manufacturers tailor it to their needs. However, this tailoring often prevents users from getting the latest updates. In fact, as we show, manufacturers may not follow the security and privacy guidelines of AOSP, exposing their users to unexpected threats. In this work we study a yet unpatched vulnerability by most major manufacturers, and partially fixed in AOSP, which allows for an adversary to extract important information from the victim’s device. To this end, we showcase that unprivileged apps, without actually using any permissions, can harvest a considerable amount of valuable user information. This is achieved by monitoring and exploiting the file and folder metadata of the most well-known messaging apps in Android, which have been hitherto considered secure, deriving thereby usage statistics in order to elicit user profiles, social connections, credentials or other sensitive information.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
- 2.
For instance see Samsung: https://security.samsungmobile.com/securityUpdate.smsb.
- 3.
- 4.
References
Y. Aafer, W. Du, H. Yin, Droidapiminer: mining API-level features for robust malware detection in android, in International Conference on Security and Privacy in Communication Systems (Springer, 2013), pp. 86–103
E. Alepis, C. Patsakis, Trapped by the UI: the android case, in International Symposium on Research in Attacks, Intrusions, and Defenses (Springer, 2017), pp. 334–354
E. Alepis, C. Patsakis, Unravelling security issues of runtime permissions in android (J. Hardw. Syst, Secur, 2018)
Y. Amit, Accessibility clickjacking the next evolution in android malware that impacts more than 500 million devices (2016). https://www.skycure.com/blog/accessibility-clickjacking/
Android Developer, Permission changes. https://developer.android.com/about/versions/nougat/android-7.0-changes.html. Accessed 07 Feb 2018
Android Developer. Android 7.0 behavior changes (2017). https://developer.android.com/about/versions/nougat/android-7.0-changes.html
D. Arp, M. Spreitzenbarth, M. Hubner, H. Gascon, K. Rieck, C.E.R.T. Siemens, Drebin: effective and explainable detection of android malware in your pocket. NDSS 14, 23–26 (2014)
A. Bianchi, J. Corbetta, L. Invernizzi, Y. Fratantonio, C. Kruegel, G. Vigna, What the app is that? deception and countermeasures in the android user interface, in Proceedings of the 2015 IEEE Symposium on Security and Privacy (IEEE Computer Society, 2015), pp. 931–948
Check Point Mobile Research Team, Android permission security flaw (2017). https://blog.checkpoint.com/2017/05/09/android-permission-security-flaw/. Accessed 09 Sep 2017
Q.A. Chen, Z. Qian, Z.M. Mao, Peeking into your app without actually seeing it: UI state inference and novel android attacks, in 23rd USENIX Security Symposium (USENIX Security 14) (San Diego, CA, USENIX Association, 2014), pp. 1037–1052
ElevenPaths, An innovative tool for the monitoring and analysis of mobile threats. https://www.elevenpaths.com/technology/tacyt/index.html
P. Faruki, A. Bharmal, V. Laxmi, V. Ganmoor, M.S. Gaur, M. Conti, M. Rajarajan, Android security: a survey of issues, malware penetration, and defenses. IEEE Commun Surv Tutor 17(2), 998–1022
A.P. Felt, M. Finifter, E. Chin, S. Hanna, D. Wagner, A survey of mobile malware in the wild, in Proceedings of the 1st ACM workshop on Security and Privacy in Smartphones and Mobile Devices (ACM, 2011), pp. 3–14
Y. Fratantonio, C. Qian, S. Chung, W. Lee, Cloak and dagger: from two permissions to complete control of the UI feedback loop, in Proceedings of the IEEE Symposium on Security and Privacy (Oakland) (, San Jose CA, 2017)
Google, AOSP source code for filesystem\(\_\)config. https://android.googlesource.com/platform/system/core/+/master/libcutils/include/private/android_filesystem_config.h
M. Grace, Y. Zhou, Q. Zhang, S. Zou, X. Jiang, Riskranker: scalable and accurate zero-day android malware detection, in Proceedings of the 10th International Conference on Mobile Systems, Applications, and Services (ACM, 2012), pp. 281–294
K. Nohl, J. Lell. Mind the Gap—Uncovering the Android Patch Gap through Binary-only Patch Analysis (2018)
E.J. Kartaltepe, J.A. Morales, S. Xu, R. Sandhu, Social network-based botnet command-and-control: emerging threats and countermeasures, in International Conference on Applied Cryptography and Network Security (Springer, 2010), pp. 511–528
Avantika Mathur, Mingming Cao, Suparna Bhattacharya, Andreas Dilger, Alex Tomas, Laurent Vivier, The new ext4 filesystem: current status and future plans. Proc. Linux Symp. 2, 21–33 (2007)
K. Nohl, Mobile self-defense (snoopsnitch), in Proceedings of Chaos Computer Security Conference (2014)
Ed O’Keefe, https://www.washingtonpost.com/news/post-politics/wp/2013/06/06/transcript-dianne-feinstein-saxby-chambliss-explain-defend-nsa-phone-records-program/?utm_term=.f2e1466faae2 (2013)
C. Patsakis, E. Alepis, Knock-knock: the unbearable lightness of android notifications, in Proceedings of the 4th International Conference on Information Systems Security and Privacy, ICISSP 2018, Funchal, Madeira-Portugal, January 22–24, 2018, ed. by P. Mori, S. Furnell, O. Camp (SciTePress, 2018), pp. 52–61
N. Peiravian, X. Zhu, Machine learning for android malware detection using permission and API calls, in 2013 IEEE 25th International Conference on Tools with Artificial Intelligence (ICTAI) (IEEE, 2013), pp. 300–305
Android Police, https://www.androidpolice.com/2017/11/12/google-will-remove-play-store-apps-use-accessibility-services-anything-except-helping-disabled-users/ (2017)
C. Spensky, J. Stewart, A. Yerukhimovich, R. Shay, A. Trachtenberg, R. Housley, R.K. Cunningham, Sok: privacy on mobile devices–it’s complicated. Proc. Privacy Enhanc. Technol. 2016(3), 96–116 (2016)
Statista, Global market share held by the leading smartphone operating systems in sales to end users from 1st quarter 2009 to 2nd quarter 2018. https://www.statista.com/statistics/266136/global-market-share-held-by-smartphone-operating-systems/
T. Vidas, D. Votipka, N. Christin, All your droid are belong to us: a survey of current android attacks, in Proceedings of the 5th USENIX Conference on Offensive Technologies (USENIX Association, 2011), pp. 10–10
D.-J. Wu, C.-H. Mao, T.-E. Wei, H.-M. Lee, K.-P. Wu, Droidmat: android malware detection through manifest and API calls tracing, in 2012 Seventh Asia Joint Conference on Information Security (Asia JCIS) (IEEE, 2012), pp. 62–69
L. Ying, Y. Cheng, Y. Lu, Y. Gu, P. Su, D. Feng, Attacks and defence on android free floating windows, in Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security (ACM, 2016), pp 759–770
Y. Zhou, W. Zhi, W. Zhou, X. Jiang, Hey, you, get off of my market: detecting malicious apps in official and alternative android markets. NDSS 25, 50–52 (2012)
Acknowledgements
The authors would like to thank ElevenPaths for their valuable feedback and granting them access to Tacyt.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Kapetanios, C., Polyzos, T., Alepis, E., Patsakis, C. (2021). This is Just Metadata: From No Communication Content to User Profiling, Surveillance and Exploitation. In: Tsihrintzis, G., Virvou, M. (eds) Advances in Core Computer Science-Based Technologies. Learning and Analytics in Intelligent Systems, vol 14. Springer, Cham. https://doi.org/10.1007/978-3-030-41196-1_13
Download citation
DOI: https://doi.org/10.1007/978-3-030-41196-1_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41195-4
Online ISBN: 978-3-030-41196-1
eBook Packages: EngineeringEngineering (R0)