AndroidLeaks: Automatically Detecting Potential Privacy Leaks in Android Applications on a Large Scale
As mobile devices become more widespread and powerful, they store more sensitive data, which includes not only users’ personal information but also the data collected via sensors throughout the day. When mobile applications have access to this growing amount of sensitive information, they may leak it carelessly or maliciously.
Google’s Android operating system provides a permissions-based security model that restricts an application’s access to the user’s private data. Each application statically declares the sensitive data and functionality that it requires in a manifest, which is presented to the user upon installation. However, it is not clear to the user how sensitive data is used once the application is installed. To combat this problem, we present AndroidLeaks, a static analysis framework for automatically finding potential leaks of sensitive information in Android applications on a massive scale. AndroidLeaks drastically reduces the number of applications and the number of traces that a security auditor has to verify manually.
We evaluate the efficacy of AndroidLeaks on 24,350 Android applications from several Android markets. AndroidLeaks found 57,299 potential privacy leaks in 7,414 Android applications, out of which we have manually verified that 2,342 applications leak private data including phone information, GPS location, WiFi data, and audio recorded with the microphone. AndroidLeaks examined these applications in 30 hours, which indicates that it is capable of scaling to the increasingly large set of available applications.
KeywordsPrivate Data Android Application Native Code Privacy Leak Java Source Code
Unable to display preview. Download preview PDF.
- 1.Android developer reference, http://d.android.com/ (accessed March 30, 2012)
- 2.Android security and permissions, http://d.android.com/guide/topics/security/security.html (accessed March 30, 2012)
- 3.Bitblaze, http://bitblaze.cs.berkeley.edu/
- 4.Go Apk. Go apk market, http://market.goapk.com (accessed March 2011)
- 5.AppBrain. Number of available android applications, http://www.appbrain.com/stats/number-of-android-apps (accessed August 15, 2011)
- 6.Bornstein, D.: Dalvik vm internals (2008), http://goo.gl/knN9n (accessed March 18, 2011)
- 7.IBM T.J. Watson Research Center. T.j. watson libraries for analysis (wala) (March 2011) (accessed March 30, 2012)Google Scholar
- 8.The Nielsen Company. Who is winning the u.s. smartphone battle?, http://blog.nielsen.com/nielsenwire/online_mobile/who-is-winning-the-u-s-smartphone-battle (accessed March 17, 2011)
- 9.Egele, M., Kruegel, C., Kirda, E., Vigna, G.: Pios: Detecting privacy leaks in ios applications. In: Proceedings of the Network and Distributed System Security Symposium (2011)Google Scholar
- 10.Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In: Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1–6. USENIX Association (2010)Google Scholar
- 11.Enck, W., Octeau, D., McDaniel, P., Chaudhuri, S.: A study of android application security. In: Proc. of the 20th USENIX Security Symposium (2011)Google Scholar
- 12.Felt, A.P., Chin, E., Hanna, S., Song, D., Wagner, D.: Android permissions demystified. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 627–638. ACM (2011)Google Scholar
- 13.Fuchs, A.P., Chaudhuri, A., Foster, J.S.: Scandroid: Automated security certification of android applications. Univ. of Maryland (2009) (manuscript), http://www.cs.umd.edu/~avik/projects/scandroidascaa
- 14.Google. Google play , http://market.android.com (accessed March, 2011)
- 15.Apple Inc. App store review guidelines, http://developer.apple.com/appstore/guidelines.html (accessed March 30, 2012)
- 16.Pachal, P.: Google removes 21 malware apps from android market (March 2011), http://www.pcmag.com/article2/0,2817,2381252,00.asp (accessed March 18, 2011)
- 17.pxb1988. dex2jar: A tool for converting android’s .dex format to java’s .class format, https://code.google.com/p/dex2jar/ (accessed March 30, 2012)
- 18.SlideMe. Slideme: Android community and application marketplace, http://slideme.org/ (accessed March 30, 2012)
- 19.Tripp, O., Pistoia, M., Fink, S.J., Sridharan, M., Weisman, O.: Taj: effective taint analysis of web applications. In: ACM Sigplan Notices, vol. 44, pp. 87–97. ACM (2009)Google Scholar
- 20.Yin, S.: ’most sophisticated’ android trojan surfaces in china (December 2010), http://www.pcmag.com/article2/0,2817,2374926,00.asp (accessed March 18, 2011)