Download - Mobile Privacy
![Page 1: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/1.jpg)
Sinan Bolel and Eric Jizba
Mobile Privacy
With some slides by Muhammad Naveed
![Page 2: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/2.jpg)
Outline
• Background and Motivation• Information Leaks through Shared Resources• Accidental Data Sharing
![Page 3: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/3.jpg)
Modern Operating Systems
Background and Motivation
![Page 4: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/4.jpg)
Changing use cases
• Rapid development of the way smartphones are being used today
• Increasingly used for even more taskso Phone calls, email, texting, navigation,
entertainment, etc.
![Page 5: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/5.jpg)
OS Modularity
• In the past, tools/apps shared next to nothingo Simple UNIX tools (i.e. grep)o Monolithic GUI applications (i.e. MS Office)
• Modern applications work together to complete larger, user-defined task
• Modern OSes run each application as a unique security principal
![Page 6: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/6.jpg)
Barcode Scanner App
Shopping App
Browser
Social Networking App
12
3
![Page 7: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/7.jpg)
Android OS and Security
Background and Motivation
![Page 8: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/8.jpg)
The Android OS• Android runs Linux kernel, defines its own application runtime• Java-based middleware API forces developers to design apps within a
component framework• Four component types: activity, service, content provider, broadcast
receiver.o These provide daemon-like functionality
Service: general purpose Content provider: database Broadcast receiver: listen for messages
• Binder framework provides access control and Inter-Process Communication (IPC) between components.o Apps use intent messages to interact with bindero Intent filters registered to receive messages addressed to specific action strings
![Page 9: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/9.jpg)
The Android OS
![Page 10: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/10.jpg)
Android Security• OS design takes security seriously.
• Built on sandbox and permission model.
o Each app is isolated from others by Linux user-based protection.
o Apps are required to explicitly ask for permissions to access the resources outside its sandbox before installation.
• Compared to even desktop OSes, this security design looks good.
![Page 11: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/11.jpg)
Malware on Android• Waves of Android-based malware
in recent years.
• Mobile Malware is mostly on Android
o 2013: 87%
o Now: 97%
o Largely from unregulated third party app stores
Middle East & Asia
o Apps in Google Play with malware: 0.1%
source: forbes.com
![Page 12: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/12.jpg)
Shared Resources for Apps• The design of the OS is based on unprotected shared resources
o Including those inherited from Linux
• No permissions required to access shared resources.
![Page 13: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/13.jpg)
Android Shared Resources• Examples of resources available to apps without permissions:
o Per-app data usage statisticso ARP informationo Speaker status (on or off)
• Examples of resources only available with permissions:o Camerao Locationo Internet
• Developers specify permissions in App Manifest file• Users approve permissions on install
![Page 14: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/14.jpg)
Basic Problem
Information Leaks
![Page 15: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/15.jpg)
What are information leaks?• Most leaks caused by implementation errors
o Either in Android or within mobile appso Prior studies focused on privacy implications
of data from sensorso e.g. motion sensor, microphone
• Privacy concernso Background information from shared resources
exposed by both the Android and Linux layers. o What can be inferred when this info is combined with
public data?
![Page 16: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/16.jpg)
Information Leaks: Basic Problemo Public resources are thought to be innocuouso Malicious apps able to access sensitive data
without permissions Stealthily collect sensitive data Deliver to remote server Analyze data and other public information (i.e. public tweets) to infer
user-specific information
![Page 17: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/17.jpg)
Information LeaksMain question:
“Assuming that Android’s security design has been faithfully implemented and apps are well protected by their developers, what can a malicious app still learn about the user’s private information without any permissions at all?”
![Page 18: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/18.jpg)
Stealthiness• Sensing LCD ON/OFF status from public resources• Data can be sent using browser (without any
permission), when the screen is OFF• To avoid being detected, browser can be redirected
to another website (e.g. google.com) by sending an Intent
19
![Page 19: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/19.jpg)
Main Ideas: Location Inference Attack
Information Leaks
![Page 20: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/20.jpg)
ARP Information• /proc/net/arp contains Address Resolution Protocol
(ARP) information
• /proc/net/arp contains BSSID (i.e. MAC address of the wireless interface) of the access point phone is connected to
• ARP information wasn’t considered sensitive in original Linux design
• Location privacy breach for Android due to increased mobility
21
![Page 21: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/21.jpg)
Attack
22
Running zero-permission app monitoring /proc/net/arp
App sends BSSID using browserAdversary controlled web-server
![Page 22: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/22.jpg)
BSSID based Location Services
23
BSSID to GPS coordinates mapping database
2 - GPS Coordinates
1 - BSSIDs
NavizonWe used Navizon app to access the BSSID to GPS coordinates mapping database.
![Page 23: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/23.jpg)
BSSID based Location Services
24
BSSID BSSID BSSID
BSSID BSSID BSSID1
BSSID collection by capturing WiFi broadcast beacons
2
BSSID to GPS mapping
3
BSSID to GPS coordinates mapping database
GPS
![Page 24: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/24.jpg)
Coverage
25http://www.navizon.com/navizon_coverage_wifi.htm
![Page 25: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/25.jpg)
Complete Attack
26
App sends BSSID by sending Intent to the browser
Adversary controlled web-server
BSSID to GPS coordinates mapping database
Running zero-permission app monitoring /proc/net/arp
![Page 26: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/26.jpg)
Evaluation
![Page 27: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/27.jpg)
Main Ideas: Driving Route Inference
Information Leaks
![Page 28: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/28.jpg)
Speaker ON/OFF StatusAudioManager.isMusicActive
29
![Page 29: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/29.jpg)
Speaker Status Logger
30
ON
OFF
30ms10ms 10ms60ms 40ms
Fingerprint
Segment 1: Head west on W Clark St toward N
Busey AveSegment 2: Turn left onto N Goodwin
Ave
![Page 30: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/30.jpg)
Attack
31
(source S1, destination D1)
(source S3, destination D3)
(source S4, destination D4)
(source S5, destination D5)
30
10
10
60
40
70
40
50
80
30
60
10
50
40
30
10
10
60
30
10
10
90
40
30ms10ms 60ms 40ms10ms
Fingerprint(source S2, destination D2)
![Page 31: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/31.jpg)
Fingerprint DatabaseCreation of fingerprint database needs driving from source to destination
We used driving simulator to drive 1000 routesSimulator takes approx. 3 mins for 15 mins driveScale-up strategy using text-to-speech engine
32
![Page 32: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/32.jpg)
Complete Attack
35
Zero-permission app sends fingerprint using browserAdversary controlled
web-server
Zero-permission app fingerprints Navigation app audio usage
(source S1, destination D1)
(source S3, destination D3)
(source S4, destination D4)
(source S5, destination D5)
30
10
10
60
40
70
40
50
80
30
60
10
50
40
30
10
10
60
30
10
10
90
40
(source S2, destination D2)
![Page 33: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/33.jpg)
Attack Evaluation
36
Routes similar to actual routes
Correct routes
![Page 34: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/34.jpg)
Main Ideas: Identity Inference Attack
Information Leaks
![Page 35: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/35.jpg)
Per-app Traffic UsagePer-app traffic usage on Android
Intentionally provided to monitor data usage of different apps
![Page 36: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/36.jpg)
Tweet Fingerprinting
39
Tweet event580-720B Increments
Download Tweets Request
541-544B Increments
![Page 37: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/37.jpg)
Attack
40
Timestamp 1
Timestamp 2Timestamp 3
Timestamp n..
…
![Page 38: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/38.jpg)
People who tweeted at Timestamp2 ± 60s
People who tweeted at Timestamp3 ± 60s
Attack
41
Timestamp 1Timestamp 2Timestamp 3
Timestamp n..
…People who tweeted at Timestamp1 ± 60s 1
+Twitter Public Stream
![Page 39: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/39.jpg)
Attack
42
Manual analysis of approx. 4000 twitter accounts
First and last name 79%
Location 32%
Bio 21%
![Page 40: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/40.jpg)
Identity breach is serious
43
![Page 41: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/41.jpg)
Complete Attack
44
Zero-permission app sends tweet’s timestamp using browser
Adversary controlled web-server
Zero-permission app fingerprints tweet event
![Page 42: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/42.jpg)
Attack Evaluation
45
![Page 43: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/43.jpg)
Main Ideas: Health and Investment
Information Leaks
![Page 44: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/44.jpg)
Input Response Size• Fingerprint selection
actions in app with data-usage sequences of response
• Number of responses: 204 conditions -> 32 categories
• Payload size -> uniquely id all 204
![Page 45: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/45.jpg)
Evaluation and Results
Information Leaks
![Page 46: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/46.jpg)
Mitigation• Access to ARP file can be restricted using Linux
permissions• Access to audio channel API can be restricted only to
system processes when sensitive apps (e.g. navigation) is running
• Hiding per-app traffic usage is challenging
49
![Page 47: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/47.jpg)
Traffic Usage Data• Rounding
• Round reported packet sizes up or down
• Aggregation• Rounding strategy leaks individual packet payload size• Aggregated traffic can be reported e.g. hourly, daily, weekly
instead of per packet increments
51
![Page 48: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/48.jpg)
Fingerprint Mitigation✴ Naive idea: Adding a permission‣ Users do not pay attention to the permissions
‣ Developers tend to ask more permissions than needed
✴ Our approach: App’s specified policy for network traffic usage release‣ NO_ACCESS‣ ROUNDING‣ AGGREGATION‣ NO_PROTECTION
52
![Page 49: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/49.jpg)
Results• Linux design assumptions should be reevaluated for
new scenarios• Android public resources can reveal much more
than imagined by the Android designers• Mitigation can be challenging depending upon the
utility of the public resource
53
![Page 50: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/50.jpg)
Open Issues
• Lots of apps built around the current security model
• Fixing existing design must be done carefully to:
o avoid undermining basic functions of existing apps
o strike a balance between system utility and data protection
![Page 51: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/51.jpg)
and Aquifer
Accidental Data Sharing
![Page 52: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/52.jpg)
Accidental Data Sharing
• Complete sandboxing of apps not adequate.
• Key challenge is controlling the user-directed workflow between apps and preventing accidental information disclosure.
o Photo of a whiteboard containing meeting notes inadvertently uploaded to a social networking site.
o Confidential document inadvertently stored on a cloud server when viewed.
![Page 53: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/53.jpg)
Example User Workflow
![Page 54: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/54.jpg)
Data intermediary problem• User shares data (i.e. a contract) with multiple apps to
accomplish the task (i.e. signing the contract)
• From the Email app’s perspective, the other apps are intermediary and the app cannot trust them with sensitive datao For now, we are only considering accidental data
disclosure and not malicious apps
• This problem was not exposed until application separation became prevalent
![Page 55: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/55.jpg)
Aquifer Policy Restrictions
• Export Restrictionso List of apps that are allowed to send data off deviceo Ex. the Email app could only list itself for the
contract
• Required Restrictionso List of apps that are required to send data off deviceo Ex. the docuSign could be listed to ensure any data
containing a signature goes through it before being exported
![Page 56: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/56.jpg)
Aquifer app survey
• Surveyed top 50 free Android apps from 10 categories (500 apps total) to determine the need of Aquifer
Characteristic Number of Apps
Data Sources 85 (17%)
Data intermediaries 140 (28%)
Value from Export Policy 70 (14%)
Value from Regulate Policy 78 (15.6%)
![Page 57: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/57.jpg)
Open Issues
• Aquifer policy may lead to usability failures• App developers would need to consider
Aquifer policyo Ex. Notify the user when data is classified to avoid
user confusion that could lead to access control violation
![Page 58: Mobile Privacy](https://reader036.vdocuments.us/reader036/viewer/2022062521/56816956550346895de102c3/html5/thumbnails/58.jpg)
Questions?