THESE AREN’T THE DROIDS YOU’RE LOOKING FOR Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall Retrofitting Android to Protect Data from Imperious Applications SIL765 Jagjeet Singh Dhaliwal (2008CS50212) Manav Goel (2008CS50215)
These Aren’t the Droids You’re Looking For. Retrofitting Android to Protect Data from Imperious Applications. Peter Hornyack, Seungyeop Han, Jaeyeon Jung, Stuart Schechter, David Wetherall. SIL765 Jagjeet Singh Dhaliwal (2008CS50212) Manav Goel (2008CS50215). - PowerPoint PPT Presentation
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
THESE AREN’T THE DROIDS YOU’RE LOOKING FOR
Peter Hornyack, Seungyeop Han, Jaeyeon Jung,Stuart Schechter, David Wetherall
Retrofitting Android to Protect Data fromImperious Applications
Choose the control that caused least-severe side effects for each app: 33 apps (66%) had no side effects or ads absent We used profiling to choose; determining in
advance is challenging
Remember, we applied a single privacy control (one or the other) to all applications
Slightly more than half of the apps ran with limited or no side effects
Data shadowing was less disruptive than exfiltration blocking
So 34% of applications didn’t work?• These apps had four kinds of functionality that directly
conflict with our configuration (sensitive data should never leave the device):• Location broadcast (location)• Geographic search (location)• Find friends (contacts)• Cross-application gaming profiles (device ID)
When to use data shadowing• Data types such as device ID, location, phone number
• Aren’t presented directly to the user• Must be transmitted off the device
• Example application behaviors:• Device ID sent along with login information• Location collected at application launch
When to use exfiltration blocking• Data types such as contacts, SMS, calendar
• Presented to the user on the device• Don’t need to be transmitted off the device
• Example application behaviors:• Selecting a contact to send a message to• Adding reminders to calendar
Conclusion• AppFence breaks the power of the installation ultimatum• We revealed side effects by never allowing sensitive data
to leave the device• Some apps: user must choose between functionality and
privacy• Majority of apps: two privacy controls can prevent
misappropriation without side effects
Further Work• Extending the Taint sources to include compression using
Java.util.zip
• Extending Data shadowing to offer finer-granularity controls such as shadowing location with a nearby but less private place, e.g. the city center.