TaintDroid is a system that provides dynamic taint tracking and analysis for Android. It tracks privacy sensitive information like location, contacts etc. at variable, message, method and file levels with 14% overhead. Testing 30 apps found 20 shared information unexpectedly, like sending device IDs or location to ad servers. TaintDroid effectively demonstrates the need for stronger mobile privacy but has limitations like requiring OS modifications and false positives. Future work aims to reduce false positives, integrate crowdsourcing and detect privacy information leakage attempts.
4. • Addresses of websites
•URLs
•Search Terms
• Location Details
• App and Device usage
• Use of Verizon Products
• Demographic categories
•Gender
•Age
•Sports
•Frequent Diner
• Share with other companies
• Verizon will use this information for
•Business & Marketing Reports
•Making relevant mobile ads
5. • “I know where you were and what you are Sharing: Exploiting P2P Communications to Invade Users’ Privacy”
• An attacker can identify a person, their location and filesharing habits
7. • Collected children’s personal information without parental consent
• Violated COPPA
• “Unsubstantiated and deceptive”
• P2P File Sharing exposed app users’ personal information without authorization
8. • Geolocational Privacy and Surveillance Act
• Creates rules to govern the interception and disclosure of geolocation
information
• Prohibits unlawfully intercepted geolocation information from being used as evidence
9. • Require companies to tell users when location data is being collected
• Allow the users to decide whether or not to disclose this information to
third parties
11. • “With more than 58% of U.S. mobile users worried that their data can be
easily accessed by others, a privacy policy that helps establish and
maintain consumer trust is absolutely essential.”
• Create a framework for developers to use to provide clear and functional
privacy disclosures to consumers who use mobile applications.
12. Diagram labels: Policy maker; Policy; Language; Code; Guidance; Resources
13. Authors: William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel and Anmol N. Sheth.
Slide credits: William Enck, Steven Zittrower
14. • What is TaintDroid
• Why it’s Important
• Implementation
• Costs and Tradeoffs
• Results
18. • Goals: Monitor app behavior to determine when privacy sensitive
information leaves the phone
• Challenges:
• Smartphones are resource constrained
• Third-party applications are entrusted with several types of privacy sensitive
information
• Context-based privacy information is dynamic and can be difficult to identify
even when sent in the clear
• Applications can share information
19. Dynamic Taint Analysis
• Dynamic taint analysis is a technique that tracks information dependencies from an origin
• Conceptual idea:
‣ Taint source
‣ Taint propagation
‣ Taint sink
c = taint_source()
...
a = b + c
...
network_send(a)
• Limitations: performance and granularity is a trade-off
Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5
22. ‣ Patches state after native method invocation
‣ Extends tracking between applications and to storage
Figure: message-level, variable-level, method-level and file-level tracking across Application Code, Msg, Virtual Machine, Native System Libraries, Network Interface and Secondary Storage
• TaintDroid is a firmware modification, not an app
• Variables
Local variables, arguments, class static fields, class instances, and arrays
• Messages
Taint tag is upper bound of tainted variables in message
• Methods
Tracks and propagates taint for system-provided native libraries
• Files
One tag per-file, same logic as messages
24. • The authors modified the Dalvik VM interpreter to store and propagate taint tags (a taint bit-vector) on variables.
• Local variables and tags: taint tags stored adjacent to variables on the internal execution stack.
-- 32-bit bitvector with each variable
25. • Rules for passing taint markers
• α ← C : τα ← 0
• β ← α : τβ ← τα
• α′ ← α ⊗ β : τα ← τα ∪ τβ
• …
• Govern steps 3, 7 of TaintDroid Architecture
32. • Selected 30 applications with bias on popularity and access to
Internet, location, microphone, and camera
• 100 minutes, 22,594 packets, 1,130 TCP connections
• Of 105 flagged TCP connections, only 37 legitimate.
33. • 15 of the 30 applications shared physical location with an ad
server (admob.com, ad.qwapi.com, ads.mobclix.com,
data.flurry.com)
• Most traffic was plaintext (e.g., AdMob HTTP GET):
• In no case was sharing obvious to user or in EULA
• In some cases, periodic and occurred without app use
34. • 7 applications sent device ID (IMEI) and 2 apps sent phone information (Phone #, IMSI*, ICC-ID) to a remote server without informing the user.
One app’s EULA indicated the IMEI was sent
Another app sent the hash of the IMEI
• Frequency was app-specific, e.g., one app sent phone information every time the phone booted.
• Appeared to be sent to app developers ...
36. • Approach Limitations
• TaintDroid only tracks data flows (i.e. explicit flows).
• A malicious application can game TaintDroid and exfiltrate privacy sensitive information through control flow.
• Taint Source Limitations
• IMSI contains country (MCC), network (MNC) and Station (MSIN) codes. All tainted together, but heavily used in Android for configuration parameters. Likely to cause false positives.
• Network only as sink. Sensitive information can propagate back from network.
• Requires custom OS modification. No checks on native libraries
• Lack of evaluation data on power consumption
• User Interface: log is too technical and needs further inspection
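Added example (not from the slides or the TaintDroid code base): a small Python model of the tag rules on slides 24-25, run first on the source/propagation/sink sequence from slide 19 and then on a control-flow copy that shows the explicit-flow limitation on slide 36. The Tainted class, the TAINT_* bit assignments and the sample value 4207 are assumptions made for illustration.

```python
# Illustrative model only; all names and bit assignments are hypothetical.
TAINT_LOCATION = 0x1          # one bit per source type in a 32-bit tag
TAINT_IMEI = 0x2
MASK32 = 0xFFFFFFFF

class Tainted:
    """An integer value with its taint tag stored beside it."""
    def __init__(self, value, tag=0):        # constant: tag <- 0
        self.value, self.tag = value, tag & MASK32

    def __add__(self, other):                # binary op: tag <- union of tags
        other = other if isinstance(other, Tainted) else Tainted(other)
        return Tainted(self.value + other.value, self.tag | other.tag)

def taint_source(value, tag):
    """Taint source: label data where it enters from a sensitive API."""
    return Tainted(value, tag)

def network_send(data):
    """Taint sink: return the tag that would be logged (0 = nothing flagged)."""
    return data.tag

def explicit_flow():
    """The slide-19 sequence: the tag follows the data dependency to the sink."""
    c = taint_source(4207, TAINT_LOCATION)   # constructed sample value
    b = Tainted(10)                          # constant, untainted
    a = b + c                                # tag(a) = tag(b) | tag(c)
    return a, network_send(a)

def implicit_flow():
    """Copy a tainted value using only branch decisions.

    Every assignment to `copy` has constant operands, so the data-flow
    rules above never attach the source tag and the sink sees tag 0.
    """
    secret = taint_source(4207, TAINT_IMEI)
    copy = Tainted(0)
    for bit in range(16):
        if (secret.value >> bit) & 1:        # control dependence on secret
            copy = copy + Tainted(1 << bit)  # data dependence on constants only
    return copy, network_send(copy)
```

Tracking the second case requires tainting on control dependence as well, which widens the set of tagged variables and adds to the false-positive problem the slides already note.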
37. • TaintDroid provides efficient, system-wide, dynamic taint tracking and
analysis for Android
• 4 granularities of taint propagations
• Variable-level
• Message-level
• Method-level
• File-level
• 14% performance overhead on a CPU-bound microbenchmark.
• Identified 20 out of the 30 randomly selected applications to share information in a way that was not expected.
• Findings demonstrated the effectiveness and value of enhancing Mobile
Privacy on smartphone platforms.
38. • Real-time tracking, filtering and enforcement
• Eliminate or reduce false-positives through better management of
variable-level tags
• Integrated with Expert rating system (crowd sourcing)
• Detection of bypass attempts