Nitisha Desai, Sean Wang and Jiang Zhu

November 23rd, 2011

• Privacy in the news

• TaintDroid

Information Verizon collects:
• Addresses of websites
   • URLs
   • Search Terms
• Location Details
• App and Device usage
• Use of Verizon Products
• Demographic categories
   • Gender
   • Age
   • Sports
   • Frequent Diner

How it is used:
• Share with other companies
• Verizon will use this information for
   • Business & Marketing Reports
   • Making relevant mobile ads

• “I know where you were and what you are Sharing: Exploiting P2P Communications to Invade Users’ Privacy”
• An attacker can identify a person, their location and file-sharing habits

• Collected children’s personal information without parental consent
   • Violated COPPA
• “Unsubstantiated and deceptive”
• P2P File Sharing exposed app users’ personal information without authorization

• Geolocational Privacy and Surveillance Act

• Creates rules to govern the interception and disclosure of geolocation information
• Prohibits unlawfully intercepted geolocation information from being used as evidence

• Require companies to tell users when location data is being collected

• Allow the users to decide whether or not to disclose this information to
  third parties
• “With more than 58% of U.S. mobile users worried that their data can be
  easily accessed by others, a privacy policy that helps establish and
  maintain consumer trust is absolutely essential.”
• Create a framework for developers to use to provide clear and functional
  privacy disclosures to consumers who use mobile applications.
[Diagram: components of the framework: Policy maker, Policy Language, Code, Guidance, Resources]

Authors: William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel and Anmol N. Sheth.
Slide credits: William Enck, Steven Zittrower

• What is TaintDroid
• Why it’s Important
• Implementation
• Costs and Tradeoffs
• Results

GPS/Location Data

Camera/Photos/Microphone

Contacts

SMS Messages

SIM Identifiers (IMSI, ICC-ID, IMEI)

• Goals: Monitor app behavior to determine when privacy-sensitive information leaves the phone
• Challenges:
   • Smartphones are resource constrained
   • Third-party applications are entrusted with several types of privacy-sensitive information
   • Context-based privacy information is dynamic and can be difficult to identify even when sent in the clear
   • Applications can share information

Dynamic Taint Analysis
• Dynamic taint analysis is a technique that tracks information dependencies from an origin.
• Conceptual idea:
   ‣ Taint source
   ‣ Taint propagation
   ‣ Taint sink

      c = taint_source()
      ...
      a = b + c
      ...
      network_send(a)

• Limitations: performance and granularity is a trade-off
Slide credit: Systems and Internet Infrastructure Security Laboratory (SIIS)

[Figure: TaintDroid architecture map, courtesy of “TaintDroid: An Information-Flow…”. Userspace: a trusted application (taint source, step 1) and an untrusted application (taint sink, step 9), each running interpreted code on a Dalvik VM interpreter with its own taint map (steps 2 and 3 on the trusted side, 6 and 7 on the untrusted side); a trusted library on the untrusted side (step 8); a Binder IPC library with a Binder hook in each process (step 4). Kernel: the Binder kernel module (step 5).]

‣ Patches state after native method invocation
‣ Extends tracking between applications and to storage

[Figure: the four tracking granularities. Variable-level tracking inside each application's code and virtual machine; message-level tracking on messages passed between applications; method-level tracking at the native system libraries; file-level tracking at secondary storage. The network interface also appears in the figure.]

• Variables
        Local variables, arguments, class static fields, class instances, and arrays
• Messages
        Taint tag is upper bound of tainted variables in message
• Methods
        Tracks and propagates system provided native libraries
• Files
        One tag per file, same logic as messages
• TaintDroid is a firmware modification, not an app

Sources:
• Low-bandwidth sensors
• High-bandwidth sensors
• Information databases
• Device identifiers

Sinks:
• Network calls
• File-system writes

• The authors modified the Dalvik VM interpreter to store and propagate taint tags (a taint bit-vector) on variables.
• Local variables and tags: taint tags are stored adjacent to variables on the internal execution stack.
   -- 32-bit bit-vector with each variable

• Rules for passing taint markers
   • α ← C : τα ← 0
   • β ← α : τβ ← τα
   • α′ ← α ⊗ β : τα′ ← τα ∪ τβ
   • …
• Govern steps 3, 7 of the TaintDroid Architecture

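To make the propagation rules on this slide and the variable/message/file granularities on the earlier tracking slide concrete, here is an added toy tracker (example code written for this page, not TaintDroid's own). The taint bit assignments, variable names and file path are constructed for the example.

```python
# Toy variable-level taint tracker modelled on the rules on this slide. Variables
# carry (value, tag); tags are 32-bit bit-vectors with one bit per source (the
# bit assignments below are constructed for the example, not TaintDroid's own).
TAINT_LOCATION, TAINT_IMEI = 1 << 0, 1 << 1


class TaintVM:
    def __init__(self):
        self.vars = {}       # name -> (value, tag), like tag-adjacent stack slots
        self.files = {}      # path -> (content, tag): one tag per file
        self.flagged = []    # tags observed at the network sink

    def const(self, dst, value):            # a <- C        : tau_a <- 0
        self.vars[dst] = (value, 0)

    def source(self, dst, value, tag):      # taint source sets its bit(s)
        self.vars[dst] = (value, tag & 0xFFFFFFFF)

    def move(self, dst, src):               # b <- a        : tau_b <- tau_a
        self.vars[dst] = self.vars[src]

    def binop(self, dst, a, b, op):         # a' <- a (x) b : tau_a' <- tau_a | tau_b
        (x, tx), (y, ty) = self.vars[a], self.vars[b]
        self.vars[dst] = (op(x, y), tx | ty)

    def message(self, *names):              # message tag = union of member tags
        tag = 0
        for n in names:
            tag |= self.vars[n][1]
        return {"payload": [self.vars[n][0] for n in names], "tag": tag}

    def file_write(self, path, name):       # file-level: one tag per file
        self.files[path] = self.vars[name]

    def file_read(self, dst, path):
        self.vars[dst] = self.files[path]

    def network_send(self, msg):            # taint sink: flag tainted messages
        if msg["tag"]:
            self.flagged.append(msg["tag"])
        return bool(msg["tag"])


def explicit_flow():
    """Location and IMEI reach the network via arithmetic, a copy and a file."""
    vm = TaintVM()
    vm.source("lat", 40.44, TAINT_LOCATION)
    vm.source("imei", "IMEI-CONSTRUCTED", TAINT_IMEI)
    vm.const("offset", 0.01)
    vm.binop("lat2", "lat", "offset", lambda p, q: p + q)
    vm.move("lat3", "lat2")
    vm.file_write("/cache/id.txt", "imei")
    vm.file_read("id_copy", "/cache/id.txt")
    msg = vm.message("lat3", "id_copy")
    vm.network_send(msg)
    return msg["tag"]                       # TAINT_LOCATION | TAINT_IMEI == 3


def implicit_flow():
    """Limitation from the slides: a value picked by branching on tainted data
    is built from constants, so its tag is 0 and the sink is not flagged."""
    vm = TaintVM()
    vm.source("secret", 1, TAINT_IMEI)
    vm.const("out", 1 if vm.vars["secret"][0] == 1 else 0)
    msg = vm.message("out")
    return msg["tag"], vm.network_send(msg)  # (0, False): a false negative
```

The second function shows the explicit-flow-only limitation listed later in the deck: the same secret reaches the sink, but through control flow rather than data flow, so no tag follows it.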
• 14% overall overhead. Smallest for arithmetic and logic operations;
  greatest for string operations
• 4.4% memory overhead
[Chart: Android vs TaintDroid]
                         Android     TaintDroid
App Load Time            8.58 ms     10.89 ms
Address Book (create)    21.06 MB    21.88 MB
Address Book (read)      18.92 MB    19.48 MB

27% slower app load; 3.5% more memory

[Chart: TaintDroid overhead per operation (Android : TaintDroid, in ms)]
App Load Time           63 : 65
Address Book (create)   348 : 367
Address Book (read)     101 : 119
Phone Call              96 : 106
Take Picture            1718 : 2216

• Selected 30 applications with bias on popularity and access to Internet, location, microphone, and camera
   • 100 minutes, 22,594 packets, 1,130 TCP connections

• Of 105 flagged TCP connections, only 37 legitimate.

• 15 of the 30 applications shared physical location with an ad server (admob.com, ad.qwapi.com, ads.mobclix.com, data.flurry.com)
• Most traffic was plaintext (e.g., AdMob HTTP GET):

• In no case was sharing obvious to the user or in the EULA
   • In some cases, periodic and occurred without app use

• 7 applications sent the device identifier (IMEI) and 2 apps sent phone information (Phone #, IMSI*, ICC-ID) to a remote server without informing the user.
   One app’s EULA indicated the IMEI was sent
   Another app sent the hash of the IMEI

• Frequency was app-specific, e.g., one app sent phone information every time the phone booted.
• Appeared to be sent to app developers ...

• Approach Limitations
   • TaintDroid only tracks data flows (i.e., explicit flows).
   • A malicious application can game TaintDroid and exfiltrate privacy-sensitive information through control flow.

• Taint Source Limitations
   • IMSI contains country (MCC), network (MNC) and station (MSIN) codes. All are tainted together, but the IMSI is heavily used in Android for configuration parameters. Likely to cause false positives.
   • Network only as sink. Sensitive information can propagate back from the network.

• Requires custom OS modification. No checks on native libraries.

• Lack of evaluation data on power consumption

• User Interface: log is too technical and needs further inspection

• TaintDroid provides efficient, system-wide, dynamic taint tracking and analysis for Android
• 4 granularities of taint propagation
   • Variable-level
   • Message-level
   • Method-level
   • File-level

• 14% performance overhead on a CPU-bound microbenchmark.

• Identified 20 out of the 30 randomly selected applications as sharing information in a way that was not expected.
• Findings demonstrated the effectiveness and value of enhancing mobile privacy on smartphone platforms.

• Real-time tracking, filtering and enforcement

• Eliminate or reduce false-positives through better management of
  variable-level tags
• Integrated with Expert rating system (crowd sourcing)

• Detection of bypass attempts
• http://appanalysis.org/demo/TaintDroid_controller.swf
nitisha@cmu.edu
sean.wang@sv.cmu.edu
jiang.zhu@sv.cmu.edu
Thank you.
