APEFS and Information-flow Analysis for Privacy in Android
Droidcon 2013 - Berlin
Julia Dauwe, Simon Meurer & Roland Wismüller
University of Siegen, Operating Systems and Distributed Systems
julia.dauwe@uni-siegen.de
Background
► Google Play
► Centralized software platform
► About 800,000 apps in different categories
► Search for apps → find one → get information about its permissions
► What does a permission mean?
► Apps run in sandboxes
► Apps declare permissions to use advanced features
► The user must accept all presented permissions to install the app
Hypothesis
► Permissions are only “irrelevant facts” that the user accepts once they have finally found “the right” app
► Why do we think so?
► 2 live wallpapers requesting many/all permissions
► 6,660 downloads in 6 months
► No complaints about the requested permissions
► Own statistics
Statistics
► Statistics created with Apptistic (project at University of Siegen)
► Apptistic analyzed ca. 250,000 apps from Google Play
► Example 1:
► Filter:
► Requested permissions: Network & personal data
► Free / name contains “Wallpaper”
► Example 2:
► Requested permissions: Network & personal data
► Paid / category “Games and Entertainment”
Statistics
► Example 1
► 1,255 free Android wallpaper apps request both network access and personal-data permissions; 48 of them also request “phone calls”
Statistics
► By the way ...
Statistics
► Example 2
► 884 paid game apps request network access and personal-data permissions
► 69 of them are in the Top 100 Paid
Reasons
► Granularity of permissions
► Users and developers do not understand the meaning of permissions (e.g. the “System tools” or “Storage” permissions)
► No colour-coded labels or similar help to classify the possible dangerousness quickly
► Usage flow: 1. Searching → 2. Finding → 3. Security
Idea: APEFS
► Android PErmission Filter System
► New usage flow: Security → Searching → Finding
► Security is defined by a predefined filter
► Apps that do not fit the security level are filtered out
► Gives permissions more weight: they are no longer just another item to accept
► Uses the infrastructure provided by Google
► Basic idea: parse the Play Store web pages for permissions
APEFS – App
► Let the user define their own security level
► Filter out apps requesting these permission groups:
► Charged Services
► Location, Personal Information
► Internet & Network
► SMS & MMS, Phone Calls
► System Tools, SD-Card & Phone-Storage, Hardware
► Miscellaneous
► Chart search
► Apps and Games / Top Free, Top Paid, Top New Free ...
► Advanced app search
► Search for a specific app
► Check the apps installed on the device for their permissions
APEFS – Overview
► APEFS uses the Play Store website data for permission information
► App installation is done by the Google Play app
► Open Google Play on a specific app via an Intent:

// open the Play Store entry of the package (com.test is the slide's placeholder id)
startActivity(new Intent(Intent.ACTION_VIEW)
        .setData(Uri.parse("market://details?id=com.test")));

► The user is taken to the regular store page
► Download / installation
► Description & screenshots
► Comments ...
APEFS – App – Search
► 1. Request the charts / search page from the Play Store website
► 2. Result page (24 apps)
► 3. Parse it for package ids
► 4. Request the detail pages based on the ids
► 5. Detail pages
► 6. Parse them for permissions
► 7. Filter the results
APEFS – HTML-Parsing
► 1. Parsing App overview page (24 Apps)
► 2. Parsing detail pages of each app
APEFS – HTML-Parsing
► Parsing using a library (e.g. JSOUP)
► Less error-prone
► Computationally intensive
► Parsing with regular expressions
► Error-prone
► 452 ms faster (per detail page) than using JSOUP!

import java.util.regex.Matcher;
import java.util.regex.Pattern;

String htmlString = fetchHtml(url);
// match every permission description on the detail page (2013 Play Store markup);
// DOTALL lets a description span line breaks
Pattern exp = Pattern.compile(
        "<div class\\s*=\\s*\"doc-permission-description\">(.*?)</div>",
        Pattern.DOTALL);
Matcher m = exp.matcher(htmlString);
while (m.find()) {
    String permissionName = m.group(1);
    /* process the permission */
}
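The whole search flow of the previous slides (result page → package ids → detail pages → permissions → filter against the user's security level) run offline, as an added example; this is not the APEFS app's Java code. The result page, the detail pages and the description-to-group mapping are constructed here and mimic the 2013-era markup the slides' regex targets (`<div class="doc-permission-description">`); the current Play Store markup differs, so the patterns are illustrative.

```python
"""APEFS-style permission filter over constructed Play Store pages (added example)."""
import re

# Constructed search-result page: package ids appear in details?id= links
RESULT_PAGE = """
<ul>
 <li><a href="/store/apps/details?id=com.example.wallpaper.sunset">Sunset Wallpaper</a></li>
 <li><a href="/store/apps/details?id=com.example.wallpaper.ocean">Ocean Wallpaper</a></li>
 <li><a href="/store/apps/details?id=com.example.game.puzzle">Puzzle</a></li>
 <li><a href="/store/apps/details?id=com.example.game.puzzle">Puzzle (duplicate link)</a></li>
</ul>
"""

# Constructed detail pages keyed by package id (one even writes `class = "..."`)
DETAIL_PAGES = {
    "com.example.wallpaper.sunset": """
      <div class="doc-permission-group"><div class="doc-permission-description">full Internet access</div>
      <div class = "doc-permission-description">read contact data</div>
      <div class="doc-permission-description">directly call phone numbers</div></div>""",
    "com.example.wallpaper.ocean": """
      <div class="doc-permission-description">full Internet access</div>""",
    "com.example.game.puzzle": """
      <div class="doc-permission-description">modify/delete SD card contents</div>""",
}

PACKAGE_ID_RE = re.compile(r'details\?id=([A-Za-z0-9_.]+)')
# The slides' regular expression with its escapes restored; re.S so a description may span lines
PERMISSION_RE = re.compile(r'<div class\s*=\s*"doc-permission-description">(.*?)</div>', re.S)

# Description text -> APEFS permission group (assumed mapping, a few entries only)
GROUP_OF = {
    "full internet access": "Internet & Network",
    "read contact data": "Location, Personal Information",
    "directly call phone numbers": "SMS & MMS, Phone Calls",
    "send sms messages": "SMS & MMS, Phone Calls",
    "modify/delete sd card contents": "System Tools, SD-Card & Phone-Storage, Hardware",
}


def parse_package_ids(html):
    """Step 3: package ids from the result page, in page order, without duplicates."""
    seen, ids = set(), []
    for pid in PACKAGE_ID_RE.findall(html):
        if pid not in seen:
            seen.add(pid)
            ids.append(pid)
    return ids


def parse_permissions(html):
    """Step 6: permission descriptions of one detail page, normalised."""
    return [m.strip().lower() for m in PERMISSION_RE.findall(html)]


def permission_groups(descriptions):
    """Map descriptions to groups. An unknown description falls into 'Miscellaneous'
    so that a permission the table does not know is never silently allowed."""
    return {GROUP_OF.get(d, "Miscellaneous") for d in descriptions}


def apefs_filter(result_html, fetch_detail, blocked_groups):
    """Step 7: keep only apps that request none of the blocked groups.
    fetch_detail(pid) returns the detail page HTML (here: a dict lookup).
    Returns (accepted ids, {rejected id: sorted offending groups})."""
    accepted, rejected = [], {}
    for pid in parse_package_ids(result_html):
        hit = permission_groups(parse_permissions(fetch_detail(pid))) & set(blocked_groups)
        if hit:
            rejected[pid] = sorted(hit)
        else:
            accepted.append(pid)
    return accepted, rejected


if __name__ == "__main__":
    # A user's security level: block network, personal data and phone-call groups
    level = {"Internet & Network", "Location, Personal Information", "SMS & MMS, Phone Calls"}
    ok, bad = apefs_filter(RESULT_PAGE, DETAIL_PAGES.__getitem__, level)
    print("accepted:", ok)
    print("rejected:", bad)
```

The non-greedy `(.*?)</div>` stops at the first closing `div`, so any element nested inside a description truncates the match; that is the "error-prone" side of the regex approach the slide names, and the reason unknown or truncated descriptions are mapped to "Miscellaneous" rather than dropped.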
APEFS – App
► App Search & Installation
APEFS – Lessons Learned
► More than 20,000 downloads in less than 3 months
► Mixed feedback:
► Accepted as a good helper tool
► Users start to question requested permissions
► But also:
► Misunderstanding of the idea – APEFS is not an anti-virus tool (not yet)
► Using the feedback for future work
► e.g. adding a blacklist or, if applicable, collaboration with a detector tool
App analysis
► Filter apps by permissions: ✓
► Filter apps by “what they actually do”: current research
► Motivation:
► An app requests private-data and network permissions
► Suspicion: the app sends private data to the internet
► APEFS: decision based only on permissions
► Information-flow analysis
► Define sensitive data (secrets) and detect leaks
► Prove whether a secret can possibly reach a leak
Information-flow analysis
► A special type of data-flow analysis
► Determine possible flows from defined sources to output channels
[Figure: sources (ID, Contacts, Mails, ...) → APP → output channels (Internet, SMS, Bluetooth, ...)]
Information-flow Analysis
► Using Soot: a Java optimization framework
► Supports interprocedural data-flow analysis with pointer analysis (SPARK & PADDLE)
► Works on
► Java bytecode directly
► its own internal representations (Jimple, Shimple, ...)
► Jimple: typed three-address representation
► Soot & Android
► .apk files can be translated to Jimple using Dexpler (now integrated in Soot)
Control flow graph
► 1. Use Soot to build a call graph with all methods called by the program
► (current work: library and system calls are not followed)
► 2. Create a control-flow graph for each method

import soot.Body;
import soot.Unit;
import soot.toolkits.graph.ExceptionalUnitGraph;
import soot.toolkits.graph.UnitGraph;

// build the CFG of one method body (edges include exceptional control flow)
UnitGraph graph = new ExceptionalUnitGraph(body);
// visit every unit (statement) inside this graph ...
for (Unit statement : graph) { … }
Information-flow Analysis
► 3. Define the sets that make up the transfer function
► for each code block B and variable v:
► Gen(B) – B possibly stores critical information in v
► Kill(B) – B definitely does not store critical information in v
► Copy(B) – B possibly copies critical information from another variable x to v
► Leak(B) – B possibly leaks v
► for each method M of program P and variable v:
► Gen(M) – there exists a path inside M on which sensitive information is stored in v
► Kill(M), Copy(M), Leak(M) – analogously
Information-flow Analysis
► 4. Define transfer functions for the critical set and the leak set
► Forward flow analysis to find critical data
► Backward flow analysis to find leaks
► 5. Intersect critical_in and leak_out
→ If the intersection is not empty, some data is leaked!
Points-to Sets
► Points-to sets (PTS) are used as an addition to the first analysis
► Try to find pointer targets and check them for critical data
► We define the PTS of a variable v as:
► PTS(v) = the set of all objects v could possibly point to
► Therefore we need new definitions of the sets and transfer functions that include PTS
► Points-to analysis in Soot with the help of SPARK and Paddle

// after SPARK has been enabled (setSparkPointsToAnalysis()) and the call-graph pack has run:
soot.PointsToAnalysis pta = Scene.v().getPointsToAnalysis();
PointsToSet pts1 = pta.reachingObjects(local);   // all objects `local` may point to

Problem: the analysis using points-to sets takes much more time ...
Information-flow Analysis - Problems
► Problem of static analysis:
► Very conservative
► May result in many false positives
► Reports a leak of information where there is none
► Idea: runtime assertions
► After compiling, the developer can check where flows are detected
► The developer can use assertions to state that there is no flow
► The assertion is checked at run time
► If it is not fulfilled → the app is terminated
Runtime Assertions - Example
String s = "Test";
if (x > 0) {
    s = getSecret();   // s may now hold a secret
}
if (y < 0) {
    leak(s);           // output channel
}
The secret is leaked if x > 0 and y < 0!
Analysis result: secret is leaked!

APEFS.assert(!(x > 0 && y < 0));   // rules out the only leaking path; checked at run time
The secret cannot be leaked
Analysis result: no secret leaked!
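Steps 1 to 5 of the analysis (Gen/Kill/Copy/Leak sets, forward "critical" pass, backward "leak" pass, intersection) and the runtime-assertion example above, carried through in one added example. It is not the authors' Soot-based implementation: the method is a small hand-built CFG over a constructed mini-IR instead of Jimple, the assertion is placed at method entry, and path feasibility is decided by brute force over a small integer domain instead of a constraint solver (both assumptions; the free variables x and y are never assigned by the program).

```python
"""Toy information-flow analysis in the style of the slides (added example)."""
from itertools import product

# Constructed mini-IR (not Jimple):
#   ("const", v)           v = literal         Kill = {v}
#   ("secret", v)          v = getSecret()     Gen  = {v}
#   ("copy", v, x)         v = x               Kill = {v}, Copy = {(v, x)}
#   ("leak", v)            leak(v)             Leak = {v}
#   ("branch", text, fn)   if fn(env): succs[0] else succs[1]
#   ("assert", text, fn)   APEFS.assert(fn(env)); the app terminates if false
#   ("nop",)
# Conditions read only the free variables (x, y), which the program never assigns.


def transfer_forward(stmt, crit_in):
    """critical_out = (critical_in - Kill) | Gen | {v : (v, x) in Copy, x in critical_in}."""
    kind, out = stmt[0], set(crit_in)
    if kind == "const":
        out.discard(stmt[1])
    elif kind == "secret":
        out.add(stmt[1])
    elif kind == "copy":
        out.discard(stmt[1])
        if stmt[2] in crit_in:
            out.add(stmt[1])
    return out


def transfer_backward(stmt, leak_out):
    """leak_in = (leak_out - defs(B)) | Leak | {x : (v, x) in Copy, v in leak_out}."""
    kind, inn = stmt[0], set(leak_out)
    if kind in ("const", "secret", "copy"):
        inn.discard(stmt[1])
    if kind == "copy" and stmt[1] in leak_out:
        inn.add(stmt[2])
    if kind == "leak":
        inn.add(stmt[1])
    return inn


def analyse(cfg):
    """cfg: {node: (stmt, [successors])}. Returns (critical_in, leak_in) per node,
    each computed to a fixpoint (forward may-analysis, backward may-analysis)."""
    preds = {n: [] for n in cfg}
    for n, (_, succs) in cfg.items():
        for s in succs:
            preds[s].append(n)
    crit_in, changed = {n: set() for n in cfg}, True
    while changed:
        changed = False
        for n in cfg:
            new = set().union(*(transfer_forward(cfg[p][0], crit_in[p]) for p in preds[n]))
            if new != crit_in[n]:
                crit_in[n], changed = new, True
    leak_in, changed = {n: set() for n in cfg}, True
    while changed:
        changed = False
        for n, (stmt, succs) in cfg.items():
            new = transfer_backward(stmt, set().union(*(leak_in[s] for s in succs)))
            if new != leak_in[n]:
                leak_in[n], changed = new, True
    return crit_in, leak_in


def static_leaks(cfg):
    """Step 5: nodes at which the critical set and the leak set intersect."""
    crit_in, leak_in = analyse(cfg)
    return {n: crit_in[n] & leak_in[n] for n in cfg if crit_in[n] & leak_in[n]}


def path_leaks(cfg, entry, free_vars, domain=range(-2, 3)):
    """Path-sensitive re-check: replay the forward transfer along every simple path
    and keep leak(v) only if v is critical there AND all branch/assert conditions
    on the path can hold at once for some assignment of free_vars in `domain`."""
    def feasible(conds):
        return any(all(c(dict(zip(free_vars, vals))) for c in conds)
                   for vals in product(domain, repeat=len(free_vars)))
    found = set()

    def walk(n, visited, crit, conds):
        stmt, succs = cfg[n]
        if stmt[0] == "leak" and stmt[1] in crit and feasible(conds):
            found.add(n)
        crit = transfer_forward(stmt, crit)
        if stmt[0] == "assert":
            conds = conds + [stmt[2]]
        for i, s in enumerate(succs):
            if s in visited:                      # simple paths only (loops not unrolled)
                continue
            c = conds
            if stmt[0] == "branch":
                c = conds + [stmt[2] if i == 0 else (lambda e, f=stmt[2]: not f(e))]
            walk(s, visited | {s}, crit, c)
    walk(entry, {entry}, set(), [])
    return sorted(found)


def slide_program(with_assertion):
    """The slide's program: s = "Test"; if (x > 0) s = getSecret(); if (y < 0) leak(s);"""
    cfg = {
        "n0": (("const", "s"), ["n1"]),
        "n1": (("branch", "x > 0", lambda e: e["x"] > 0), ["n2", "n3"]),
        "n2": (("secret", "s"), ["n3"]),
        "n3": (("branch", "y < 0", lambda e: e["y"] < 0), ["n4", "n5"]),
        "n4": (("leak", "s"), ["n5"]),
        "n5": (("nop",), []),
    }
    if not with_assertion:
        return cfg, "n0"
    cfg["nA"] = (("assert", "!(x > 0 && y < 0)",
                  lambda e: not (e["x"] > 0 and e["y"] < 0)), ["n0"])
    return cfg, "nA"


if __name__ == "__main__":
    for flag in (False, True):
        cfg, entry = slide_program(flag)
        print("with assertion" if flag else "no assertion", "| static:", static_leaks(cfg),
              "| per path:", path_leaks(cfg, entry, ["x", "y"]))
```

The path-insensitive passes report the leak at `leak(s)` (and at the branch before it) with or without the assertion, which is the conservative result the slide calls a false positive; only the per-path re-check, which treats `APEFS.assert(...)` as a constraint on the path, sees that no feasible path carries the secret to the leak once the assertion is present.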
Connection of Analysis to APEFS
► Extend the security level
► Sensitive data and permissible flows
► Problem: the analysis is only possible on the .apk package (APEFS only sees the Play Store web pages)
► Two ways to realize it:
► Create our own market
► Easy access to the packages
► Problem of acceptance
► Apps specify their flows in accessible metadata
► Published through self-defined permissions
► Problem: no guarantee that the metadata is correct
► Digital signature or analysis on the device
Conclusion and future work
► APEFS:
► Filter Android apps by permissions / security level
► Based on Google's infrastructure
► New usage flow: Security → Searching → Finding
► Limitation: filters only by permissions
► Information-flow analysis
► Determine flows of information to possible leaks
► Including points-to analysis
► Reduce false positives with e.g. runtime assertions
► Try to speed up the analysis