A Lightweight Dynamic Enforcement of Privacy Protection for Android

Zi-Peng Zhang; Ming Fu; Xin-Yu Feng

doi:10.1007/s11390-019-1949-1

AI Chat Paper

Note: Please note that the following content is generated by AMiner AI. SciOpen does not take any responsibility related to this content.

Chat more with AI

| Sign up

Browse by Subject

Search for peer-reviewed journals with full access.

Journals A - Z

About Us

Discover the SciOpen Platform and Achieve Your Research Goals with Ease.

About Us

Publish with Us

Support

Search articles, authors, keywords, DOl and etc.

Published Date

Reset Search

{{expandStatus?'Exit ':''}}Advanced Search

Journals A - Z

About Us

Publish with Us

Support

Article Link

Cite

EndNote(RIS) BibTeX

Collect

Submit Manuscript

Show Outline

Outline

Show full outline

Hide outline

Outline

Show full outline

Hide outline

Regular Paper

A Lightweight Dynamic Enforcement of Privacy Protection for Android

Zi-Peng Zhang^¹, Ming Fu^², Xin-Yu Feng^³(

)

School of Computer Science and Technology, University of Science and Technology of China, Hefei 230026, China

OS Kernel Laboratory, Huawei Technologies Co., Ltd., Shanghai 200135, China

State Key Laboratory for Novel Software Technology, Nanjing University, Nanjing 210023, China

Show Author Information

Abstract

Inter-process communication (IPC) provides a message passing mechanism for information exchange between applications. It has been long believed that IPCs can be abused by malware writers to launch collusive information leak using two or more applications. Much work on privacy protection focuses on the simple information leak caused by the individual applications and lacks effective approaches to preventing the collusive information leak caused by IPCs between multiple processes. In this paper, we propose a hybrid approach to prevent the collusive information leak based on information flow control. Our approach combines static information flow analysis and dynamic runtime checking together. Information leak caused by individual processes is prevented through static information flow control, and dynamic checking is done at runtime to prevent the collusive information leak. Such a combination may effectively reduce the runtime overhead of pure dynamic checking, and reduce false-alarms in pure static analysis. We develop this approach based on an abstract and simplified programming model, and formalize a novel definition of the leak-freedom property as our target security property. A simulation-based proof technique is used to prove that our approach is able to guarantee leak-freedom. All proofs are mechanized in Coq.

Keywords

privacy protection dynamic runtime checking static information flow control Android verification

Electronic Supplementary Material

Download File(s)

jcst-34-4-901-Highlights.pdf (45.5 KB)

References

[1]

Arzt S, Rasthofer S, Fritz C, Bodden E, Bartel A, Klein J, le Traon Y, Octeau D, McDaniel P. FlowDroid: Precise context, flow, field, object-sensitive and lifecycle-aware taint analysis for Android apps. In Proc. the 35th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2014, pp.259-269.

Crossref

[2]

Enck W, Gilbert P, Chun B G, Cox L P, Jung J, McDaniel P, Sheth A N. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones. In Proc. the 9th USENIX Conference on Operating Systems Design and Implementation, October 2010, pp.393-407.

[3]

Gibler C, Crussell J, Erickson J, Chen H. AndroidLeaks: Automatically detecting potential privacy leaks in Android applications on a large scale. In Proc. the 5th International Conference on Trust and Trustworthy Computing, June 2012, pp.291-307.

Crossref

[4]

Sakamoto S, Okuda K, Nakatsuka R, Yamauchi T. Droid-Track: Tracking information diffusion and preventing information leakage on Android. In Proc. the 2013 Multimedia and Ubiquitous Engineering, May 2013, pp.243-251.

Crossref

[5]

Sun M, Wei T, Lui J C S. TaintART: A practical multilevel information-flow tracking system for Android runtime. In Proc. the 2016 ACM SIGSAC Conference on Computer and Communications Security, October 2016, pp.331-342.

Crossref

[6]

Xia M, Gong L, Lyu Y, Qi Z, Liu X. Effective real-time Android application auditing. In Proc. the 2015 IEEE Symposium on Security and Privacy, May 2015, pp.899-914.

Crossref

[7]

Yang Z, Yang M, Zhang Y, Gu G, Ning P, Wang X S. AppIntent: Analyzing sensitive data transmission in Android for privacy leakage detection. In Proc. the 2013 ACM SIGSAC Conference on Computer and Communications Security, November 2013, pp.1043-1054.

Crossref

[8]

Zhao Z, Colon O F C. “TrustDroid^TM”: Preventing the use of SmartPhones for information leaking in corporate networks through the used of static analysis taint tracking. In Proc. the 7th International Conference on Malicious and Unwanted Software, October 2012, pp.135-143.

Crossref

[9]

Octeau D, McDaniel P, Jha S, Bartel A, Bodden E, Klein J, le Traon Y. Effective inter-component communication mapping in Android with Epicc: An essential step towards holistic security analysis. In Proc. the 22nd USENIX Conference on Security, August 2013, pp.543-558.

[10]

Volpano D M, Smith G. Probabilistic noninterference in a concurrent language. In Proc. the 11th IEEE Computer Security Foundations Workshop, June 1998, pp.34-43.

[11]

Smith G, Volpano D M. Secure information flow in a multi-threaded imperative language. In Proc. the 25th ACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 1998, pp.355-364.

Crossref

[12]

Sabelfeld A, Sands D. Probabilistic noninterference for multi-threaded programs. In Proc. the 13th IEEE Computer Security Foundations Workshop, July 2000, pp.200-214.

[13]

Zdancewic S, Myers A C. Observational determinism for concurrent program security. In Proc. the 16th IEEE Computer Security Foundations Workshop, June 2003, pp.29-43.

[14]

Mantel H, Sudbrock H. Flexible scheduler-independent security. In Proc. the 15th European Symposium on Research in Computer Security, September 2010, pp.116-133.

Crossref

[15]

Mantel H, Sands D, Sudbrock H. Assumptions and guarantees for compositional noninterference. In Proc. the 24th IEEE Computer Security Foundations Symposium, June 2011, pp.218-232.

Crossref

[16]

Goguen J A, Meseguer J. Security policies and security models. In Proc. the 1982 IEEE Symposium on Security and Privacy, April 1982, pp.11-20.

Crossref

[17]

Goguen J A, Meseguer J. Unwinding and inference control. In Proc. the 1984 IEEE Symposium on Security and Privacy, April 1984, pp.75-87.

Crossref

[18]

Liang H, Feng X, Fu M. A rely-guarantee-based simulation for verifying concurrent program transformations. In Proc. the 39th ACMSIGPLAN-SIGACT Symposium on Principles of Programming Languages, January 2012, pp.455-468.

Crossref

[19]

Liang H, Feng X. Modular verification of linearizability with non-fixed linearization points. In Proc. the 2013 ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2013, pp.459-470.

Crossref

[20]

Zhang Z, Feng X. AndroidLeaker: A hybrid checker for collusive leak in Android applications. In Proc. the 3rd International Symposium on Dependable Software Engineering Theories, Tools, and Applications, October 2017, pp.164-180.

Crossref

[21]

Xiao X, Tillmann N, Fähndrich M, de Halleux J, Moskal M. User-aware privacy control via extended static-information-flow analysis. In Proc. the 2012 IEEE/ACM International Conference on Automated Software Engineering, September 2012, pp.80-89.

Crossref

[22]

Mann C, Starostin A. A framework for static detection of privacy leaks in Android applications. In Proc. the 27th Annual ACM Symposium on Applied Computing, March 2012, pp.1457-1462.

Crossref

[23]

Kim J, Yoon Y, Yi K, Shin J. ScanDal: Static analyzer for detecting privacy leaks in Android applications. In Proc. the 2012 Mobile Security Technologies, May 2012.

[24]

Lu L, Li Z, Wu Z, Lee W, Jiang G. CHEX: Statically vetting Android apps for component hijacking vulnerabilities. In Proc. the 2012 ACM Conference on Computer and Communications Security, October 2012, pp.229-240.

Crossref

[25]

Xu R, Saïdi H, Anderson R. Aurasium: Practical policy enforcement for Android applications. In Proc. the 21st USENIX Conference on Security Symposium, August 2012, pp.539-552.

[26]

Yang Z, Yang M. LeakMiner: Detect information leakage on Android with static taint analysis. In Proc. the 3rd World Congress on Software Engineering, November 2012, pp.101-104.

Crossref

[27]

Chin E, Felt A P, Greenwood K, Wagner D. Analyzing inter-application communication in Android. In Proc. the 9th International Conference on Mobile Systems, Applications, and Services, June 2011, pp. 239-252.

Crossref

[28]

Nadkarni A, Enck W. Preventing accidental data disclosure in modern operating systems. In Proc. the 2013 ACM Conference on Computer and Communications Security, November 2013, pp.1029-1042.

Crossref

[29]

Felt A P, Wang H J, Moshchuk A, Hanna S, Chin E. Permission re-delegation: Attacks and defenses. In Proc. the 20th USENIX Conference on Security, August 2011, Article No. 22.

[30]

Chaudhuri A. Language-based security on Android. In Proc. the 2009 Workshop on Programming Languages and Analysis for Security, June 2009, pp.1-7.

Crossref

[31]

Russo A, Sabelfeld A. Securing interaction between threads and the scheduler. In Proc. the 19th IEEE Computer Security Foundations Workshop, July 2006, pp.177-189.

[32]

Russo A, Sabelfeld A. Securing interaction between threads and the scheduler in the presence of synchronization. The Journal of Logic and Algebraic Programming, 2009, 78(7): 593-618.

Crossref Google Scholar

[33]

Askarov A, Chong S, Mantel H. Hybrid monitors for concurrent noninterference. In Proc. the 28th IEEE Computer Security Foundations Symposium, July 2015, pp.137-151.

Crossref

[34]

Russo A, Sabelfeld A. Security for multithreaded programs under cooperative scheduling. In Proc. the 6th International Andrei Ershov Memorial Conference on Perspectives of Systems Informatics, June 2006, pp.474-480.

Crossref

[35]

Costanzo D, Shao Z, Gu R. End-to-end verification of information-flow security for C and assembly programs. In Proc. the 37th ACM SIGPLAN Conference on Programming Language Design and Implementation, June 2016, pp.648-664.

Crossref

Journal of Computer Science and Technology

Volume 34 Issue 4,
July 2019

Pages 901-923

DOI: 10.1007/s11390-019-1949-1

Cite this article:

Zhang Z-P, Fu M, Feng X-Y. A Lightweight Dynamic Enforcement of Privacy Protection for Android. Journal of Computer Science and Technology, 2019, 34(4): 901-923. https://doi.org/10.1007/s11390-019-1949-1

306

Views

Crossref

N/A

Web of Science

Scopus

CSCD

Google Scholar
Citation

Altmetrics

Received: 29 August 2018

Revised: 15 April 2019

Published: 19 July 2019