Yajin Zhou,Kapil Singh,Xuxian Jiang

DOI: https://doi.org/10.1109/noms.2016.7502850

2016-01-01

Abstract:Mobile apps continue to consume increasing amounts of sensitive data, such as banking credentials and classified documents. At the same time, the number of smartphone thefts is increasing at a rapid speed. As a result, there is an imperative need to protect sensitive data on lost or stolen mobile devices. In this work, we develop a practical solution to protect sensitive data on mobile devices. Our solution enables adaptive protection by pro-actively stepping up or stepping down data security based on perceived contextual risk of the device. We realize our solution for the Android platform in the form of a system called AppShell. AppShell does not require root privilege, nor need any modification to the underlying framework, and hence is a ready-to-deploy solution. It supports both in-memory and on-disk data protection by transparently encrypting the data, and discarding the encryption key, when required, for enhanced protection. We implement a working prototype of AppShell and evaluate it against several popular Android apps. Our results show that AppShell can successfully protect sensitive data in the lost devices with a reasonable performance overhead.

Yajin Zhou,Xinwen Zhang,Xuxian Jiang,Vincent W. Freeh

DOI: https://doi.org/10.1007/978-3-642-21599-5_7

2011-01-01

Abstract:Smartphones have been becoming ubiquitous and mobile users are increasingly relying on them to store and handle personal information. However, recent studies also reveal the disturbing fact that users' personal information is put at risk by (rogue) smartphone applications. Existing solutions exhibit limitations in their capabilities in taming these privacy-violating smartphone applications. In this paper, we argue for the need of a new privacy mode in smartphones. The privacy mode can empower users to flexibly control in a fine-grained manner what kinds of personal information will be accessible to an application. Also, the granted access can be dynamically adjusted at runtime in a fine-grained manner to better suit a user's needs in various scenarios (e.g., in a different time or location). We have developed a system called TISSA that implements such a privacy mode on Android. The evaluation with more than a dozen of information-leaking Android applications demonstrates its effectiveness and practicality. Furthermore, our evaluation shows that TISSA introduces negligible performance overhead.

Yajin Zhou,Kunal Patel,Lei Wu,Zhi Wang,Xuxian Jiang

DOI: https://doi.org/10.1145/2714576.2714598

2015-01-01

Abstract:ABSTRACTUsers of Android phones increasingly entrust personal information to third-party apps. However, recent studies reveal that many apps, even benign ones, could leak sensitive information without user awareness or consent. Previous solutions either require to modify the Android framework thus significantly impairing their practical deployment, or could be easily defeated by malicious apps using a native library. In this paper, we propose AppCage, a system that thoroughly confines the run-time behavior of third-party Android apps without requiring framework modifications or root privilege. AppCage leverages two complimentary user-level sandboxes to interpose and regulate an app's access to sensitive APIs. Specifically, dex sandbox hooks into the app's Dalvik virtual machine instance and redirects each sensitive framework API to a proxy which strictly enforces the user-defined policies, and native sandbox leverages software fault isolation to prevent the app's native libraries from directly accessing the protected APIs or subverting the dex sandbox. We have implemented a prototype of AppCage. Our evaluation shows that AppCage can successfully detect and block attempts to leak private information by third-party apps, and the performance overhead caused by AppCage is negligible for apps without native libraries and minor for apps with them.

Jinku Li,Yangtian Ye,Yajin Zhou,Jianfeng Ma

DOI: https://doi.org/10.1109/access.2018.2804321

IF: 3.9

2018-01-01

IEEE Access

Abstract:Short message service (SMS) authorization codes play an important role in the application ecosystem, as a number of transactions (e.g., personal identification and online banking) require users to provide a code for authorization purposes. However, authorization codes in SMS messages can be stolen and forwarded by attackers, which introduces serious security concerns. In this paper, we propose CodeTracker, a lightweight approach to track and protect SMS authorization codes. Specifically, we leverage the taint tracking technique to mark the authorization code with taint tags at the origin of the incoming SMS messages (taint sources), and then, we propagate the tags in the system. To this end, we modify the related array structure, array operations, string operations, inter-process communication mechanism, and file operations for secondary storage of SMS authorization codes to ensure that the taint tags cannot be removed. When the authorization code is sent out via either SMS messages or network connections (taint sinks), we extract the taint tag of the data and enforce pre-defined security policies to prevent the code from being leaked. We have developed a prototype of CodeTracker on Android's ART virtual machine and used 1, 218 SMS-stealing Android malware samples to evaluate the system. The evaluation results show that CodeTracker can effectively track and protect SMS authorization codes with a small performance overhead (<;2% on average).

Chiachih Wu,Yajin Zhou,Kunal Patel,Zhenkai Liang,Xuxian Jiang

DOI: https://doi.org/10.14722/ndss.2014.23164

2014-01-01

Abstract:Recent years have experienced explosive growth of smartphone sales. Inevitably, the rise in the popularity of smartphones also makes them an attractive target for attacks. In light of these threats, current mobile platform providers have developed various server-side vetting processes to block malicious applications (“apps”). While helpful, they are still far from ideal in achieving their goals. To make matters worse, the presence of alternative (less-regulated) mobile marketplaces also opens up new attack vectors, which necessitate client-side solutions (e.g., mobile anti-virus software) to run on mobile devices. However, existing client-side solutions still exhibit limitations in their capability or deployability. In this paper, we present AirBag, a lightweight OS-level virtualization approach to enhance the popular Android platform and boost our defense capability against mobile malware infection. Assuming a trusted smartphone OS kernel and the fact that untrusted apps will be eventually installed onto users’ phones, AirBag is designed to isolate and prevent them from infecting our normal systems (e.g., corrupting the phone firmware) or stealthily leaking private information. More specifically, by dynamically creating an isolated runtime environment with its own dedicated namespace and virtualized system resources, AirBag not only allows for transparent execution of untrusted apps, but also effectively mediates their access to various system resources or phone functionalities (e.g., SMSs or phone calls). We have implemented a proof-of-concept prototype on three representative mobile devices, i.e., Google Nexus One, Nexus 7, and Samsung Galaxy S III. The evaluation results with a number of untrusted apps, including real-world mobile malware, demonstrate its practicality and effectiveness.

Yajin Zhou,Kapil Singh,Xuxian Jiang

DOI: https://doi.org/10.1007/978-3-319-08593-7_4

2014-01-01

Abstract:Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as an user's geolocation, has predefined semantics that can be retrieved by well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the apps to reflect its meaning and value, and is typically provided by the user directly into an app's interface. Recent research has shown that third-party apps are leaking highly-sensitive unstructured data, including user's banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data. In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows the data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner's policies at strategic exit points. Based on this approach, we design and implement a system, called <Literal>DataChest</Literal>. We develop several mechanisms to reduce user burden and keep interruption to the minimum, while at the same time preventing the malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.

Tong Sun,Borui Li,Yixiao Teng,Yi Gao,Wei Dong

DOI: https://doi.org/10.1109/ipsn61024.2024.00021

2024-01-01

Abstract:Internet of Things (IoT) applications have recently been widely used in safety-critical scenarios. To prevent sensitive information leaks, IoT device vendors provide hardware-assisted protections, called Trusted Execution Environments (TEEs), like ARM Trust-Zone. Programming a TEE-based application requires separate code for two components, significantly slowing down the development process. Existing solutions tackle this issue by automatic code partition while not successfully applying it in two complicated scenarios: adding trusted logic and interactions with secure peripherals.We propose dTEE, a declarative approach to secure IoT applications based on TrustZone. dTEE proposes a rapid approach that enables developers to declare tiered-sensitive variables and functions of existing applications. Besides, dTEE automatically transforms device drivers into trusted ones. We evaluate dTEE on four real-world IoT applications and seven micro-benchmarks. Results show that dTEE achieves high expressiveness for supporting 50% more applications than existing approaches and reduces 90% of the lines of code against handcrafted development.

Tao Feng,Nicholas DeSalvo,Lei Xu,Xi Zhao,Xi Wang,Weidong Shi

DOI: https://doi.org/10.4108/icst.mobicase.2014.257767

2014-01-01

Abstract:With the rise of Internet connected mobile devices, applications have migrated from PCs to mobile computing platforms. An important aspect, payment processing, faces new security challenges from these developments. Inasmuch, these advancements demand efforts from researchers and industry to meet increasing security needs. Threats can ensue from data loss, theft from lost, stolen, or decommissioned devices, information-stealing malware, and password peeping. We propose a secure framework for sensitive session driven applications which combines biometric-based continuous and implicit tracking of user identities, and TrustZone. This framework is accomplished through monitoring fingerprint authentication logs as well as detecting events when the phone has left the user's hands, all while in TrustZone, a platform for secure computation and storage on mobile devices. This solution leverages multiple onboard sensors as well as the ARM architecture to accomplish these feats. We conducted two user-studies acquiring smartphone users' usage statistics to investigate security and usability needs of our identity-tracking solution. To monitor these subtle gestures in real-world uncontrolled environments, multi-session data collection has been conducted to iteratively improve system performance. The evaluation results have demonstrated the feasibility of this framework as a secure session-based payment system.

Yutao Tang,Zhengrui Qin,Zhiqiang Lin,Yue Li,Shanhe Yi,Fengyuan Xu,Qun Li

DOI: https://doi.org/10.1109/tc.2022.3152074

IF: 3.183

2022-01-01

IEEE Transactions on Computers

Abstract:Increasingly, many security and privacy-sensitive applications are running on mobile platforms. However, as mobile operating systems are becoming increasingly sophisticated, they are vulnerable to various attacks. In addressing the need of running high assurance mobile apps in a secure environment even though the operating systems are untrusted, this paper presents vTrust, a new mobile app trusted execution environment, which offloads the general execution and storage of a mobile app to a trusted remote server (e.g., a VM running in a cloud) and secures the I/O between the server and the mobile device with the aid of a trusted hypervisor on the mobile device. Specifically, vTrust establishes an encrypted I/O channel between the local hypervisor and the remote server. In this way, any sensitive data flowing through the mobile OS, which the hypervisor hosts, is encrypted from the perspective of the local mobile OS. To enhance the performance of vTrust, we have also designed multiple optimizations, such as output data compression and selective sensor data transmission. We have implemented vTrust, and our evaluation shows that it has limited impact on both user experience and the application performance.

engineering, electrical & electronic,computer science, hardware & architecture

Wenhao Li,Mingyang Ma,Jinchen Han,Yubin Xia,Binyu Zang,Cheng-Kang Chu,Tieyan Li

DOI: https://doi.org/10.1145/2637166.2637225

2014-01-01

Abstract:Mobile devices are frequently used as terminals to interact with many security-critical services such as mobile payment and online banking. However, the large client software stack and the continuous proliferation of malware expose such interaction under various threats, including passive attacks like phishing and active ones like direct code manipulation. This paper proposes TrustUI, a new trusted path design for mobile devices that enables secure interaction between end users and services based on ARM's TrustZone technology. TrustUI is built with a combination of key techniques including cooperative randomization of the trusted path and secure delegation of network interaction. With such techniques, TrustUI not only requires no trust of the commodity software stack, but also takes a step further by excluding drivers for user-interacting devices like touch screen from its trusted computing base (TCB). Hence, TrustUI has a much smaller TCB, requires no access to device driver code, and may easily adapt to many devices. A prototype of TrustUI has been implemented on a Samsung Exynos 4412 board and evaluation shows that TrustUI provides strong protection of users interaction.

Fan Wu,Chung-han Chen,Dwayne Clarke

DOI: https://doi.org/10.14569/ijacsa.2014.050907

IF: 0.9

2014-01-01

International Journal of Advanced Computer Science and Applications

Abstract:Nowadays, many mobile devices such as phones and tablets are used in the workplace. A large amount of data is being transferred from one person to another. Data transfer is used for several different fields. Many companies and institutions are focusing on research and development on the way to further protect sensitive data. However, sensitive data still get leaks on mobile devices. To analyze how sensitive data get leak, a simulation on transferring sensitive data is developed. In this paper, we present the analysis of mobile security problem dealing with sensitive data from getting out. The goals in our research are for users to have a greater understanding on how data is being transferred and prevention sensitive data from being stolen. Our work will benefit mobile device users and help to prevent sensitive data from being stolen. Our experiments show different ways to safely transfer information on mobile devices by testing three methods types, which are back- up, encryption, and lock plus wipe data.

Xiaolong Bai,Zhe Zhou,XiaoFeng Wang,Zhou Li,Xianghang Mi,Nan Zhang,Tongxin Li,Shi-Min Hui,Kehuan Zhang

2017-01-01

Abstract:Mobile off-line payment enables purchase over the counter even in the absence of reliable network connections. Popular solutions proposed by leading payment service providers (e.g., Google, Amazon, Samsung, Apple) rely on direct communication between the payer's device and the POS system, through Near-Field Communication (NFC), Magnetic Secure Transaction (MST), audio and QR code. Although pre-cautions have been taken to protect the payment transactions through these channels, their security implications are less understood, particularly in the presence of unique threats to this new e-commerce service. In the paper, we report a new type of over-the-counter payment frauds on mobile off-line payment, which exploit the designs of existing schemes that apparently fail to consider the adversary capable of actively affecting the payment process. Our attack, called Synchronized Token Lifting and Spending (STLS), demonstrates that an active attacker can sniff the payment token, halt the ongoing transaction through various means and transmit the token quickly to a colluder to spend it in a different transaction while the token is still valid. Our research shows that such STLS attacks pose a realistic threat to popular offline payment schemes, particularly those meant to be backwardly compatible, like Samsung Pay and AliPay. To mitigate the newly discovered threats, we propose a new solution called POSAUTH. One fundamental cause of the STLS risk is the nature of the communication channels used by the vulnerable mobile off-line payment schemes, which are easy to sniff and jam, and more importantly, unable to support a secure mutual challenge-response protocols since information can only be transmitted in one-way. POSAUTH addresses this issue by incorporating one unique ID of the current POS terminal into the generation of payment tokens by requiring a quick scan-ning of QR code printed on the POS terminal. When combined with a short valid period, POSAUTH can ensure that tokens generated for one transaction can only be used in that transaction.

William Enck,Peter Gilbert,Seungyeop Han,Vasant Tendulkar,Byung-Gon Chun,Landon P. Cox,Jaeyeon Jung,Patrick McDaniel,Anmol N. Sheth

DOI: https://doi.org/10.1145/2619091

2014-06-01

ACM Transactions on Computer Systems

Abstract:Today’s smartphone operating systems frequently fail to provide users with visibility into how third-party applications collect and share their private data. We address these shortcomings with TaintDroid, an efficient, system-wide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid enables realtime analysis by leveraging Android’s virtualized execution environment. TaintDroid incurs only 32% performance overhead on a CPU-bound microbenchmark and imposes negligible overhead on interactive third-party applications. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, in our 2010 study we found 20 applications potentially misused users’ private information; so did a similar fraction of the tested applications in our 2012 study. Monitoring the flow of privacy-sensitive data with TaintDroid provides valuable input for smartphone users and security service firms seeking to identify misbehaving applications.

computer science, theory & methods

Mingshen Sun,Tao Wei,John C. S. Lui

DOI: https://doi.org/10.1145/2976749.2978343

2016-01-01

Abstract:ABSTRACTMobile operating systems like Android failed to provide sufficient protection on personal data, and privacy leakage becomes a major concern. To understand the security risks and privacy leakage, analysts have to carry out data-flow analysis. In 2014, Android upgraded with a fundamentally new design known as Android RunTime (ART) environment in Android 5.0. ART adopts ahead-of-time compilation strategy and replaces previous virtual-machine-based Dalvik. Unfortunately, many data-flow analysis systems like TaintDroid were designed for the legacy Dalvik environment. This makes data-flow analysis of new apps and malware infeasible. We design a multi-level information-flow tracking system for the new Android system called TaintART. TaintART employs a multi-level taint analysis technique to minimize the taint tag storage. Therefore, taint tags can be stored in processor registers to provide efficient taint propagation operations. We also customize the ART compiler to maximize performance gains of the ahead-of-time compilation optimizations. Based on the general design of TaintART, we also implement a multi-level privacy enforcement to prevent sensitive data leakage. We demonstrate that TaintART only incurs less than 15% overheads on a CPU-bound microbenchmark and negligible overhead on built-in or third-party applications. Compared to legacy Dalvik environment in Android 4.4, TaintART achieves about 99.7% faster performance for Java runtime benchmark.

He Liu,Stefan Saroiu,Alec Wolman,Himanshu Raj

DOI: https://doi.org/10.1145/2307636.2307670

2012-01-01

Abstract:With the proliferation of e-commerce, e-wallet, and e-health smartphone applications, the need for trusted mobile applications is greater than ever. Unlike their desktop counterparts, many mobile applications rely heavily on sensor inputs. As a result, trust often requires authenticity and integrity of sensor readings. For example, applications may need trusted readings from sensors such as a GPS, camera, or microphone. Recent research has started to recognize the need for "trusted sensors", yet providing the right programming abstractions and system support for building mobile trusted applications is an open problem. This paper proposes two software abstractions for offering trusted sensors to mobile applications. We present the design and implementation of these abstractions on both x86 and ARM platforms. We implement a trusted GPS sensor on both platforms, and we provide a privacy control for trusted location using differential privacy. Our evaluation shows that implementing these abstractions comes with moderate overhead on both x86 and ARM platforms. We find these software abstractions to be versatile and practical - using them we implement one novel enterprise mobile application.

Ahmad-Atamli Reineh,Giuseppe Petracca,Janne Uusilehto,Andrew Martin

DOI: https://doi.org/10.48550/arXiv.1606.02995

2016-06-09

Cryptography and Security

Abstract:The emergence of mobile applications to execute sensitive operations has brought a myriad of security threats to both enterprises and users. In order to benefit from the large potential in smartphones there is a need to manage the risks arising from threats, while maintaining an easy interface for the users. In this paper we investigate the use of Trusted Platform Model (TPM) 2.0 to develop a secure application for smartphones using Windows Phone 8.1. In particular, we suggest a framework based on remote attestation as a proxy to authenticate remote services, where the device is associated to the user and replaces the users credentials. In addition, we use the TPM 2.0 to enable secured information and data storage within the device itself. We present an implementation and performance evaluation of the suggested architecture that uses our novel attestation and authentication scheme and reveal the caveats of using software TPM in todays mobile devices.

Chao Wang,Ronny Ko,Yue Zhang,Yuqing Yang,Zhiqiang Lin

DOI: https://doi.org/10.1109/icse48619.2023.00086

2023-01-01

Abstract:Mini-programs, which are programs running inside mobile super apps such as WeChat, often have access to privacy-sensitive information, such as location data and phone numbers, through APIs provided by the super apps. This access poses a risk of privacy sensitive data leaks, either accidentally from carelessly programmed mini-programs or intentionally from malicious ones. To address this concern, it is crucial to track the flow of sensitive data in mini-programs for either human analysis or automated tools. Although existing taint analysis techniques have been widely studied, they face unique challenges in tracking sensitive data flows in mini-programs, such as cross-language, cross-page, and cross-mini-program data flows. This paper presents a novel framework, TAINTMINI, which addresses these challenges by using a novel universal data flow graph approach that captures data flows within and across mini-programs. We have evaluated TAINTMINI with 238,866 mini-programs and detect 27,184 that contain sensitive data flows. We have also applied TAINTMINI to detect privacy leakage colluding mini-programs and identify 455 such programs from them that clearly violate privacy policy.

Donghong Sun,Wu Liu,Ping Ren,Dongbin Sun

DOI: https://doi.org/10.1109/ctc.2012.10

2012-01-01

Abstract:The proliferations of the mobile intelligent terminal have brought them to the spotlight of the attackers for the sensitive information they carried. However, the current security schemes on the mobile intelligent terminal are fragile. This paper proposed a new transparent authentication and encryption measure to protect the confidentiality and integrity of the data on the mobile intelligent terminal. Our method is user-friendly as no interaction is needed during the process. Also, the result can be applied as evidence to identify who have used the phone.

Le Guan,Chen Cao,Sencun Zhu,Jingqiang Lin,Peng Liu,Yubin Xia,Bo Luo

DOI: https://doi.org/10.1145/3317549.3319721

2019-01-01

Abstract:Sensitive data in a process could be scattered over the memory of a computer system for a prolonged period of time. Unfortunately, DRAM chips were proven insecure in previous studies. The problem becomes worse in the mobile environment, in which users' smartphones are easily lost or stolen. The powered-on phones may contain sensitive data in the vulnerable DRAM chips. In this paper, we propose MemVault, a mechanism to protect sensitive data in Android devices against physical memory attacks. MemVault keeps track of the propagation of well-marked sensitive data sources, and selectively encrypts tainted sensitive memory contents in the DRAM chip. When a tainted object is accessed, MemVault redirects the access to the internal RAM (iRAM), where the cipher-text object is decrypted transparently. iRAM is a system-on-chip (SoC) component which is by nature immune to physical memory exploits. We have implemented a MemVault prototype system, and have evaluated it with extensive experiments. Our results validate that MemVault effectively eliminates the occurrences of clear-text sensitive objects in DRAM chips, and imposes acceptable overheads.

Jianlin Xu,Yifan Yu,Zhen Chen,Bin Cao,Wenyu Dong,Yu Guo,Junwei Cao

DOI: https://doi.org/10.1109/tst.2013.6574680

2013-01-01

Tsinghua Science & Technology

Abstract:With the explosive increase in mobile apps, more and more threats migrate from traditional PC client to mobile device. Compared with traditional Win+Intel alliance in PC, Android+ARM alliance dominates in Mobile Internet, the apps replace the PC client software as the major target of malicious usage. In this paper, to improve the security status of current mobile apps, we propose a methodology to evaluate mobile apps based on cloud computing platform and data mining. We also present a prototype system named MobSafe to identify the mobile app's virulence or benignancy. Compared with traditional method, such as permission pattern based method, MobSafe combines the dynamic and static analysis methods to comprehensively evaluate an Android app. In the implementation, we adopt Android Security Evaluation Framework (ASEF) and Static Android Analysis Framework (SAAF), the two representative dynamic and static analysis methods, to evaluate the Android apps and estimate the total time needed to evaluate all the apps stored in one mobile app market. Based on the real trace from a commercial mobile app market called AppChina, we can collect the statistics of the number of active Android apps, the average number apps installed in one Android device, and the expanding ratio of mobile apps. As mobile app market serves as the main line of defence against mobile malwares, our evaluation results show that it is practical to use cloud computing platform and data mining to verify all stored apps routinely to filter out malware apps from mobile app markets. As the future work, MobSafe can extensively use machine learning to conduct automotive forensic analysis of mobile apps based on the generated multifaceted data in this stage.