Jianmeng Huang,Wenchao Huang,Zhaoyi Meng,Fuyou Miao,Yan Xiong

2020-01-01

Abstract:The network transmission is an important way to exchange information between Android applications and their own backend or other third-party servers. However, some network transmissions are superfluous for the apps’ functionalities. Superfluous network transmissions not only increase the network traffic but also may leak users’ sensitive data. To identify the superfluous network transmissions, we propose a static-analysis based approach. Evaluation with real world market apps shows that 62% apps contain superfluous network transmissions, and 48% of the analyzed network transmissions are superfluous, and our approach could effectively detect superfluous network transmissions in Android apps.

Yajin Zhou,Xuxian Jiang

2013-01-01

Abstract:In this paper, we systematically study two vulnerabilities and their presence in existing Android applications (or “apps”). These two vulnerabilities are rooted in an unprotected Android component, i.e., content provider, inside vulnerable apps. Because of the lack of necessary access control enforcement, affected apps can be exploited to either passively disclose various types of private in-app data or inadvertently manipulate certain security-sensitive in-app settings or configurations that may subsequently cause serious system-wide side effects (e.g., blocking all incoming phone calls or SMS messages). To assess the prevalence of these two vulnerabilities, we analyze 62, 519 apps collected in February 2012 from various Android markets. Our results show that among these apps, 1, 279 (2.0%) and 871 (1.4%) of them are susceptible to these two vulnerabilities, respectively. In addition, we find that 435 (0.7%) and 398 (0.6%) of them are accessible from official Google Play and some of them are extremely popular with more than 10, 000, 000 installs. The presence of a large number of vulnerable apps in popular Android markets as well as the variety of private data for leaks and manipulation reflect the severity of these two vulnerabilities. To address them, we also explore and examine possible mitigation solutions.

Wu Zhou,Yajin Zhou,Michael C. Grace,Xuxian Jiang,Shihong Zou

DOI: https://doi.org/10.1145/2435349.2435377

2013-01-01

Abstract:Mobile applications (or apps) are rapidly growing in number and variety. These apps provide useful features, but also bring certain privacy and security risks. For example, malicious authors may attach destructive payloads to legitimate apps to create so-called "piggybacked" apps and advertise them in various app markets to infect unsuspecting users. To detect them, existing approaches typically employ pair-wise comparison, which unfortunately has limited scalability. In this paper, we present a fast and scalable approach to detect these apps in existing Android markets. Based on the fact that the attached payload is not an integral part of a given app's primary functionality, we propose a module decoupling technique to partition an app's code into primary and non-primary modules. Also, noticing that piggybacked apps share the same primary modules as the original apps, we develop a feature fingerprint technique to extract various semantic features (from primary modules) and convert them into feature vectors. We then construct a metric space and propose a linearithmic search algorithm (with O(n log n) time complexity) to efficiently and scalably detect piggybacked apps. We have implemented a prototype and used it to study 84,767 apps collected from various Android markets in 2011. Our results show that the processing of these apps takes less than nine hours on a single machine. In addition, among these markets, piggybacked apps range from 0.97% to 2.7% (the official Android Market has 1%). Further investigation shows that they are mainly used to steal ad revenue from the original developers and implant malicious payloads (e.g., for remote bot control). These results demonstrate the effectiveness and scalability of our approach.

Ming Fan,Jifei Shi,Yin Wang,Le Yu,Xicheng Zhang,Haijun Wang,Wuxia Jin,Ting Liu

DOI: https://doi.org/10.1145/3691620.3695528

2024-01-01

Abstract:Mobile apps often access personal information to meet business needs, raising concerns about privacy breaches. Compliance detection methods are proposed to check for inconsistencies between program code and privacy policies. However, existing methods face challenges with the low efficiency of static data flow analysis tools and often neglect physical data transmission destinations. To address these issues, we propose an automated compliance detection method called GNChecker. It uses an efficient static data flow analysis technique with a segmentation strategy, significantly reducing the search scope and improving efficiency. Additionally, a fine-grained consistency detection framework is proposed by integrating static data flow and dynamic traffic flow results into a unified tuple form, i.e., (information type, transmission address). Evaluation results on 50 popular apps show that GNChecker outperforms state-of-the-art data flow analysis tools. Among 1,134 real-world apps, GNChecker identified 1,410 true non-compliant transmission behaviors in 379 apps, significantly surpassing existing compliance detection tools.

Hao Fu,Zizhan Zheng,Somdutta Bose,Matt Bishop,Prasant Mohapatra

DOI: https://doi.org/10.48550/arXiv.1702.01160

2017-02-07

Abstract:Mobile applications (apps) often transmit sensitive data through network with various intentions. Some transmissions are needed to fulfill the app's functionalities. However, transmissions with malicious receivers may lead to privacy leakage and tend to behave stealthily to evade detection. The problem is twofold: how does one unveil sensitive transmissions in mobile apps, and given a sensitive transmission, how does one determine if it is legitimate? In this paper, we propose LeakSemantic, a framework that can automatically locate abnormal sensitive network transmissions from mobile apps. LeakSemantic consists of a hybrid program analysis component and a machine learning component. Our program analysis component combines static analysis and dynamic analysis to precisely identify sensitive transmissions. Compared to existing taint analysis approaches, LeakSemantic achieves better accuracy with fewer false positives and is able to collect runtime data such as network traffic for each transmission. Based on features derived from the runtime data, machine learning classifiers are built to further differentiate between the legal and illegal disclosures. Experiments show that LeakSemantic achieves 91% accuracy on 2279 sensitive connections from 1404 apps.

Cryptography and Security

Zhenyu Cheng,Xunxun Chen,Yongzheng Zhang,Shuhao Li,Yafei Sang

DOI: https://doi.org/10.1109/nas.2017.8026853

2017-01-01

Abstract:With the widespread use of smartphones, more and more malicious attacks happen with information leakage from apps installed on users' devices. The adversary always uses a malware as the client to take remote control of smartphones, and leverages the vulnerability of operation systems to send back the collected information without users' permissions. All the information has to be transferred by network traffic. In this paper, we consider that different apps maybe generate different network flows by different operations, and the "shapes" of the benign flows and malicious ones will be diverse. Thus we propose a detection model based on the analysis of relationships between behavior patterns and network flows, which achieves our goal by using the Random Forest machine learning algorithm to classify the network flows into benign or malicious. To further improve the controllability of the experiment, we design an app called Moledroid to simulate malwares by uploading the user's privacy without authorization, in addition, we can change the behavior pattern of the app to complete our evaluation. Finally, we run this app and several benign apps to generate traffic to detect the malicious network flows, and it shows that our detection model can achieve precision and accuracy higher than 95%, which demonstrates that our model is suitable for detecting the network flows of information theft.

Hiroki Kuzuno,Satoshi Tonami

DOI: https://doi.org/10.48550/arXiv.1305.4045

2013-05-17

Cryptography and Security

Abstract:In recent years, there has been rapid growth in mobile devices such as smartphones, and a number of applications are developed specifically for the smartphone market. In particular, there are many applications that are ``free'' to the user, but depend on advertisement services for their revenue. Such applications include an advertisement module - a library provided by the advertisement service - that can collect a user's sensitive information and transmit it across the network. Users accept this business model, but in most cases the applications do not require the user's acknowledgment in order to transmit sensitive information. Therefore, such applications' behavior becomes an invasion of privacy. In our analysis of 1,188 Android applications' network traffic and permissions, 93% of the applications we analyzed connected to multiple destinations when using the network. 61% required a permission combination that included both access to sensitive information and use of networking services. These applications have the potential to leak the user's sensitive information. In an effort to enable users to control the transmission of their private information, we propose a system which, using a novel clustering method based on the HTTP packet destination and content distances, generates signatures from the clustering result and uses them to detect sensitive information leakage from Android applications. Our system does not require an Android framework modification or any special privileges. Thus users can easily introduce our system to their devices, and manage suspicious applications' network behavior in a fine grained manner. Our system accurately detected 94% of the sensitive information leakage from the applications evaluated and produced only 5% false negative results, and less than 3% false positive results.

Zhemin Yang,Min Yang,Yuan Zhang,Guofei Gu,Peng Ning,Xiaoyang Sean Wang

DOI: https://doi.org/10.1145/2508859.2516676

2013-01-01

Abstract:ABSTRACTAndroid phones often carry personal information, attracting malicious developers to embed code in Android applications to steal sensitive data. With known techniques in the literature, one may easily determine if sensitive data is being transmitted out of an Android phone. However, transmission of sensitive data in itself does not necessarily indicate privacy leakage; a better indicator may be whether the transmission is by user intention or not. When transmission is not intended by the user, it is more likely a privacy leakage. The problem is how to determine if transmission is user intended. As a first solution in this space, we present a new analysis framework called AppIntent. For each data transmission, AppIntent can efficiently provide a sequence of GUI manipulations corresponding to the sequence of events that lead to the data transmission, thus helping an analyst to determine if the data transmission is user intended or not. The basic idea is to use symbolic execution to generate the aforementioned event sequence, but straightforward symbolic execution proves to be too time-consuming to be practical. A major innovation in AppIntent is to leverage the unique Android execution model to reduce the search space without sacrificing code coverage. We also present an evaluation of AppIntent with a set of 750 malicious apps, as well as 1,000 top free apps from Google Play. The results show that AppIntent can effectively help separate the apps that truly leak user privacy from those that do not.

Gaofeng He,Bingfeng Xu,Lu Zhang,Haiting Zhu

DOI: https://doi.org/10.1177/1550147718817292

IF: 1.938

2018-12-01

International Journal of Distributed Sensor Networks

Abstract:Mobile application (simply “app”) identification at a per-flow granularity is vital for traffic engineering, network management, and security practices. However, uncertainty is caused by a growing fraction of encrypted traffic such as Hypertext Transfer Protocol Secure. To address this challenge, we have carefully analyzed mobile app traffic (mainly including Domain Name System, Hypertext Transfer Protocol, and encrypted traffic such as Secure Sockets Layer and Transport Layer Security) and observed that (1) the sets of server hostnames queried by different apps are distinguishable; (2) mobile apps may query multiple server hostnames simultaneously, that is, apps may send several Domain Name System lookups within a short time interval; and (3) the encrypted traffic may be similar to various other network flows generated by the same app. Based on these three observations, in this article, we propose a novel app identification methodology for encrypted network flows. To be specific, temporal, lexical, and metadata similarity are investigated to select correlated traffic and information retrieving techniques are adopted to identify apps. We ran a thorough set of experiments to assess the performance of the proposed approaches. The experimental results show that the identification accuracy can be as high as 95%, and the proposed methods have low storage requirements as well as fast training speeds.

computer science, information systems,telecommunications

Faqiang Sun,Li Zhao,Bo Zhou,Yong Wang

DOI: https://doi.org/10.1109/iccia49625.2020.00036

2020-06-01

Abstract:Network operators often need a clear visibility of the mobile APPs and their user scales running in the network traffic. This is critical for network management and network security. Analysis of the network traffic using the extracted APP features and user fingerprints is helpful for effective network operations, management, and security monitoring of LANs, MANs, and WANs. In China, the number of mobile APP users continues to increase, and the proportion of Internet users using mobile APPs to access the Internet far exceeds that of computers, making this task significant and difficult. The traditional methods are mainly APP identifications or identifications of specific APP users, which cannot satisfy the requirements of globally monitoring of APPs and their user scales at the same time. Especially when many users share the same network IPs (4G, home broadband, NAT), this work becomes challenging and time-consuming. This paper proposes an automatic fingerprint extraction approach of mobile APP users in network traffic. By analyzing the plaintext of the HTTP requests initiated by APPs in training datasets, we extract the APPs’ features and the users’ fingerprints simultaneously. Both of them are the combinations of strings which are distinguishable of APPs and their users in the network traffic. The proposed method is evaluated with the top 49 popular APPs in Huawei App Store. The experimental results show that the recalls of the extractions of APPs’ features and users’ fingerprints are respectively 77.5% and 55.1% in total.

Biniam Fisseha Demissie,Mariano Ceccato,Lwin Khin Shar

DOI: https://doi.org/10.1145/3197231.3197238

2018-12-19

Abstract:Smartphone apps usually have access to sensitive user data such as contacts, geo-location, and account credentials and they might share such data to external entities through the Internet or with other apps. Confidentiality of user data could be breached if there are anomalies in the way sensitive data is handled by an app which is vulnerable or malicious. Existing approaches that detect anomalous sensitive data flows have limitations in terms of accuracy because the definition of anomalous flows may differ for different apps with different functionalities; it is normal for "Health" apps to share heart rate information through the Internet but is anomalous for "Travel" apps. In this paper, we propose a novel approach to detect anomalous sensitive data flows in Android apps, with improved accuracy. To achieve this objective, we first group trusted apps according to the topics inferred from their functional descriptions. We then learn sensitive information flows with respect to each group of trusted apps. For a given app under analysis, anomalies are identified by comparing sensitive information flows in the app against those flows learned from trusted apps grouped under the same topic. In the evaluation, information flow is learned from 11,796 trusted apps. We then checked for anomalies in 596 new (benign) apps and identified 2 previously-unknown vulnerable apps related to anomalous flows. We also analyzed 18 malware apps and found anomalies in 6 of them.

Software Engineering

Luigi Vigneri,Jaideep Chandrashekar,Ioannis Pefkianakis,Olivier Heen

DOI: https://doi.org/10.48550/arXiv.1504.06093

2015-04-23

Networking and Internet Architecture

Abstract:There are over 1.2 million applications on the Google Play store today with a large number of competing applications for any given use or function. This creates challenges for users in selecting the right application. Moreover, some of the applications being of dubious origin, there are no mechanisms for users to understand who the applications are talking to, and to what extent. In our work, we first develop a lightweight characterization methodology that can automatically extract descriptions of application network behavior, and apply this to a large selection of applications from the Google App Store. We find several instances of overly aggressive communication with tracking websites, of excessive communication with ad related sites, and of communication with sites previously associated with malware activity. Our results underscore the need for a tool to provide users more visibility into the communication of apps installed on their mobile devices. To this end, we develop an Android application to do just this; our application monitors outgoing traffic, associates it with particular applications, and then identifies destinations in particular categories that we believe suspicious or else important to reveal to the end-user.

Yao Liu,Qi Wei,Lei Guo,Bo Shen,Songqing Chen,Yingjie Lan

DOI: https://doi.org/10.1109/TMM.2013.2293312

IF: 7.3

2014-01-01

IEEE Transactions on Multimedia

Abstract:The Internet has witnessed rapidly increasing streaming traffic to various mobile devices. In this paper, through analysis of a server-side workload and experiments in a controlled lab environment, we find that current practice has introduced a significant amount of redundant traffic. In particular, for the popular iOS based mobile devices, accessing popular Internet streaming services typically involves about 10%–70% redundant traffic. Such a practice not only over-utilizes and wastes resources on the server side and the network (cellular or Internet), but also consumes additional battery power on user's mobile devices and leads to possible monetary cost. To alleviate such a situation without changing the server side or the client side, we design and implement CStreamer that can transparently work between existing mobile clients and servers. We have implemented a prototype and installed on Amazon EC2. Experiments conducted based on this prototype show that CStreamer can completely eliminate the redundant traffic without degrading user's QoS.

Xiaoyu Sun,Xiao Chen,Kui Liu,Sheng Wen,Li Li,John Grundy

DOI: https://doi.org/10.1109/issre52982.2021.00058

2021-10-01

Abstract:While extremely valuable to achieve advanced functions, mobile phone sensors can be abused by attackers to implement malicious activities in Android apps, as experimentally demonstrated by many state-of-the-art studies. There is hence a strong need to regulate the usage of mobile sensors so as to keep them from being exploited by malicious attackers. However, despite the fact that various efforts have been put in achieving this, i.e., detecting privacy leaks in Android apps, we have not yet found approaches to automatically detect sensor leaks in Android apps. To fill the gap, we designed and implemented a novel prototype tool, Seeker, that extends the famous FlowDroid tool to detect sensor-based data leaks in Android apps. Seeker conducts sensor-focused static taint analyses directly on the Android apps' bytecode and reports not only sensor-triggered privacy leaks but also the sensor types involved in the leaks. Experimental results using over 40,000 real-world Android apps show that Seeker is effective in detecting sensor leaks in Android apps, and malicious apps are more interested in leaking sensor data than benign apps.

Jianmeng Huang,Yan Xiong,Wenchao Huang,Chen Xu,Fuyou Miao

DOI: https://doi.org/10.1109/jsyst.2019.2938611

IF: 4.802

2020-01-01

IEEE Systems Journal

Abstract:Android applications may abuse their permissions on private data, leaking the user's privacy out of the mobile device via data transmissions. A straightforward way to deal with this problem is to restrict the application permissions. However, the restriction not only prevents the undesirable operations fromleaking privacy but also prohibits the desirable operations from utilizing private data. Ourgoal is to get both of the points: ensuring the user's privacy by preventing undesirable private-data transmissions and enduring no degradation on the desirable application functionalities. We propose SieveDroid, a fine-grained runtime privacy control framework. SieveDroid addresses two key challenges of intercepting the undesirable private-data transmissions: revealing how private-data transmissions occur to end-users and setting privacy control rules which intercept the undesirable private-data transmissions at runtime without interfering with desirable ones. We evaluate SieveDroid by using Android malware samples and real applications from the Android market. The results demonstrate that SieveDroid reveals the undesirable operations precisely and concisely and it can effectively intercept the undesirable data transmissions. Besides, desirable functionalities in 98% of the tested applications are not affected.

Hongbing Yan,Yan Xiong,Wenchao Huang,Jianmeng Huang,Zhaoyi Meng

DOI: https://doi.org/10.1109/BIGCOM.2018.00023

2018-01-01

Abstract:Android devices have increased rapidly in recent years. Because sensitive data of users can bring huge profits, there are so many malicious Android applications (apps) which aim at users' sensitive data in Android markets. Malicious apps may collect sensitive data of users, such as phone number, location, contact information, and send them to advertisers or attackers. To prevent malicious apps from stealing user information, a simple solution is not to grant corresponding permissions to apps. But if we don't give corresponding permissions, the apps may exit directly. This affect the normal use of apps. In order to solve the above problems, we design a system which uses machine-learning technology to detect malicious behaviours. Our system is based on the observation that apps in the same category usually use sensitive data in the same or similar way. The system implements automatic detection of malicious behaviours. The true positive rate of our system can be over 90% and the false positive rate can be below 8%.

Xiangyu Liu,Zhe Zhou,Wenrui Diao,Zhou Li,Kehuan Zhang

DOI: https://doi.org/10.1007/978-3-319-18467-8_36

2015-01-01

Abstract:With millions of apps provided from official and third-party markets, Android has become one of the most active mobile platforms in recent years. These apps facilitate people's lives in a broad spectrum of ways but at the same time touch numerous users' information, raising huge privacy concerns. To prevent leaks of sensitive information, especially from legitimate apps to malicious ones, developers are encouraged to store users' sensitive data into private folders which are isolated and securely protected. But for non-sensitive data, there is no specific guideline on how to manage them, and in many cases, they are simply stored on public storage which lacks fine-grained access control and is almost open to all apps.Such storage model appears to be capable of preventing privacy leaks, as long as the sensitive data are correctly identified and kept in private folders by app developers. Unfortunately, this is not true in reality. In this paper, we carry out a thorough study over a number of Android apps to examine how the sensitive data are handled, and the results turn out to be pretty alarming: most of the apps we surveyed fail to handle the data correctly, including extremely popular apps. Among these problematic apps, some directly store the sensitive data into public storage, while others leave non-sensitive data on public storage which could give out users' private information when being combined with data from other sources. An adversary can exploit these leaks to infer users' location, friends and other information without requiring any critical permission. We refer to both types of data as "non-shared" data, and argue that Android's storage model should be refined to protect the non-shared data if they are saved to public storage. In the end, we propose several approaches to mitigate such privacy leaks.

Qiang Xu,Yong Liao,Stanislav Miskovic,Z. Morley Mao,Mario Baldi,Antonio Nucci,Thomas Andrews

DOI: https://doi.org/10.1109/INFOCOM.2015.7218526

2015-01-01

Abstract:There are network management, traffic engineering, and security practices adopted in today's networking that rely on the knowledge about what applications' traffic is passing through the networks. These practices might fail with mobile apps whose identity remains hidden in generic HTTP traffic. The main reason is that unlike traditional applications, most mobile apps do not use specific protocols or IP ports with distinctive features. Many enterprises and service providers are in a great need of regaining control over their networks that increasingly carry mobile traffic. In this paper we propose FLOWR, a system that automatically identifies mobile apps by continually learning the apps' distinguishing features via traffic analysis. FLOWR focuses solely on key-value pairs in HTTP headers and intelligently identifies the pairs suitable for app signatures. Our system employs a custom supervised learning approach that leverages a very limited knowledge of app-signature seeds and autonomously grows its capacity for app identification. The approach is motivated by a simple but effective hypothesis that unknown app-identifying features should co-occur with the known signatures. Our experimental results show a significant growth in flow identification coverage provided by FLOWR. Specifically, we show that FLOWR can achieve identification of 86-95% of flows related to their generating apps.

Jiafa Liu,Junyi Liu,Huaxin Li,Haojin Zhu,Na Ruan,Di Ma

DOI: https://doi.org/10.1109/glocom.2016.7842384

2016-01-01

Abstract:The mobile advertisement (ad) network is gaining an increasing interest due to the high popularity of smart phones. Previous researches on the security issues of ad network primarily focus on the privacy, permission and malware detection while less attention has been paid to the traffic consumption issue incurred by ad network. Though it is well known that ad network plays an important role in network consumption, it represents a great challenge of giving a fine-grained classification of ad networks. Inspired by this, different from any previous researches, in this study, we take the initial step towards modeling the network consumption of Ad network in Android. We develop an automatic ad analysis platform to quantify the ad network traffic consumed by android applications (app). To achieve a fine-grained quantification, we combine two sources of network traffic. On one hand, we modify the android webview and log system in system level to capture network traffic accurately. On the other hand, we capture network traffic in router level to collect detailed information of traffic packets, such as packet size and URI. We have evaluated the developed system in terms of normal apps, repacked apps and malicious apps based on the real-world dataset, which is comprised of 93 Android apps. We find out that ad traffic takes major percentage of the whole network traffic caused by Android app. We have also studied the ad library mechanism for 10 popular ad libraries. We found ads from some ad libraries use much more network traffic because they have to be fetched from remote ad libraries each time they are shown to users while other ad libraries allow apps to store ads locally.

Qinge Xie,Qingyuan Gong,Xinlei He,Yang Chen,Xin Wang,Haitao Zheng,Ben Y. Zhao,Heather Zheng,Ben Zhao

DOI: https://doi.org/10.1109/tmc.2021.3088121

IF: 6.075

2021-01-01

IEEE Transactions on Mobile Computing

Abstract:Despite continuous efforts to build and update mobile network infrastructure, mobile devices in developing regions continue to be constrained by limited bandwidth. Unfortunately, this coincides with a period of unprecedented growth in the sizes of mobile applications. Thus it is becoming prohibitively expensive for users in developing regions to download and update mobile apps critical to their economic and educational development. Unchecked, these trends can further contribute to a large and growing global digital divide. Our goal is to better understand the source of this rapid growth in mobile app code size, whether it is reflective of new functionality, and identify steps that can be taken to make existing mobile apps more friendly to bandwidth constrained mobile networks. We hypothesize that much of this growth in mobile apps is due to poor resource/code management, and do not reflect proportional increases in functionality. Our hypothesis is partially validated by mini-programs, apps with extremely small footprints gaining popularity in Chinese mobile platforms. Here, we use functionally equivalent pairs of mini-programs and Android apps to identify potential sources of "bloat," i.e., inefficient uses of code or resources that contribute to large package sizes. We analyze a large sample of popular Android apps and quantify instances of code and resource bloat. We develop techniques for automated code and resource trimming, and successfully validate them on a large set of Android apps. We hope our results will lead to continued efforts to streamline mobile apps, making them easier to access and maintain for users in developing regions.

computer science, information systems,telecommunications