Enhanced Identification of Sensitive User Inputs in Mobile Applications

Mashael Aldayel, Mohammad Alhussain

2017

Abstract

While smartphones and their apps play a fundamental role in our lives, privacy is a critical issue. With the constant growth of mobile applications, smartphones are now capable of satisfying all kinds of users’ needs, handling more private and restricted tasks for their users and gaining more access to sensitive and private data. This issue is made worse by the current absence of methods that can notify users of potentially dangerous privacy leaks in mobile apps without disturbing them with apps’ legitimate privacy exposures. Previous mobile privacy disclosure approaches mostly concentrate on well-defined sources controlled by the smartphone. They do not cover all sensitive data associated with users’ privacy. Also, they cannot filter out the legitimate privacy disclosures that are commonly found in detection results and consequently conceal true threats. Sensitive user inputs entered through the UI (User Interface) are the dominant type of sensitive data, and they have been almost ignored. Protecting this kind of information cannot be accomplished automatically using existing techniques because it requires understanding the semantics of user inputs in apps before identifying their positions. Moreover, eliminating legitimate privacy disclosures requires tracking the related app data flows from these user inputs to various sinks. Such tracking helps determine whether a privacy disclosure is valid or suspicious. To address all these important issues, we propose an enhanced approach for detecting user input privacy disclosures that are truly suspicious.
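The two stages the abstract describes, identifying sensitive inputs from their UI semantics and then filtering the flows from those inputs to sinks, as an added illustration that is not the paper's own code: the keyword lexicon, the layout fragment, the flow facts and the app's domain list are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Keyword lexicon for input semantics (an assumption of this example, not the paper's lexicon).
SENSITIVE_TERMS = {
    "credential": ["password", "passwd", "pin"],
    "financial": ["credit card", "card number", "cvv", "iban"],
    "identity": ["ssn", "passport", "national id"],
}
# Constructed layout fragment standing in for an app's res/layout XML.
LAYOUT_XML = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@+id/user" android:hint="Username"/>
  <EditText android:id="@+id/pwd" android:hint="Password" android:inputType="textPassword"/>
  <EditText android:id="@+id/card" android:hint="Credit card number"/>
</LinearLayout>"""
# Constructed flow facts (source widget id, sink, destination) as a UI-to-sink taint analysis would report them.
FLOWS = [
    ("pwd", "network", "login.example-bank.test"),  # first-party login endpoint
    ("pwd", "log", None),                            # password written to the system log
    ("card", "network", "ads.tracker.test"),        # card number sent to a third party
    ("user", "network", "ads.tracker.test"),        # non-sensitive input, same third party
]
APP_DOMAINS = {"login.example-bank.test"}  # endpoints the app legitimately uses (assumed)

def classify_inputs(layout_xml):
    """Step 1: infer each EditText's sensitivity from its hint, id and inputType."""
    inputs = {}
    for node in ET.fromstring(layout_xml).iter("EditText"):
        wid = node.get(ANDROID + "id", "").split("/")[-1]
        text = " ".join([node.get(ANDROID + "hint", ""), wid,
                         node.get(ANDROID + "inputType", "")]).lower()
        category = None
        for cat, terms in SENSITIVE_TERMS.items():
            if any(re.search(r"\b%s\b" % re.escape(t), text) for t in terms):
                category = cat
                break
        if category is None and "textpassword" in text:
            category = "credential"  # masked field is a credential even without a keyword hit
        inputs[wid] = category
    return inputs

def suspicious_flows(inputs, flows, app_domains):
    """Step 2: keep flows from sensitive inputs that are not a legitimate first-party disclosure."""
    findings = []
    for src, sink, dest in flows:
        category = inputs.get(src)
        if category is None or (sink == "network" and dest in app_domains):
            continue  # non-sensitive source, or the expected transmission to the app's own backend
        findings.append((src, category, sink, dest))
    return findings
```

Running `suspicious_flows(classify_inputs(LAYOUT_XML), FLOWS, APP_DOMAINS)` keeps only the password logged locally and the card number sent to the third party; the first-party login upload and the username flow are suppressed.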


Paper Citation


in Harvard Style

Aldayel M. and Alhussain M. (2017). Enhanced Identification of Sensitive User Inputs in Mobile Applications. In Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-209-7, pages 506-515. DOI: 10.5220/0006238405060515


in Bibtex Style

@conference{icissp17,
author={Mashael Aldayel and Mohammad Alhussain},
title={Enhanced Identification of Sensitive User Inputs in Mobile Applications},
booktitle={Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP},
year={2017},
pages={506-515},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0006238405060515},
isbn={978-989-758-209-7},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 3rd International Conference on Information Systems Security and Privacy - Volume 1: ICISSP
TI - Enhanced Identification of Sensitive User Inputs in Mobile Applications
SN - 978-989-758-209-7
AU - Aldayel M.
AU - Alhussain M.
PY - 2017
SP - 506
EP - 515
DO - 10.5220/0006238405060515