Abstract
Modern smartphone apps tend to contain and use vast amounts of data that can be broadly classified as structured and unstructured. Structured data, such as a user’s geolocation, has predefined semantics and can be retrieved through well-defined platform APIs. Unstructured data, on the other hand, relies on the context of the app to reflect its meaning and value, and is typically entered by the user directly into an app’s interface. Recent research has shown that third-party apps are leaking highly sensitive unstructured data, including users’ banking credentials. Unfortunately, none of the current solutions focus on the protection of unstructured data.
In this paper, we propose an owner-centric solution to protect unstructured data on smartphones. Our approach allows data owners to specify security policies when providing their untrusted data to third-party apps. It tracks the flow of information to enforce the owner’s policies at strategic exit points. Based on this approach, we design and implement a system called DataChest. We develop several mechanisms to reduce user burden and keep interruptions to a minimum, while at the same time preventing malicious apps from tricking the user. We evaluate our system against a set of real-world malicious apps and a series of synthetic attacks to show that it can successfully prevent the leakage of unstructured data while incurring reasonable performance overhead.
Copyright information
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Zhou, Y., Singh, K., Jiang, X. (2014). Owner-Centric Protection of Unstructured Data on Smartphones. In: Holz, T., Ioannidis, S. (eds) Trust and Trustworthy Computing. Trust 2014. Lecture Notes in Computer Science, vol 8564. Springer, Cham. https://doi.org/10.1007/978-3-319-08593-7_4
DOI: https://doi.org/10.1007/978-3-319-08593-7_4
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08592-0
Online ISBN: 978-3-319-08593-7
eBook Packages: Computer Science (R0)