
Discovering and understanding android sensor usage behaviors with data flow analysis

World Wide Web

Abstract

Today’s Android-powered smartphones have various embedded sensors that measure acceleration, orientation, light and other environmental conditions. Many functions in third-party applications (apps) need to use these sensors. However, embedded sensors may lead to security issues, as third-party apps can read data from these sensors without claiming any permissions. It has been proven that embedded sensors can be exploited by well-designed malicious apps, resulting in the leakage of users’ private information. In this work, we are motivated to provide an overview of sensor usage patterns in current apps by investigating what, why and how embedded sensors are used in the apps collected from both a Chinese app market called “AppChina” and the official market called “Google Play”. To fulfill this goal, we develop a tool called “SDFDroid” to identify the types of sensors used and to generate the sensor data propagation graphs in each app. We then cluster the apps to find their sensor usage patterns based on their sensor data propagation graphs. We apply our method to 22,010 apps collected from AppChina and 7,601 apps from Google Play. Extensive experiments are conducted, and the experimental results show that most apps implement their sensor-related functions by using third-party libraries. We further study the sensor usage behaviors in the third-party libraries. Our results show that the accelerometer is the most frequently used sensor. Though many third-party libraries use no more than four types of sensors, there are still some third-party libraries that recklessly register all types of sensors. These results call for more attention to better regulating sensor usage in Android apps.
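The following is an added example, not SDFDroid's code or method: a simplified linear scan over disassembled smali that resolves the `Sensor.TYPE_*` constant passed to `SensorManager.getDefaultSensor` or `getSensorList` and attributes each request to the app or to a third-party package. The smali sample, the package names and the function names are constructed assumptions, and the scan tracks constants only within one method rather than performing real data flow analysis.

```python
import re
from collections import defaultdict

# Subset of android.hardware.Sensor TYPE_* constants; -1 is Sensor.TYPE_ALL.
SENSOR_TYPES = {-1: "ALL", 1: "ACCELEROMETER", 2: "MAGNETIC_FIELD", 3: "ORIENTATION",
                4: "GYROSCOPE", 5: "LIGHT", 6: "PRESSURE", 8: "PROXIMITY",
                9: "GRAVITY", 10: "LINEAR_ACCELERATION", 11: "ROTATION_VECTOR"}
CLASS_RE = re.compile(r"^\.class\s+(?:[\w-]+\s+)*L([\w/$]+);")
CONST_RE = re.compile(r"^const(?:/4|/16)?\s+([vp]\d+),\s*(-?0x[0-9a-fA-F]+)")
CALL_RE = re.compile(r"^invoke-virtual\s*\{([^}]*)\},\s*Landroid/hardware/"
                     r"SensorManager;->(getDefaultSensor|getSensorList)\(I\)")

# Constructed sample: two classes concatenated (real smali has one class per file).
SAMPLE_SMALI = """\
.class public Lcom/example/app/MainActivity;
.method public onResume()V
    const/4 v1, 0x1
    invoke-virtual {v0, v1}, Landroid/hardware/SensorManager;->getDefaultSensor(I)Landroid/hardware/Sensor;
.end method
.class public Lcom/adlib/sdk/Tracker;
.method public start()V
    const/4 v2, -0x1
    invoke-virtual {v0, v2}, Landroid/hardware/SensorManager;->getSensorList(I)Ljava/util/List;
    const/4 v3, 0x5
    invoke-virtual {v0, v3}, Landroid/hardware/SensorManager;->getDefaultSensor(I)Landroid/hardware/Sensor;
.end method
"""

def sensor_usage(smali_text, app_package):
    """Map owner ('app' or 'lib:<top-level package>') to requested sensor types."""
    usage, owner, regs = defaultdict(set), "app", {}
    for raw in smali_text.splitlines():
        line = raw.strip()
        if m := CLASS_RE.match(line):
            cls = m.group(1)
            in_app = cls.startswith(app_package)
            owner = "app" if in_app else "lib:" + "/".join(cls.split("/")[:2])
        elif line.startswith(".method"):
            regs = {}  # constants are tracked per method only
        elif m := CONST_RE.match(line):
            regs[m.group(1)] = int(m.group(2), 16)
        elif m := CALL_RE.match(line):
            args = [a.strip() for a in m.group(1).split(",")]
            value = regs.get(args[1]) if len(args) > 1 else None
            usage[owner].add(SENSOR_TYPES.get(value, "UNRESOLVED"))
    return dict(usage)

def owners_requesting_all(usage):
    """Owners that ask for every sensor type via Sensor.TYPE_ALL."""
    return sorted(o for o, types in usage.items() if "ALL" in types)
```

A type argument that is not a literal constant in the same method is reported as `UNRESOLVED`, which is where a data flow analysis of the kind the abstract describes becomes necessary.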


Acknowledgment

The work reported in this paper is partially supported by the Fundamental Research Funds for the Central Universities of China (No. K15JB00190), Shanghai Key Laboratory of Integrated Administration Technologies for Information Security, the Ph.D. Programs Foundation of Ministry of Education of China (No. 20120009120010), the Scientific Research Foundation for the Returned Overseas Chinese Scholars, State Education Ministry (No. K14C300020), and in part by the 111 Project (B14005).

Author information

Corresponding author

Correspondence to Wei Wang.

Additional information

This article is part of the Topical Collection: Special Issue on Security and Privacy of IoT

Guest Editors: Tarik Taleb, Zonghua Zhang, and Hua Wang

About this article

Cite this article

Liu, X., Liu, J., Wang, W. et al. Discovering and understanding android sensor usage behaviors with data flow analysis. World Wide Web 21, 105–126 (2018). https://doi.org/10.1007/s11280-017-0446-0

  • DOI: https://doi.org/10.1007/s11280-017-0446-0
