
Computers & Security

Volume 42, May 2014, Pages 66-76

Evaluating the privacy of Android mobile applications under forensic analysis

https://doi.org/10.1016/j.cose.2014.01.004

Abstract

In this paper, we investigate and evaluate through experimental analysis the possibility of recovering authentication credentials of mobile applications from the volatile memory of Android mobile devices. Throughout the experiments and analysis carried out, we have exclusively used open-source and free forensic tools. Overall, the contribution of this paper is threefold. First, it thoroughly examines thirteen (13) mobile applications, which represent four common application categories that handle sensitive user data, to determine whether it is possible to recover authentication credentials from the physical memory of mobile devices, following thirty (30) different scenarios. Second, it explores, in the considered applications, whether we can discover patterns and expressions that indicate the exact position of authentication credentials in a memory dump. Third, it reveals a set of critical observations regarding the privacy of Android mobile applications and devices.

Introduction

According to recent reports (http://blog.flurry.com/bid/88867/iOS-and-Android-Adoption-Explodes-Internationally), the global adoption of smart phones and tablets has been growing faster than any other consumer technology in history. These small form-factor devices introduce a new processing and communication paradigm, enabling end-users to access and manage a broad set of data and services while on the move. To materialize this, a wide range of mobile applications have been developed, ranging from entertainment and gaming to critical mobile banking and proprietary enterprise applications for accessing corporate resources.

Along with great opportunities, mobile devices reveal new attack vectors for the involved parties (i.e., users, service providers, data owners, etc.) (Mylonas et al., 2013). It is a fact that mobile devices can be easily stolen or misplaced, due to their compact size. The loss of a mobile device can lead to a major privacy breach, since emails, social activities, pictures or any other stored data can be disclosed. A study in 2011, named the lost smart phone problem (Ponemon Institute LLC, 2011), determined that in a 12-month period 142,708 out of 3,297,569 employee smart phones were lost or stolen, i.e., 4.3 percent per year. Moreover, in 2012, researchers from Symantec presented the results of the Smartphone Honey Stick Project (Wright, 2012). In this project, 50 smart phones were intentionally lost in cities around the U.S. and Canada. The phones were loaded with logging software, so that Symantec could keep track of all activities. The study found that in 96 percent of the cases, the finders had accessed the personal data (e.g., email, photos, etc.) that was stored in the lost devices. Moreover, on nearly half of them (43 percent), the finders had attempted to access the owners' online banking applications.

The proliferation of mobile devices has also led to the birth of mobile digital forensics, a branch of digital forensics that deals with the recovery of digital evidence or data from mobile devices under forensically sound conditions. The latter denotes the acquisition of identical copies of the entire available evidence/data, without causing any alteration to the underlying device. Currently, most of the forensic research on mobile devices has focused on: (i) the acquisition and analysis of the internal flash NAND memory and SD cards; (ii) the understanding of the employed file systems; and (iii) the scrutiny of application files for identifying malware. However, little attention has been paid to the acquisition and analysis of the volatile memory, also referred to as random access memory (RAM), of mobile devices. This is the motivation of the present work, which focuses explicitly on the volatile memory of mobile devices. Moreover, this type of memory temporarily holds the authentication credentials (i.e., usernames and passwords) submitted by users to activate security-critical applications (e.g., mobile banking, password managers, etc.).

Previous research has shown that forensic investigators can discover critical information, such as users' authentication credentials, in the volatile memory of desktop computers (Karayianni et al., 2012). Thus, it is worth examining whether such information can be discovered in the volatile memory of mobile devices. Considering that 61 percent of Internet users reuse authentication credentials on multiple websites/services (Consumer Survey, 2012), the disclosure of a single username and/or password is sometimes sufficient to compromise the privacy of all of the user's applications (Mylonas et al., 2013). Especially in the case of applications that deal with sensitive data or functionality (e.g., banking, password managers, e-shopping, etc.), an exposure of authentication credentials can lead to a major privacy breach.

In this paper, we investigate and evaluate through experimental analysis whether we can discover authentication credentials of mobile applications in the volatile memory of rooted mobile devices, following thirty (30) different scenarios (i.e., eleven (11) general scenarios with some time variations). We focus on mobile devices that run the Android operating system (OS), because it is the most widely used one (IDC Worldwide Quarterly, 2013). To perform the experiments, we follow a procedure for the acquisition of the volatile memory of rooted mobile devices under forensically sound conditions. Throughout the experiments and analysis carried out, we have exclusively used open-source, free forensic tools. In total, we have evaluated the privacy of thirteen (13) popular Android applications, which represent four common application categories (i.e., mobile banking, e-shopping/financial applications, password managers, and encryption/data hiding applications) that handle sensitive user data. For every investigated application and each studied scenario, we have performed two sets of experiments, each with a different objective. In the first one, our goal was to check whether we could recover our own submitted credentials from the memory dump of a mobile device. In the second, the goal was to find patterns that indicate where the credentials are located in a memory image. Overall, the contributions of this paper are as follows:

  • (i) Examine, for each investigated application and studied scenario, whether we can discover authentication credentials in the physical memory of mobile devices;

  • (ii) Explore, in the considered applications, whether we can discover patterns and expressions that indicate the position of authentication credentials in a memory dump;

  • (iii) Derive a set of critical observations that provide insights into the privacy of mobile applications under various mobile usage scenarios.

The rest of the paper is organized as follows. Section 2 gives background information on the Android OS and the related work. Section 3 presents the procedure for the acquisition of the volatile memory of Android mobile devices. Section 4 analyzes the experiments carried out. Section 5 elaborates on the results, providing generic observations and remarks regarding the privacy of authentication credentials in Android devices. Finally, section 6 concludes the paper.

Section snippets

Android operating system

Android is a Linux-based OS designed primarily for touch-screen mobile devices such as smart phones and tablet computers. Since its appearance, Android has followed an upward trajectory and gained wide acceptance, reaching triple-digit growth over the last year (IDC Worldwide Quarterly, 2013). Today, it holds approximately 75 percent of the world market and there have been more than 48 billion Android application installations so far, characterizing it as the fastest-growing mobile OS.


Volatile memory acquisition procedure

To dump the volatile memory of a rooted Android mobile device, we used an open-source forensics tool named Linux Memory Extractor (LiME) (http://code.google.com/p/lime-forensics). LiME is a loadable kernel module which allows the acquisition of the volatile memory from Linux and Linux-based devices, such as those powered by Android. LiME is able to acquire the memory pages in a forensically sound manner (approximately 99 percent of memory pages), since it minimizes the impact on the
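Before a LiME dump is searched, an analyst normally records its hash at acquisition time and later splits the file back into the physical address ranges the module wrote. The parser below is an added example, not code from the paper or from the LiME project; it assumes LiME's 32-byte per-range header as documented by the project (little-endian: u32 magic 0x4C694D45, u32 version 1, u64 start address, u64 end address, 8 reserved bytes, then the bytes of that range). The two-range image it parses is constructed in-line, not a real device dump.

```python
"""Parse a LiME-format memory image into its address ranges and hash the
image so it can be compared with the hash recorded at acquisition time.
Added example; header layout assumed from the LiME project's documentation."""
import hashlib
import struct

LIME_MAGIC = 0x4C694D45                  # "EMiL" when read as little-endian u32
HEADER = struct.Struct("<IIQQ8s")        # magic, version, s_addr, e_addr, reserved


def parse_lime(image: bytes) -> list:
    """Walk the image and return one dict per range: physical start/end
    address, file offset of the payload and its length. Raises ValueError
    on a bad or truncated header, so a damaged dump is noticed early."""
    ranges = []
    pos = 0
    while pos < len(image):
        if len(image) - pos < HEADER.size:
            raise ValueError(f"truncated header at file offset {pos}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(image, pos)
        if magic != LIME_MAGIC or version != 1:
            raise ValueError(f"bad LiME header at file offset {pos}")
        length = e_addr - s_addr + 1     # e_addr is inclusive
        payload = pos + HEADER.size
        if payload + length > len(image):
            raise ValueError(f"range {s_addr:#x}-{e_addr:#x} runs past end of file")
        ranges.append({"start": s_addr, "end": e_addr,
                       "offset": payload, "length": length})
        pos = payload + length
    return ranges


def range_bytes(image: bytes, rng: dict) -> bytes:
    """The raw memory of one parsed range."""
    return image[rng["offset"]:rng["offset"] + rng["length"]]


def image_sha256(image: bytes) -> str:
    """Hex digest of the whole file; matching it against the digest taken
    right after `adb pull` is the forensic-soundness check for the copy."""
    return hashlib.sha256(image).hexdigest()


def build_sample_image() -> bytes:
    """Constructed two-range image (not a real dump): 64 bytes at physical
    address 0 and 32 bytes at 1 MiB, each behind a LiME header."""
    sample = [(0x00000000, b"A" * 64), (0x00100000, b"B" * 32)]
    out = bytearray()
    for start, data in sample:
        out += HEADER.pack(LIME_MAGIC, 1, start, start + len(data) - 1, b"\0" * 8)
        out += data
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_image()
    print("sha256:", image_sha256(img))
    for r in parse_lime(img):
        print(f"range {r['start']:#010x}-{r['end']:#010x}: "
              f"{r['length']} bytes at file offset {r['offset']}")
```

The module accepts `format=raw`, `padded` or `lime`; only the last carries these headers, which is why tools that need physical addresses (and this parser) expect that format.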

Experiments

In this section, we present and analyze the experiments carried out. In a three-month period, we examined thirteen (13) Android applications in total, which handle sensitive user data. The majority of the examined applications release updates frequently. It is worth mentioning that all experiments were performed with the latest version of the applications as of June 1st, 2013. Each one of the considered applications employs a username and/or password as data in motion. Based on the

Results

In the first set of experiments, we successfully recovered our own submitted credentials in the majority of the applications, since they were in plaintext, almost without any modification. In some cases, the characters of the retrieved credentials within the memory images were separated by the dot symbol. For example, if the submitted password of an application was the phrase “password”, then we located in the memory image the phrase “p.a.s.s.w.o.r.d.”. The reason of this trivial
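The two experiments described above (recover a credential the analyst submitted herself, then look for a recurring marker in front of it) can be reproduced against any dump with a short scanner. The code below is an added example, not the paper's own tooling; the image and the credential in it are constructed. It assumes that the dotted form the paper reports ("p.a.s.s.w.o.r.d.") is a UTF-16LE Java string shown in a hex viewer that prints the interleaved null bytes as dots, so it searches for both the ASCII and the UTF-16LE encoding, and it finishes with the state a well-behaved application should leave behind, where the same scan finds nothing.

```python
"""Locate a known credential in a memory image in the encodings a Dalvik
process is likely to hold it in, and report the field-like marker that
precedes each hit. Added example; sample image and secret are constructed."""
import re

MARKER_RE = re.compile(r"([A-Za-z0-9_.-]+[=:])\s*$")   # e.g. 'password=' or 'pwd:'
SECRET = "s3cret!"                                     # constructed sample credential


def find_credential(image: bytes, secret: str) -> list:
    """Every offset at which the credential appears as ASCII or UTF-16LE."""
    needles = {"ascii": secret.encode("ascii"),
               "utf-16le": secret.encode("utf-16-le")}
    hits = []
    for enc, needle in needles.items():
        start = 0
        while (off := image.find(needle, start)) >= 0:
            hits.append({"offset": off, "encoding": enc})
            start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


def hex_viewer_text(image: bytes, offset: int, length: int) -> str:
    """Text column of a hex viewer: '.' for anything outside printable
    ASCII, which is what turns UTF-16 'password' into 'p.a.s.s.w.o.r.d.'."""
    return "".join(chr(b) if 32 <= b < 127 else "."
                   for b in image[offset:offset + length])


def preceding_marker(image: bytes, offset: int, encoding: str, limit: int = 32) -> str:
    """Printable run ending right before the hit, decoded in the hit's own
    encoding and reduced to a field-like token (name followed by = or :).
    Collected across dumps, these tokens are the 'patterns' of experiment two."""
    chars = []
    pos = offset
    while len(chars) < limit:
        if encoding == "ascii":
            if pos < 1 or not 32 <= image[pos - 1] < 127:
                break
            pos -= 1
        else:                      # UTF-16LE: printable byte followed by 0x00
            if pos < 2 or image[pos - 1] != 0 or not 32 <= image[pos - 2] < 127:
                break
            pos -= 2
        chars.append(chr(image[pos]))
    m = MARKER_RE.search("".join(reversed(chars)))
    return m.group(1) if m else ""


def scan_report(image: bytes, secret: str) -> list:
    """One record per hit: offset, encoding, preceding marker, viewer text."""
    return [dict(h, marker=preceding_marker(image, h["offset"], h["encoding"]),
                 view=hex_viewer_text(image, h["offset"], len(secret) * (2 if h["encoding"] == "utf-16le" else 1)))
            for h in find_credential(image, secret)]


def scrub(image: bytes, secret: str) -> bytes:
    """Overwrite every copy with zeros: the state an application that wipes
    credentials after use would leave, and the one a scan should report empty."""
    buf = bytearray(image)
    for h in find_credential(image, secret):
        n = len(secret) * (2 if h["encoding"] == "utf-16le" else 1)
        buf[h["offset"]:h["offset"] + n] = b"\0" * n
    return bytes(buf)


def build_sample_image() -> bytes:
    """Constructed stand-in for a dump: filler, a form body held as ASCII,
    then the same password held as a UTF-16LE string behind a label."""
    filler = bytes(range(256)) * 4
    ascii_part = b"user=alice&password=" + SECRET.encode("ascii") + b"\0"
    utf16_part = "pwd:".encode("utf-16-le") + SECRET.encode("utf-16-le")
    return filler + ascii_part + filler[:100] + utf16_part + filler


if __name__ == "__main__":
    img = build_sample_image()
    for rec in scan_report(img, SECRET):
        print(f"{rec['offset']:#08x} {rec['encoding']:8} marker={rec['marker']!r} view={rec['view']!r}")
    print("after scrub:", scan_report(scrub(img, SECRET), SECRET))
```

On a real image the markers that repeat across scenarios (a form field name, a JSON key, a label string) are what let an analyst find the credential without knowing it in advance, which is exactly why an application should clear the buffer rather than rely on the value being hard to spot.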

Conclusions

In this paper, we investigated and evaluated the privacy of Android mobile applications. In particular, we examined whether authentication credentials in the volatile memory of Android mobile devices can be discovered, using open-source forensics tools. The analysis of the results revealed that the majority of the considered Android applications are vulnerable to the recovery of authentication credentials from the volatile memory. It is alarming that even applications that should take security


References (26)

  • A. Mylonas et al. Delegate the smartphone user? Security awareness in the smartphone platforms. Comput Secur (May 2013)
  • J. Sylve et al. Acquisition and analysis of volatile memory from Android device. Digit Investig (Feb 2012)
  • D. Abbott. Linux for embedded and real-time applications (December 2012)
  • D. Apostolopoulos et al. Discovering authentication credentials in volatile memory of Android mobile devices
  • D. Bornstein. Dalvik VM internals
  • A. Case. Memory analysis of the Dalvik (Android) virtual machine (Dec. 2011)
  • Consumer Survey. Password habits (September 2012)
  • E. Girault. Volatilitux: physical memory analysis of Linux systems (Dec. 2010)
  • A. Hoog. Android forensics: investigation, analysis, and mobile security for Google Android (June 2011)
  • http://blog.flurry.com/bid/88867/iOS-and-Android-Adoption-Explodes-Internationally [accessed on May...
  • http://code.google.com/p/lime-forensics [retrieved on Nov....
  • http://developer.Android.com/tools/debugging/ddms.html [accessed on Nov....
  • http://developer.android.com/tools/help/adb.html [accessed on Nov....
Cited by (30)

  • Freeze and Crypt: Linux kernel support for main memory encryption. 2019, Computers and Security
    Citation excerpt: “We leave behind the sensitive traces of our actions not only in the cloud, or on our persistent storage, but also in main memory. The data applications keep in memory usually remains in plaintext, such as credentials, pictures, passwords, or key material, (Apostolopoulos et al., 2013; Ntantogian et al., 2014; Pettersson, 2007; Tang et al., 2012). Especially in sensitive corporate or governmental domains, the reliable protection of valuable and possibly classified data is an important topic.”
  • Forensics Analysis of Android Mobile VoIP Apps. 2017, Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
  • Forensics Analysis of Android Mobile VoIP Apps. 2016, Contemporary Digital Forensic Investigations of Cloud and Mobile Applications
  • Privacy issues of android application permissions: A literature review. 2020, Transactions on Emerging Telecommunications Technologies

Dr. Christoforos Ntantogian received his B.Sc. degree in Computer Science and Telecommunications in 2004 and his M.Sc. degree in Computer Systems Technology in 2006, both from the Department of Informatics and Telecommunications, University of Athens. In 2009 he received his Ph.D. from the University of Athens (Department of Informatics and Telecommunications). Currently, he is a research associate at the Department of Digital Systems of the University of Piraeus. His research interests are software security, digital forensics and data analytics.

Dimitris Apostolopoulos is a graduate of the Computer and Communication Engineering department, University of Thessaly, and holds an M.Sc. degree in Digital Systems Security from the University of Piraeus. Currently, he develops Information Security Policies, Standards and Procedures based on ISO 27001 and other legal and regulatory requirements.

Giannis Marinakis received his B.Sc. degree in Electronics, Computers, and Telecommunications from the Department of Physics of the National and Kapodistrian University of Athens and an M.Sc. degree in Digital Systems Security from the University of Piraeus. Currently, he works as a software engineer designing, developing, and maintaining HR software.

Dr. Christos Xenakis received his B.Sc. degree in computer science in 1993 and his M.Sc. degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his Ph.D. from the same Department. From 1996 to 2007 he was a member of the Communication Networks Laboratory of the University of Athens. Since 2007 he has been a faculty member of the Department of Digital Systems of the University of Piraeus, Greece, where he is currently an Assistant Professor and member of the System Security Laboratory.