Evaluating the privacy of Android mobile applications under forensic analysis
Introduction
According to recent reports (http://blog.flurry.com/bid/88867/iOS-and-Android-Adoption-Explodes-Internationally), the global adoption of smart phones and tablets has been growing faster than any other consumer technology in history. These small form-factor devices introduce a new processing and communication paradigm, enabling end-users to access and manage a broad set of data and services while on the move. To materialize this, a wide range of mobile applications has been developed, ranging from entertainment and gaming to critical mobile banking and proprietary enterprise applications for accessing corporate resources.
Along with great opportunities, mobile devices reveal new attack vectors for the involved parties (i.e., users, service providers, data owners, etc.) (Mylonas et al., 2013). Due to their compact size, mobile devices are easily stolen or misplaced. The loss of a mobile device can lead to a major privacy breach, since emails, social activities, pictures or any other stored data can be disclosed. A 2011 study on the lost smart phone problem (Ponemon Institute LLC, 2011) determined that in a 12-month period 142,708 out of 3,297,569 employee smart phones were lost or stolen, i.e., 4.3 percent per year. Moreover, in 2012, researchers from Symantec presented the results of the Smartphone Honey Stick Project (Wright, 2012). In this project, 50 smart phones were intentionally lost in cities around the U.S. and Canada. The phones were loaded with logging software, so that Symantec could keep track of all activities. The study found that in 96 percent of the cases the finders had accessed the personal data (e.g., email, photos, etc.) stored in the lost devices. Moreover, on nearly half of them (43 percent), the finders had attempted to access the owners' online banking applications.
The proliferation of mobile devices has also led to the birth of mobile digital forensics, a branch of digital forensics that deals with the recovery of digital evidence or data from mobile devices under forensically sound conditions. The latter denotes the acquisition of identical copies of all available evidence/data, without causing any alteration to the underlying device. Currently, most forensic research on mobile devices has focused on: (i) the acquisition and analysis of the internal flash NAND memory and SD cards; (ii) the understanding of the employed file systems; and (iii) the scrutiny of application files to identify malware. However, little attention has been paid to the acquisition and analysis of the volatile memory, also referred to as random access memory (RAM), of mobile devices. This is the motivation of the present work, which focuses explicitly on the volatile memory of mobile devices. Moreover, this type of memory temporarily holds the authentication credentials (i.e., usernames and passwords) submitted by users to activate security-critical applications (e.g., mobile banking, password managers, etc.).
Previous research has shown that forensic investigators can discover critical information, such as users' authentication credentials, in the volatile memory of desktop computers (Karayianni et al., 2012). Thus, it is worth examining whether such information can also be discovered in the volatile memory of mobile devices. Considering that 61 percent of Internet users reuse authentication credentials on multiple websites/services (Consumer Survey, 2012), the disclosure of a single username and/or password is sometimes sufficient to compromise the privacy of all the user's applications (Mylonas et al., 2013). Especially in the case of applications that deal with sensitive data or functionality (e.g., banking, password managers, e-shopping, etc.), an exposure of authentication credentials can lead to a major privacy breach.
In this paper, we investigate and evaluate through experimental analysis whether authentication credentials of mobile applications can be discovered in the volatile memory of rooted mobile devices, following thirty (30) different scenarios (i.e., eleven (11) general scenarios with some time variations). We focus on mobile devices that run the Android operating system (OS), because it is the most widely used one (IDC Worldwide Quarterly, 2013). To perform the experiments, we follow a procedure for the acquisition of the volatile memory of rooted mobile devices under forensically sound conditions. Throughout the experiments and analysis, we have used exclusively open-source, free forensic tools. In total, we have evaluated the privacy of thirteen (13) popular Android applications, which represent four common application categories (i.e., mobile banking, e-shopping/financial applications, password managers, and encryption/data hiding applications) that process sensitive user data. For every investigated application and each studied scenario, we performed two sets of experiments, each with a different objective. In the first, our goal was to check whether we could recover our own submitted credentials from the memory dump of a mobile device. In the second, the goal was to find patterns that indicate where the credentials are located in a memory image. Overall, the contributions of this paper are as follows:
- (i) Examine, for each investigated application and studied scenario, whether authentication credentials can be discovered in the physical memory of mobile devices;
- (ii) Explore, in the considered applications, whether patterns and expressions can be discovered that indicate the position of authentication credentials in a memory dump;
- (iii) Derive a set of critical observations that provide insights into the privacy of mobile applications under various mobile usage scenarios.
The rest of the paper is organized as follows. Section 2 gives background information on the Android OS and the related work. Section 3 presents the procedure for the acquisition of the volatile memory of Android mobile devices. Section 4 analyzes the experiments carried out. Section 5 elaborates on the results, providing generic observations and remarks regarding the privacy of authentication credentials in Android devices. Finally, Section 6 concludes the paper.
Section snippets
Android operating system
Android is a Linux-based OS designed primarily for touch screen mobile devices such as smart phones and tablet computers. Since its appearance, Android has followed an upward trajectory and gained wide acceptance, reaching triple-digit growth over the last year (IDC Worldwide Quarterly, 2013). Today, it holds approximately 75 percent of the world market and there have been more than 48 billion Android application installations so far, characterizing it as the fastest-growing mobile OS.
Volatile memory acquisition procedure
To dump the volatile memory of a rooted Android mobile device, we used an open-source forensics tool named Linux Memory Extractor (LiME) (http://code.google.com/p/lime-forensics). LiME is a loadable kernel module that allows the acquisition of the volatile memory from Linux and Linux-based devices, such as those powered by Android. LiME is able to acquire the memory pages in a forensically sound manner (approximately 99 percent of memory pages), since it minimizes the impact on the
Experiments
In this section, we present and analyze the experiments carried out. Over a three-month period, we examined thirteen (13) Android applications in total, which process sensitive user data. The majority of the examined applications release updates frequently. It is worth mentioning that all experiments were performed with the latest version of the applications as of June 1st, 2013. Each one of the considered applications employs a username and/or password as data in motion. Based on the
Results
In the first set of experiments, we successfully recovered our own submitted credentials in the majority of the applications, since they were stored in plaintext, almost without modification. In some cases, the characters of the retrieved credentials within the memory images were separated by the dot symbol. For example, when the submitted password of an application was the phrase “password”, we located in the memory image the phrase “p.a.s.s.w.o.r.d.”. The reason for this trivial
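The two experiments described in the Experiments and Results sections (searching a memory image for a credential the tester submitted, then looking for recurring patterns around the hits) can be reproduced with a small scanner. The following is an added example written for this page, not code from the paper or its authors. It runs over a constructed byte string standing in for a memory dump; the names, the sample data and the choice of a 32-byte context window are the example's own. The paper's explanation of the dot-separated appearance is cut off above; this example assumes that appearance arises when two-byte-per-character text is viewed through an ASCII-only tool, so the zero bytes render as dots, and it searches for that encoding as well as plain ASCII.

```python
"""Scanner that reproduces the two experiments on a constructed memory image.

Experiment 1: look for a credential the tester submitted.
Experiment 2: report the printable bytes preceding each hit, so that
recurring field names (patterns) that sit next to credentials can be spotted.
Added example; all names and sample data are the example's own assumptions.
"""
import re


def encodings_of(secret: str) -> dict:
    """Byte forms a string may take in a dump (assumption: ASCII or UTF-16-LE).

    UTF-16-LE is what yields the 'p.a.s.s.w.o.r.d.' look when a dump is
    viewed with an ASCII-only tool: every other byte is zero and renders as '.'.
    """
    return {
        "ascii": secret.encode("ascii"),
        "utf-16-le": secret.encode("utf-16-le"),
    }


def find_credential(image: bytes, secret: str) -> list:
    """Experiment 1: return (offset, encoding) for every occurrence of secret."""
    hits = []
    for name, needle in encodings_of(secret).items():
        start = 0
        while True:
            idx = image.find(needle, start)
            if idx < 0:
                break
            hits.append((idx, name))
            start = idx + 1
    return sorted(hits)


def context_strings(image: bytes, offset: int, window: int = 32, min_len: int = 4) -> list:
    """Experiment 2: printable ASCII runs in the `window` bytes before a hit.

    Field names such as 'password=' next to the value are the patterns that
    let an analyst locate a credential without knowing its value in advance.
    """
    lo = max(0, offset - window)
    chunk = image[lo:offset]
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, chunk)]


def dotted_view(image: bytes, offset: int, length: int) -> str:
    """Render bytes as a strings-style tool would: non-printables become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7f else "." for b in image[offset:offset + length])


# Constructed sample image (not a real dump): an ASCII form-encoded login
# request, some filler, then the same password stored as a UTF-16-LE string
# next to a short field name.
SAMPLE_IMAGE = (
    b"\x00" * 40
    + b"username=alice&password=S3cretPass!&remember=1"
    + b"\xff" * 64
    + b"pass\x00" + "S3cretPass!".encode("utf-16-le")
    + b"\x00" * 40
)


def report(image: bytes, secret: str) -> list:
    """Tie both experiments together; one dict per hit."""
    out = []
    for off, enc in find_credential(image, secret):
        n = len(encodings_of(secret)[enc])
        out.append({
            "offset": off,
            "encoding": enc,
            "seen_as": dotted_view(image, off, n),
            "preceding": context_strings(image, off),
        })
    return out


if __name__ == "__main__":
    for hit in report(SAMPLE_IMAGE, "S3cretPass!"):
        print(hit)
```

On the constructed image the scanner finds the password twice: once as plain ASCII preceded by `username=alice&password=`, and once as UTF-16-LE, which `dotted_view` renders as `S.3.c.r.e.t.P.a.s.s.!.`, the same dot-separated form the paper reports. The same functions can be pointed at a real image file read as bytes, which makes the check usable by an application developer who wants to confirm that a submitted credential is no longer resident after logout.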
Conclusions
In this paper, we investigated and evaluated the privacy of Android mobile applications. In particular, we examined whether authentication credentials in the volatile memory of Android mobile devices can be discovered, using open-source forensics tools. The analysis of the results revealed that the majority of the considered Android applications are vulnerable to the recovery of authentication credentials from the volatile memory. It is alarming that even applications that should take security
References (26)
- Mylonas A, et al. Delegate the smartphone user? Security awareness in the smartphone platforms. Comput Secur (May 2013).
- Sylve J, et al. Acquisition and analysis of volatile memory from android device. Digit Investig (Feb 2012).
- Abbott D. Linux for embedded and real-time applications (December 2012).
- Apostolopoulos D, et al. Discovering authentication credentials in volatile memory of Android mobile devices (2013).
- Bornstein D. Dalvik VM internals.
- Case A. Memory analysis of the Dalvik (Android) virtual machine (Dec. 2011).
- Consumer Survey. Password habits (September 2012).
- Girault E. Volatilitux: physical memory analysis of Linux systems (Dec. 2010).
- Hoog A. Android forensics: investigation, analysis, and mobile security for Google Android (June 2011).
- http://blog.flurry.com/bid/88867/iOS-and-Android-Adoption-Explodes-Internationally [accessed on May...
Cited by (30)
- Freeze and Crypt: Linux kernel support for main memory encryption. Computers and Security, 2019. Citation excerpt: "We leave behind the sensitive traces of our actions not only in the cloud, or on our persistent storage, but also in main memory. The data applications keep in memory usually remains in plaintext, such as credentials, pictures, passwords, or key material (Apostolopoulos et al., 2013; Ntantogian et al., 2014; Pettersson, 2007; Tang et al., 2012). Especially in sensitive corporate or governmental domains, the reliable protection of valuable and possibly classified data is an important topic."
- Forensics Analysis of Android Mobile VoIP Apps. Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, 2017.
- Forensics Analysis of Android Mobile VoIP Apps. Contemporary Digital Forensic Investigations of Cloud and Mobile Applications, 2016.
- A survey of information security incident handling in the cloud. Computers and Security, 2015.
- Antecedents of Apps Download Intention: An Empirical Study of Google Play. Journal of Quality, 2023.
- Privacy issues of android application permissions: A literature review. Transactions on Emerging Telecommunications Technologies, 2020.
Dr. Christoforos Ntantogian received his B.Sc. degree in Computer Science and Telecommunications in 2004 and his M.Sc. degree in Computer Systems Technology in 2006 both from the Department of Informatics and Telecommunications, University of Athens. In 2009 he received his Ph.D. from the University of Athens (Department of Informatics and Telecommunications). Currently, he is a research associate at the Department of Digital Systems of the University of Piraeus. His research interests are software security, digital forensics and data analytics.
Dimitris Apostolopoulos is a graduate of the Computer and Communication Engineering department, University of Thessaly, and holds an M.Sc. degree in Digital Systems Security from the University of Piraeus. Currently, he develops Information Security Policies, Standards and Procedures based on ISO 27001 and other legal and regulatory requirements.
Giannis Marinakis received his B.Sc. degree in Electronics, Computers, and Telecommunications from the Department of Physics of the National and Kapodistrian University of Athens and an M.Sc. degree in Digital Systems Security from the University of Piraeus. Currently, he works as a software engineer designing, developing, and maintaining HR software.
Dr. Christos Xenakis received his B.Sc. degree in computer science in 1993 and his M.Sc. degree in telecommunication and computer networks in 1996, both from the Department of Informatics and Telecommunications, University of Athens, Greece. In 2004 he received his Ph.D. from the same Department. From 1996 to 2007 he was a member of the Communication Networks Laboratory of the University of Athens. Since 2007 he has been a faculty member of the Department of Digital Systems of the University of Piraeus, Greece, where he is currently an Assistant Professor and a member of the System Security Laboratory.