skip to main content
short-paper
Free access

TaintDroid: an information flow tracking system for real-time privacy monitoring on smartphones

Published: 01 March 2014 Publication History

Abstract

Today's smartphone operating systems frequently fail to provide users with adequate control over and visibility into how third-party applications use their privacy-sensitive data. We address these shortcomings with TaintDroid, an efficient, systemwide dynamic taint tracking and analysis system capable of simultaneously tracking multiple sources of sensitive data. TaintDroid provides real-time analysis by leveraging Android's virtualized execution environment. Using TaintDroid to monitor the behavior of 30 popular third-party Android applications, we found 68 instances of misappropriation of users' location and device identification information across 20 applications. Monitoring sensitive data with TaintDroid provides informed use of third-party applications for phone users and valuable input for smartphone security service firms seeking to identify misbehaving applications.

References

[1]
Chandra, D., Franz, M. Fine-grained information flow analysis and enforcement in a Java virtual machine. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC) (Dec. 2007).
[2]
Cheng, W., Zhao, Q., Yu, B., Hiroshige, S. TaintTrace: efficient flow tracing with dyanmic binary rewriting. In Proceedings of the IEEE Symposium on Computers and Communications (ISCC) (Jun. 2006), 749--754.
[3]
Chow, J., Pfaff, B., Garfinkel, T., Christopher, K., Rosenblum, M. Understanding data lifetime via whole system simulation. In Proceedings of the 13th USENIX Security Symposium (Aug. 2004).
[4]
Clause, J., Li, W., Orso, A. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 International Symposium on Software Testing and Analysis (2007), 196--206.
[5]
Costa, M., Crowcroft, J., Castro, M., Rowstron, A., Zhou, L., Zhang, L., Barham, P. Vigilante: end-to-end containment of internet worms. In Proceedings of the ACM Symposium on Operating Systems Principles (Oct. 2005), 133--147.
[6]
Crandall, J.R., Chong, F.T. Minos: control data attack prevention orthogonal to memory model. In Proceedings of the International Symposium on Microarchitecture (Dec. 2004), 221--232.
[7]
Denning, D.E., Denning, P.J. Certification of Programs for Secure Information Flow. Commun. ACM 20, 7 (Jul. 1977).
[8]
Egele, M., Kruegel, C., Kirda, E., Yin, H., Song, D. Dyanmic spyware analysis. In Proceedings of the USENIX Annual Technical Conference (Jun. 2007), 233--246.
[9]
Enck, W., Gilbert, P., Chun, B.G., Cox, L.P., Jung, J., McDaniel, P., Sheth, A.N. TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation (OSDI) (Oct. 2010).
[10]
Haldar, V., Chandra, D., Franz, M. Dynamic taint propagation for Java. In Proceedings of the 21st Annual Computer Security Applications Conference (ACSAC) (Dec. 2005), 303--311.
[11]
Halfond, W.G., Orso, A., Manolios, P. WASP: protecting web applications using positive tainting and syntax-aware evaluation. IEEE Trans. Softw. Eng. 34, 1 (2008), 65--81.
[12]
Ho, A., Fetterman, M., Clark, C., Warfield, A., Hand, S. Practical taint-based protection using demand emulation. In Proceedings of the European Conference on Computer Systems (EuroSys) (Apr. 2006), 29--41.
[13]
Lam, L.C., cker Chiueh, T. A general dynamic information flow tracking framework for security applications. In Proceedings of the Annual Computer Security Applications Conference (ACSAC) (Dec. 2006), 463--472.
[14]
Myers, A.C. JFlow: practical mostly-static information flow control. In Proceedings of the ACM Symposium on Principles of Programming Langauges (POPL) (Jan. 1999).
[15]
Nair, S.K., Simpson, P.N., Crispo, B., Tanenbaum, A.S. A virtual machine based information flow control system for policy enforcement. In The 1st International Workshop on Run Time Enforcement for Mobile and Distributed Systems (REM) (2007).
[16]
Newsome, J., Song, D. Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software. In Proceedings of the 12th Network and Distributed System Security Symposium (NDSS) (2005).
[17]
Qin, F., Wang, C., Li, Z., seop Kim, H., Zhou, Y., Wu, Y. LIFT: a low-overhead practical information flow tracking system for detecting security attacks. In Proceedings of the 39th Annual IEEE/ACM International Symposium on Microarchitecture (2006), 135--148.
[18]
Saxena, P., Sekar, R., Puranik, V. Efficient fine-grained binary instrumentation with applications to taint-tracking. In Proceedings of the IEEE/ACM symposium on Code Generation and Optimization (CGO) (Apr. 2008), 74--83,.
[19]
Suh, G.E., Lee, J.W., Zhang, D., Devadas, S. Secure program execution via dynamic information flow tracking. In Proceedings of the Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS) (Oct. 2004), 85--96.
[20]
Vachharajani, N., Bridges, M.J., Chang, J., Rangan, R., Ottoni, G., Blome, J.A., Reis, G.A., Vachharajani, M., August, D.I. RIFLE: an architectural framework for user-centric information-flow security. In Proceedings of the 37th annual IEEE/ACM International Symposium on Microarchitecture (2004), 243--254.
[21]
Vogt, P., Nentwich, F., Jovanovic, N., Kirda, E., Kruegel, C., Vigna, G. Cross-site scripting prevention with dynamic data tainting and static analysis. In Proceedings of the 14th Network and Distributed System Security Symposium (2007).
[22]
Xu, W., Bhatkar, S., Sekar, R. Taint-enhanced policy enforcement: a practical approach to defeat a wide range of attacks. In Proceedings of the USENIX Security Symposium (Aug. 2006), 121--136.
[23]
Yin, H., Song, D., Egele, M., Kruegel, C., Kirda, E. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceedings of the 14th ACM Conference on Computer and Communications Security (2007), 116--127.
[24]
Yip, A., Wang, X., Zeldovich, N., Kaashoek, M.F. Improving application security with data flow assertions. In Proceedings of the ACM Symposium on Operating Systems Principles (Oct. 2009).
[25]
Zhu, D.Y., Jung, J., Song, D., Kohno, T., Wetherall, D. Tainteraser: protecting sensitive data leaks using application-level taint tracking. Operating Sys. Rev. 45, 1 (2011), 142--154.

Cited By

View all
  • (2024)Implementing a hybrid Android sandbox for malware analysisDüzce Üniversitesi Bilim ve Teknoloji Dergisi10.29130/dubited.123977912:2(1114-1125)Online publication date: 29-Apr-2024
  • (2024)A Privacy Leak Detection Mechanism based on Service Binding2024 10th International Symposium on System Security, Safety, and Reliability (ISSSR)10.1109/ISSSR61934.2024.00018(92-103)Online publication date: 16-Mar-2024
  • (2024)Android Malware Detection: An Empirical Investigation into Machine Learning Classifiers2024 IEEE International Conference on Information Reuse and Integration for Data Science (IRI)10.1109/IRI62200.2024.00039(144-149)Online publication date: 7-Aug-2024
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image Communications of the ACM
Communications of the ACM  Volume 57, Issue 3
March 2014
99 pages
ISSN:0001-0782
EISSN:1557-7317
DOI:10.1145/2566590
  • Editor:
  • Moshe Y. Vardi
Issue’s Table of Contents
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 01 March 2014
Published in CACM Volume 57, Issue 3

Permissions

Request permissions for this article.

Check for updates

Qualifiers

  • Short-paper
  • Research
  • Refereed

Funding Sources

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)378
  • Downloads (Last 6 weeks)46
Reflects downloads up to 11 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2024)Implementing a hybrid Android sandbox for malware analysisDüzce Üniversitesi Bilim ve Teknoloji Dergisi10.29130/dubited.123977912:2(1114-1125)Online publication date: 29-Apr-2024
  • (2024)A Privacy Leak Detection Mechanism based on Service Binding2024 10th International Symposium on System Security, Safety, and Reliability (ISSSR)10.1109/ISSSR61934.2024.00018(92-103)Online publication date: 16-Mar-2024
  • (2024)Android Malware Detection: An Empirical Investigation into Machine Learning Classifiers2024 IEEE International Conference on Information Reuse and Integration for Data Science (IRI)10.1109/IRI62200.2024.00039(144-149)Online publication date: 7-Aug-2024
  • (2024)Taint Analysis for Graph APIs Focusing on Broken Access ControlGraph Transformation10.1007/978-3-031-64285-2_10(180-200)Online publication date: 2-Jul-2024
  • (2023)Data-Dependent Confidentiality in DCR GraphsProceedings of the 25th International Symposium on Principles and Practice of Declarative Programming10.1145/3610612.3610619(1-13)Online publication date: 22-Oct-2023
  • (2023)Privacy Rating for Android Apps2023 International Conference on Artificial Intelligence and Smart Communication (AISC)10.1109/AISC56616.2023.10085462(671-675)Online publication date: 27-Jan-2023
  • (2023)Detection of Android Malwares on IOT Platform Using PCA and Machine LearningProceedings of International Conference on Recent Innovations in Computing10.1007/978-981-19-9876-8_16(193-205)Online publication date: 3-May-2023
  • (2023)Context Correlation for Automated Dynamic Android App Analysis to Improve Impact Rating of Privacy and Security FlawsRisks and Security of Internet and Systems10.1007/978-3-031-31108-6_1(1-17)Online publication date: 14-May-2023
  • (2023)Detection and Privacy Leakage Analysis of Third-Party Libraries in Android AppsSecurity and Privacy in Communication Networks10.1007/978-3-031-25538-0_30(569-587)Online publication date: 4-Feb-2023
  • (2022)The rise of obfuscated Android malware and impacts on detection methodsPeerJ Computer Science10.7717/peerj-cs.9078(e907)Online publication date: 9-Mar-2022
  • Show More Cited By

View Options

View options

PDF

View or Download as a PDF file.

PDFChinese translation

eReader

View online with eReader.

eReader

Digital Edition

View this article in digital edition.

Digital Edition

Magazine Site

View this article on the magazine site (external)

Magazine Site

Login options

Full Access

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media