DOI: 10.1145/2508859.2516661
Research article

Identity, location, disease and more: inferring your secrets from Android public resources

Published: 04 November 2013

Abstract

The design of Android is based on a set of unprotected shared resources, including those inherited from Linux (e.g., Linux public directories). However, the dramatic development of Android applications (apps for short) makes available a large amount of public background information (e.g., social networks, public online services), which can potentially turn such originally harmless resource sharing into serious privacy breaches. In this paper, we report our work on this important yet understudied problem. We discovered three unexpected channels of information leaks on Android: per-app data-usage statistics, ARP information, and speaker status (on or off). By monitoring these channels, an app without any permission may acquire sensitive information such as a smartphone user's identity, the disease condition she is interested in, her geo-location and her driving route, from top-of-the-line Android apps. Furthermore, we show that, using existing and new techniques, this zero-permission app can both determine when its target (a particular application) is running and send the collected data stealthily to a remote adversary. These findings call into question the soundness of the design assumptions on shared resources and demand effective solutions. To this end, we present a mitigation mechanism for achieving a delicate balance between the utility and the privacy of such resources.


Published In

CCS '13: Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security
November 2013, 1530 pages
ISBN: 9781450324779
DOI: 10.1145/2508859
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

  1. information leaks
  2. mobile security
  3. privacy

Qualifiers

  • Research-article

Conference

CCS '13

Acceptance Rates

CCS '13 paper acceptance rate: 105 of 530 submissions, 20%
Overall acceptance rate: 1,261 of 6,999 submissions, 18%

Article Metrics

  • Downloads (last 12 months): 58
  • Downloads (last 6 weeks): 8
Reflects downloads up to 05 Mar 2025

Cited By

  • (2025) MagSpy: Revealing User Privacy Leakage via Magnetometer on Mobile Devices. IEEE Transactions on Mobile Computing 24(3):2455-2469. DOI: 10.1109/TMC.2024.3495506. Online publication date: Mar 2025.
  • (2024) Is It Safe to Share Your Files? An Empirical Security Analysis of Google Workspace. Proceedings of the ACM Web Conference 2024, pages 1892-1901. DOI: 10.1145/3589334.3645697. Online publication date: 13 May 2024.
  • (2024) Function Interaction Risks in Robot Apps: Analysis and Policy-Based Solution. IEEE Transactions on Dependable and Secure Computing 21(4):4236-4253. DOI: 10.1109/TDSC.2023.3348772. Online publication date: Jul 2024.
  • (2024) Enhancement and formal verification of the ICC mechanism with a sandbox approach in android system. Software Quality Journal 32(3):1175-1202. DOI: 10.1007/s11219-024-09684-2. Online publication date: 27 Jun 2024.
  • (2024) MarcoPolo: A Zero-Permission Attack for Location Type Inference from the Magnetic Field Using Mobile Devices. Cryptology and Network Security, pages 3-24. DOI: 10.1007/978-981-97-8016-7_1. Online publication date: 29 Sep 2024.
  • (2023) Exploring Personal Data Processing in Video Conferencing Apps. Electronics 12(5):1247. DOI: 10.3390/electronics12051247. Online publication date: 5 Mar 2023.
  • (2023) Application Identification Based on Overlap Relationship of Concurrent Flows and Their Durations. Proceedings of the 2023 International Conference on Communication Network and Machine Learning, pages 88-92. DOI: 10.1145/3640912.3640929. Online publication date: 27 Oct 2023.
  • (2023) I Know Your Social Network Accounts: A Novel Attack Architecture for Device-Identity Association. IEEE Transactions on Dependable and Secure Computing 20(2):1017-1030. DOI: 10.1109/TDSC.2022.3147785. Online publication date: 1 Mar 2023.
  • (2023) Uncovering User Interactions on Smartphones via Contactless Wireless Charging Side Channels. 2023 IEEE Symposium on Security and Privacy (SP), pages 3399-3415. DOI: 10.1109/SP46215.2023.10179322. Online publication date: May 2023.
  • (2023) Brake-Signal-Based Driver's Location Tracking in Usage-Based Auto Insurance Programs. IEEE Internet of Things Journal 10(12):10172-10189. DOI: 10.1109/JIOT.2023.3237759. Online publication date: 15 Jun 2023.
