DOI: 10.1145/2940343.2940346
Research article

Android privacy C(R)ache: reading your external storage and sensors for fun and profit

Published: 05 July 2016

Abstract

Android's permission system empowers informed privacy decisions when installing third-party applications. However, examining the access permissions is not enough to assess privacy exposure; even seemingly harmless applications can severely expose user data. This is what we demonstrate here: an application with the common READ_EXTERNAL_STORAGE and INTERNET permissions can be the basis of extracting and inferring a wealth of private information. What has been overlooked is that such a "curious" application can prey on data stored in Android's commonly accessible external storage or on unprotected phone sensors. By accessing and stealthily extracting data thought to be unworthy of protection, we manage to access highly sensitive information: user identifiers and habits. Leveraging data-mining techniques, we explore a set of popular applications, establishing that there is a clear privacy danger for numerous users installing innocent-looking but, possibly, "curious" applications.


Published In

PAMCO '16: Proceedings of the 1st ACM Workshop on Privacy-Aware Mobile Computing
July 2016
66 pages
ISBN:9781450343466
DOI:10.1145/2940343

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android permissions
  2. external storage
  3. monitoring
  4. personal data leakage
  5. profiling

Qualifiers

  • Research-article

Conference

MobiHoc'16
Cited By

  • (2022) Watch Out for Race Condition Attacks When Using Android External Storage. Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, pp. 891-904. DOI: 10.1145/3548606.3560666. Online publication date: 7-Nov-2022
  • (2021) Examining Power Use and the Privacy Paradox between Intention vs. Actual Use of Mobile Applications. Proceedings of the 2021 European Symposium on Usable Security, pp. 223-235. DOI: 10.1145/3481357.3481513. Online publication date: 11-Oct-2021
  • (2020) SecureESFS: Sharing Android External Storage Files in a Securer Way. 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1339-1347. DOI: 10.1109/TrustCom50675.2020.00180. Online publication date: Dec-2020
  • (2019) Location Leakage from Network Access Patterns. 2019 IEEE Conference on Communications and Network Security (CNS), pp. 214-222. DOI: 10.1109/CNS.2019.8802847. Online publication date: Jun-2019
  • (2018) Supporting users to take informed decisions on privacy settings of personal devices. Personal and Ubiquitous Computing 22:2, pp. 345-364. DOI: 10.1007/s00779-017-1068-3. Online publication date: 1-Apr-2018
  • (2017) PrivacyStreams. Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies 1:3, pp. 1-26. DOI: 10.1145/3130941. Online publication date: 11-Sep-2017
  • (2017) Smartphone Bloatware: An Overlooked Privacy Problem. Security, Privacy, and Anonymity in Computation, Communication, and Storage, pp. 169-185. DOI: 10.1007/978-3-319-72389-1_15. Online publication date: 7-Dec-2017
