Sajjad Pourali
Nayanamana Samarasinghe
Mohammad Mannan
ABSTRACT
As privacy features in Android operating system improve, privacy-invasive apps may gradually shift their focus to non-standard and covert channels for leaking private user/device information. Such leaks also remain largely undetected by state-of-the-art privacy analysis tools, which are very effective in uncovering privacy exposures via regular HTTP and HTTPS channels. In this study, we design and implement, ThirdEye, to significantly extend the visibility of current privacy analysis tools, in terms of the exposures that happen across various non-standard and covert channels, i.e., via any protocol over TCP/UDP (beyond HTTP/S), and using multi-layer custom encryption over HTTP/S and non-HTTP protocols. Besides network exposures, we also consider covert channels via storage media that also leverage custom encryption layers. Using ThirdEye, we analyzed 12,598 top-apps in various categories from Androidrank, and found that 2887/12,598 (22.92%) apps used custom encryption/decryption for network transmission and storing content in shared device storage, and 2465/2887 (85.38%) of those apps sent device information (e.g., advertising ID, list of installed apps) over the network that can fingerprint users. Besides, 299 apps transmitted insecure encrypted content over HTTP/non-HTTP protocols; 22 apps that used authentication tokens over HTTPS, happen to expose them over insecure (albeit custom encrypted) HTTP/non-HTTP channels. We found non-standard and covert channels with multiple levels of obfuscation (e.g., encrypted data over HTTPS, encryption at nested levels), and the use of vulnerable keys and cryptographic algorithms. Our findings can provide valuable insights into the evolving field of non-standard and covert channels, and help spur new countermeasures against such privacy leakage and security issues.
- Adb shell pm clear. 2020. Adbshell. https://adbshell.com/commands/adb-shellpm-clear.Google Scholar
- Androguard. 2022. Androguard. https://github.com/androguard/androguard.Google Scholar
- Androidrank. 2022. Androidrank. https://www.androidrank.org/.Google Scholar
- AndroidViewClient. 2022. AndroidViewClient. https://github.com/dtmilano/ AndroidViewClient/.Google Scholar
- Apktool. 2021. Apktool. https://github.com/scottyab/rootbeer.Google Scholar
- Appium. 2022. Appium. https://appium.io/.Google Scholar
- Evita Bakopoulou, Anastasia Shuba, and Athina Markopoulou. 2020. Exposures exposed: A measurement and user study to assess mobile data privacy in context. arXiv preprint arXiv:2008.08973 (2020).Google Scholar
- Kenneth Block, Sashank Narain, and Guevara Noubir. 2018. An autonomic and permissionless android covert channel. In ACM Conference on Security & Privacy in Wireless and Mobile Networks (WISEC'18). Stockholm Sweden.Google Scholar
- Cloudflare. 2022. What is MTU (maximum transmission unit)? https://www. cloudflare.com/learning/network-layer/what-is-mtu/.Google Scholar
- Andrea Continella, Yanick Fratantonio, Martina Lindorfer, Alessandro Puccetti, Ali Zand, Christopher Kruegel, and Giovanni Vigna. 2017. Obfuscation-Resilient Privacy Leak Detection for Mobile Apps Through Differential Analysis. In Network and Distributed System Security Symposium (NDSS'17). San Diego, CA, USA.Google Scholar
- Patrick Cronin, Xing Gao, Haining Wang, and Chase Cotton. 2021. An Exploration of ARM System-Level Cache and GPU Side Channels. In IEEE Symposium on Security and Privacy (SP'21). Association for Computing Machinery, Online. https://doi.org/10.1145/3485832.3485902Google ScholarDigital Library
- Dpkt. 2021. Dpkt. https://github.com/kbandla/dpkt.Google Scholar
- Federal Trade Commission (FTC). 2016. Mobile Advertising Network InMobi Settles FTC Charges It Tracked Hundreds of Millions of Consumers' Locations Without Permission. https://www.ftc.gov/news-events/press-releases/2016/06/ mobile-advertising-network-inmobi-settles-ftc-charges-it-tracked.Google Scholar
- Frida. 2022. Frida. https://frida.re/.Google Scholar
- Sudipta Ghosh, SR Tandan, and Kamlesh Lahre. 2013. Shielding android application against reverse engineering. International Journal of Engineering Research & Technology 2, 6 (2013), 2635--2643.Google Scholar
- Githubusercontent.com. 2022. List of the base rules that block ads in mobile apps. https://raw.githubusercontent.com/AdguardTeam/AdguardFilters/master/ MobileFilter/sections/specific_app.txt.Google Scholar
- Google. 2020. Android Debug Bridge (adb). https://developer.android.com/ studio/command-line/adb.Google Scholar
- Google. 2021. Logcat command-line tool. https://us.norton.com/internetsecuritymobile-android-vs-ios-which-is-more-secure.html.Google Scholar
- Google. 2022. Call package manager (pm). https://developer.android.com/studio/ command-line/adb#pm.Google Scholar
- Google. 2022. Cmd in Android native framework (cmd). https://android.googlesource.com/platform/frameworks/native// 593991bfd9747692c09ebd980ddc50dc29d86d5d/cmds/cmd/cmd.cpp.Google Scholar
- Google. 2022. dumpsys. https://developer.android.com/studio/command-line/ dumpsys.Google Scholar
- Google. 2022. Google Admob. https://developers.google.com/admob.Google Scholar
- Google. 2022. Google Play Protect. https://developers.google.com/android/playprotect.Google Scholar
- Google. 2022. monkeyrunner. https://developer.android.com/studio/test/ monkeyrunner.Google Scholar
- Google. 2022. View class - Android Developers. https://developer.android.com/ reference/android/view/View.Google Scholar
- Google. 2022. Work with data more securely. https://developer.android.com/ topic/security/data.Google Scholar
- Huffpost.com. 2011. Google's Wi-Fi Database May Know Your Router's Physical Location. News article (Apr. 25, 2011). https://www.huffpost.com/entry/androidmap-reveals-router-location_n_853214.Google Scholar
- Kyeonghwan Lim, Younsik Jeong, Seong-je Cho, Minkyu Park, and Sangchul Han. 2016. An Android Application Protection Scheme against Dynamic Reverse Engineering Attacks. J. Wirel. Mob. Networks Ubiquitous Comput. Dependable Appl. 7, 3 (2016), 40--52.Google Scholar
- Linux.die.net. 2022. tcpdump. https://linux.die.net/man/8/tcpdump.Google Scholar
- Aravind Machiry, Rohan Tahiliani, and Mayur Naik. 2013. Dynodroid: An input generation system for android apps. In Joint Meeting on Foundations of Software Engineering (ESEC/FSE'13). Saint Petersburg, Russia.Google ScholarDigital Library
- Medium.com. 2016. Rotate Android device screen using adb commands (not emulator). https://medium.com/@navalkishoreb/rotate-android-device-screenusing-adb-commands-not-emulator-94ab1a749b87.Google Scholar
- Mitmproxy. 2022. mitmproxy. https://mitmproxy.org/.Google Scholar
- Mohammad Naseri, Nataniel P Borges Jr, Andreas Zeller, and Romain Rouvoy. 2019. AccessiLeaks: Investigating Privacy Leaks Exposed by the Android Accessibility Service. Proceedings on Privacy Enhancing Technologies 2 (2019), 291--305.Google ScholarCross Ref
- Dario Nisi, Antonio Bianchi, and Yanick Fratantonio. 2019. Exploring SyscallBased Semantics Reconstruction of Android Applications. In International Symposium on Research in Attacks, Intrusions, and Defenses (RAID'19). Beijing, China.Google Scholar
- Oracle. 2020. Object (Java platform SE 7. https://docs.oracle.com/javase/7/docs/ api/java/lang/Object.html#hashCode().Google Scholar
- Oracle. 2022. Class Cipher. https://docs.oracle.com/javase/7/docs/api/javax/ crypto/Cipher.html.Google Scholar
- Gerald Palfinger, Bernd Prünster, and Dominik Julian Ziegler. 2020. AndroTIME: Identifying Timing Side Channels in the Android API. In ACM Conference on Trust, Security and Privacy in Computing and Communications (TrustCom'20). Guangzhou, China.Google Scholar
- Priyam Patel, Gokul Srinivasan, Sydur Rahaman, and Iulian Neamtiu. 2018. On the effectiveness of random testing for Android: or how i learned to stop worrying and love the monkey. In International Workshop on Automation of Software Test (ICSE'18). Gothenburg , Sweden.Google ScholarDigital Library
- Anh Pham, Italo Dacosta, Eleonora Losiouk, John Stephan, Kévin Huguenin, and Jean-Pierre Hubaux. 2019. HideMyApp: Hiding the Presence of Sensitive Apps on Android. In USENIX Security Symposium (USENIX Security'19). Santa Clara, CA, USA.Google Scholar
- Sajjad Pourali, Nayanamana Samarasinghe, and Mohammad Mannan. [n. d.]. Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps. Extended report (Oct. 1, 2022). https://users.encs.concordia.ca/~mmannan/publications/ ThirdEye-CCS2022.pdf.Google Scholar
- Pypi.org. 2022. googletrans 3.0.0. https://pypi.org/project/googletrans/.Google Scholar
- Python-magic. 2021. python-magic. https://github.com/ahupp/python-magic.Google Scholar
- Joel Reardon, Álvaro Feal, Primal Wijesekera, Amit Elazari Bar On, Narseo VallinaRodriguez, and Serge Egelman. 2019. 50 ways to leak your data: An exploration of apps' circumvention of the android permissions system. In USENIX Security Symposium (USENIX Security'19). Santa Clara, CA, USA.Google Scholar
- Red Hat. 2022. Chapter 24. Creating a dummy interface. https:// access.redhat.com/documentation/en-us/red_hat_enterprise_linux/ 8/html/configuring_and_managing_networking/creating-a-dummyinterface_configuring-and-managing-networking.Google Scholar
- RIP Tutorial. 2022. Turn on/off Wifi. https://riptutorial.com/android/example/ 5113/turn-on-off-wifi.Google Scholar
- Rootbeer. 2021. Rootbeer. https://github.com/scottyab/rootbeer.Google Scholar
- RootCloak. 2016. RootCloak. https://github.com/devadvance/rootcloak.Google Scholar
- Rootcloakplus. 2014. Rootcloakplus. https://github.com/devadvance/ rootcloakplus.Google Scholar
- Erik Rye and Rob Beverly. 2021. IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation. BlackHat USA (July 31 - Aug. 5, 2021). https://www.blackhat.com/us-21/briefings/schedule/#ipvseeyouexploiting-leaked-identifiers-in-ipv-for-street-level-geolocation-22889.Google Scholar
- Shadowsocks. 2022. shadowsocks. https://shadowsocks.org/en/index.html.Google Scholar
- Similarweb. 2022. similarweb. https://www.similarweb.com/.Google Scholar
- Raphael Spreitzer, Gerald Palfinger, and Stefan Mangard. 2018. Scandroid: Automated side-channel analysis of android apis. In Proceedings of the 11th ACM Conference on Security & Privacy in Wireless and Mobile Networks. 224--235.Google ScholarDigital Library
- San-Tsai Sun, Andrea Cuadros, and Konstantin Beznosov. 2015. Android rooting: Methods, detection, and evasion. In ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'15). Denver, Colorado , USA.Google ScholarDigital Library
- Symantec. 2022. WebPulse Site Review Request - dt.beyla.site. https://sitereview. bluecoat.com/#/lookup-result/dt.beyla.site.Google Scholar
- Symbolics Cambridge Research Center. 1984. RFC0894: Standard for the transmission of IP datagrams over Ethernet networks. https://dl.acm.org/doi/pdf/ 10.17487/RFC0894.Google Scholar
- Theiphonewik. 2015. xCon. https://www.theiphonewiki.com/wiki/XCon.Google Scholar
- Tldp.org. 1996. The dummy interface. https://tldp.org/LDP/nag/node72.html.Google Scholar
- UlionTse. 2021. translators. https://pypi.org/project/translators/.Google Scholar
- Unity. 2022. Unity AdUnits. https://docs.unity.com/monetization-dashboard/ AdUnits.html.Google Scholar
- Yingjie Wang, Xing Liu, Weixuan Mao, and Wei Wang. 2019. DCDroid: Automated detection of SSL/TLS certificate verification vulnerabilities in Android apps. In ACM Turing Celebration Conference (TURC'19). Sichuan, China.Google ScholarDigital Library
- Dominik Wermke, Nicolas Huaman, Yasemin Acar, Bradley Reaves, Patrick Traynor, and Sascha Fahl. 2018. A large scale investigation of obfuscation use in google play. In Annual Computer Security Applications Conference (ACSAC'18). San Juan, Puerto Rico, USA.Google ScholarDigital Library
- Wikipedia. 2022. Decimal degrees. https://en.wikipedia.org/wiki/Decimal_ degrees.Google Scholar
- Junfeng Xu, Li Zhang, Yunchuan Sun, Dong Lin, and Ye Mao. 2015. Toward a secure android software protection system. In CIT/IUCC/DASC/PICOM'15. Liverpool, UK.Google Scholar
- Zhemin Yang, Min Yang, Yuan Zhang, Guofei Gu, Peng Ning, and X Sean Wang. 2013. Appintent: Analyzing sensitive data transmission in Android for privacy leakage detection. In ACM Conference on Computer and Communications Security (CCS'13). Berlin, Germany.Google ScholarDigital Library
- Cong Zheng, Shixiong Zhu, Shuaifu Dai, Guofei Gu, Xiaorui Gong, Xinhui Han, and Wei Zou. 2012. Smartdroid: an automatic system for revealing ui-based trigger conditions in android applications. In ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices (SPSM'12). Raleigh, NC, USA.Google ScholarDigital Library
Index Terms
- Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps
Recommendations
Enforcing fine-grained security and privacy policies in an ecosystem within an ecosystem
MobileDeLi 2015: Proceedings of the 3rd International Workshop on Mobile Development LifecycleSmart home automation and IoT promise to bring many advantages but they also expose their users to certain security and privacy vulnerabilities. For example, leaking the information about the absence of a person from home or the medicine somebody is ...
POSTER: Experimental Analysis of Popular Anonymous, Ephemeral, and End-to-End Encrypted Apps
WiSec '16: Proceedings of the 9th ACM Conference on Security & Privacy in Wireless and Mobile NetworksAs social networking takes to the mobile world, smartphone apps provide users with ever-changing ways to interact with each other. Over the past couple of years, an increasing number of apps have entered the market offering end-to-end encryption, self-...
Bittersweet ADB: Attacks and Defenses
ASIA CCS '15: Proceedings of the 10th ACM Symposium on Information, Computer and Communications SecurityAndroid devices and applications become prevalent and ask for unanticipated capabilities thanks to the increased interests in smartphones and web applications. As a way to use the capabilities not directly available to ordinary users, applications have ...
Comments