DOI: 10.1145/3634737.3645014
research-article
Open access

(In)visible Privacy Indicator: Security Analysis of Privacy Indicator on Android Devices

Published: 01 July 2024

Abstract

In Android 12, Google introduced a new security feature called the privacy indicator to protect users from spyware. The privacy indicator visually alerts users by displaying a green circle in the notification bar when an application accesses the camera. While this feature initially appears effective, our work has identified two possible attack scenarios that can undermine it. The first attack uses screen overlay techniques with a higher Z-order and deceptive status bar layouts to make it difficult to see the privacy indicator. In a user study involving 44 participants, only 13.6% of participants recognized the indicator under UI overlay attacks, compared to 63.6% in default Android 12 settings. The second attack exploits device configurations to disable the privacy indicator. Our findings were reported to the developers of the Android system UI at Samsung Electronics and the Google Issue Tracker, and we received acknowledgments from both parties. As countermeasures, we recommend ensuring the integrity of the privacy indicator using trusted execution facilities. We introduce a proof-of-concept solution called SEPI (Security-Enhanced Privacy Indicator), which utilizes a secure hypervisor and ARM TrustZone. SEPI is designed to detect camera and microphone activities, subsequently displaying the relevant indicator with the highest Z-order in a securely isolated display buffer. Our experimental findings revealed only a minimal 3.3% reduction in benchmark scores compared to the device's default operational state. The SEPI privacy indicator is displayed with a negligible mean delay of 20.92 ms.

Published In

ASIA CCS '24: Proceedings of the 19th ACM Asia Conference on Computer and Communications Security
July 2024
1987 pages
ISBN:9798400704826
DOI:10.1145/3634737
This work is licensed under a Creative Commons Attribution International 4.0 License.

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Android privacy indicator
  2. mobile platform security
  3. TrustZone

Qualifiers

  • Research-article

Conference

ASIA CCS '24

Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%

Article Metrics

  • Total Citations: 0
  • Total Downloads: 299
  • Downloads (Last 12 months): 299
  • Downloads (Last 6 weeks): 59

Reflects downloads up to 05 Mar 2025
