• Addresses of websites
• URLs
• Search Terms
• Location Details
• App and Device usage
• Use of Verizon Products
• Demographic categories
  • Gender
  • Age
  • Sports
  • Frequent Diner
• Verizon will use this information for:
  • Sharing with other companies
  • Business & Marketing Reports
  • Making relevant mobile ads
4
• "I know where you were and what you are Sharing: Exploiting P2P
  Communications to Invade Users' Privacy"
• An attacker can identify a person, their location and file-sharing habits
5
• Collected children's personal information without parental consent
• Violated COPPA
• "Unsubstantiated and deceptive"
• P2P file sharing exposed app users' personal information without authorization
7
• Geolocational Privacy and Surveillance Act
• Creates rules to govern the interception and disclosure of geolocation
information
• Prohibits unlawfully intercepted geolocation information from being used as
  evidence
8
• Require companies to tell users when location data is being collected
• Allow the users to decide whether or not to disclose this information to
third parties
9
• “With more than 58% of U.S. mobile users worried that their data can be
easily accessed by others, a privacy policy that helps establish and
maintain consumer trust is absolutely essential.”
• Create a framework for developers to use to provide clear and functional
privacy disclosures to consumers who use mobile applications.
11
Diagram components: Policy maker, Policy Language, Code, Guidance, Resources
12
Authors: William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox,
Jaeyeon Jung, Patrick McDaniel and Anmol N. Sheth.
Slide credits: William Enck, Steven Zittrower
13
• What is TaintDroid
• Why it's Important
• Implementation
• Costs and Tradeoffs
• Results
14
• Goals: Monitor app behavior to determine when privacy sensitive
information leaves the phone
• Challenges:
• Smartphones are resource constrained
• Third-party applications are entrusted with several types of privacy sensitive
information
• Context-based privacy information is dynamic and can be difficult to identify
even when sent in the clear
• Applications can share information
18
Dynamic Taint Analysis
• Dynamic taint analysis is a technique that tracks information
  dependencies from an origin.
• Conceptual idea:
  ‣ Taint source:       c = taint_source()
  ...
  ‣ Taint propagation:  a = b + c
  ...
  ‣ Taint sink:         network_send(a)
• Limitations: performance and granularity is a trade-off
Systems and Internet Infrastructure Security Laboratory (SIIS) Page 5
19
‣ Patches state after native method invocation
‣ Extends tracking between applications and to storage
Figure: TaintDroid tracking granularities across the Android stack:
message-level tracking (Application Code), variable-level tracking
(Virtual Machine), method-level tracking (Native System Libraries),
file-level tracking (Network Interface, Secondary Storage)
• TaintDroid is a firmware modification, not an app
• Variables
  Local variables, arguments, class static fields, class instances, and arrays
• Messages
  Taint tag is the upper bound of the tainted variables in the message
• Methods
  Tracks and propagates through system-provided native libraries
• Files
  One tag per file, same logic as messages
22
• The authors modified the Dalvik VM interpreter to store and propagate
  taint tags (a taint bit-vector) on variables.
• Local variables and tags: taint tags are stored adjacent to variables on
  the internal execution stack.
  -- 32-bit bit-vector with each variable
24
• Rules for passing taint markers
  • α ← C : τα ← 0 (a constant carries no taint)
  • β ← α : τβ ← τα (a move copies the tag)
  • α′ ← α ⊗ β : τα′ ← τα ∪ τβ (a binary operation takes the union)
  • …
• Govern steps 3 and 7 of the TaintDroid Architecture
25
• Selected 30 applications with bias on popularity and access to
Internet, location, microphone, and camera
• 100 minutes, 22,594 packets, 1,130 TCP connections
• Of 105 flagged TCP connections, only 37 legitimate.
32
• 15 of the 30 applications shared physical location with an ad
server (admob.com, ad.qwapi.com, ads.mobclix.com,
data.flurry.com)
• Most traffic was plaintext (e.g., the AdMob HTTP GET request)
• In no case was sharing obvious to user or in EULA
• In some cases, periodic and occurred without app use
33
• 7 applications sent device (IMEI) and 2 apps sent phone
information (Phone #, IMSI*, ICC-ID) to a remote server without
informing the user.
One app's EULA indicated the IMEI was sent
Another app sent the hash of the IMEI
• Frequency was app-specific, e.g., one app sent phone
information every time the phone booted.
• Appeared to be sent to app developers ...
34
• Approach Limitations
  • TaintDroid only tracks data flows (i.e., explicit flows).
  • A malicious application can evade TaintDroid and exfiltrate privacy-sensitive
    information through control flow (implicit flows).
• Taint Source Limitations
  • IMSI contains country (MCC), network (MNC) and station (MSIN) codes. All are
    tainted together, but the IMSI is heavily used in Android for configuration
    parameters, so this is likely to cause false positives.
  • Network is the only sink. Sensitive information can propagate back from the
    network.
• Requires custom OS modification. No checks on native libraries
• Lack of evaluation data on power consumption
• User Interface: the log is too technical and needs further inspection
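The propagation rules on slide 25 (constant clears, move copies, binary operation unions) and the explicit-flow-only limitation above, worked as a small simulator. This is an added example, not TaintDroid's Dalvik modification: the `Frame` class, the bit assignments for each source, the variable names and the sample values are all constructed for illustration. The second demo shows the limitation the slide describes: a value chosen by branching on tainted data reaches the sink with a clear tag, so a log with no entries is not evidence that nothing sensitive left the device.

```python
# Toy variable-level taint tracker modelled on the TaintDroid propagation rules.
# Added illustration only; not TaintDroid's code. The source bit assignments,
# variable names and sample values below are constructed.

TAINT_CLEAR = 0x0        # tau = 0: carries no privacy-sensitive source
TAINT_LOCATION = 0x1     # one bit of the 32-bit tag per taint source
TAINT_IMEI = 0x2
TAINT_MICROPHONE = 0x4
TAG_NAMES = {TAINT_LOCATION: "LOCATION", TAINT_IMEI: "IMEI",
             TAINT_MICROPHONE: "MICROPHONE"}


def tag_names(tag):
    """Decode a bit-vector tag into the names of the sources it carries."""
    return sorted(name for bit, name in TAG_NAMES.items() if tag & bit)


class Frame:
    """An execution frame: every variable has a value and an adjacent taint tag."""

    def __init__(self):
        self.values = {}
        self.tags = {}
        self.leaks = []     # (destination, [source names]) recorded at the sink

    def source(self, dst, value, tag):
        """Taint source: a value enters the VM already carrying its source bit."""
        self.values[dst] = value
        self.tags[dst] = tag

    def const(self, dst, value):
        """alpha <- C : tau(alpha) <- 0  (a constant clears the tag)."""
        self.values[dst] = value
        self.tags[dst] = TAINT_CLEAR

    def move(self, dst, src):
        """beta <- alpha : tau(beta) <- tau(alpha)  (a move copies the tag)."""
        self.values[dst] = self.values[src]
        self.tags[dst] = self.tags[src]

    def binop(self, dst, a, b, op):
        """alpha' <- alpha (x) beta : tau(alpha') <- tau(alpha) | tau(beta)."""
        self.values[dst] = op(self.values[a], self.values[b])
        self.tags[dst] = self.tags[a] | self.tags[b]

    def message_tag(self, names):
        """Message-level tag: the union (upper bound) of every variable's tag."""
        tag = TAINT_CLEAR
        for name in names:
            tag |= self.tags[name]
        return tag

    def network_send(self, dest, names):
        """Taint sink: record a leak when the outbound message carries any source bit."""
        tag = self.message_tag(names)
        if tag != TAINT_CLEAR:
            self.leaks.append((dest, tag_names(tag)))
        return tag


def explicit_flow_demo():
    """Location flows through arithmetic and a move; the sink still sees its tag."""
    f = Frame()
    f.source("lat", 37.4, TAINT_LOCATION)               # constructed coordinate
    f.source("imei", "000000000000000", TAINT_IMEI)     # placeholder, not a real IMEI
    f.const("scale", 1000)
    f.binop("lat_scaled", "lat", "scale", lambda x, y: int(x * y))
    f.move("payload", "lat_scaled")
    f.const("version", "1.0")
    f.network_send("ads.example", ["payload", "version"])   # flagged: LOCATION
    f.network_send("dev.example", ["imei"])                 # flagged: IMEI
    return f.leaks


def implicit_flow_demo():
    """Branching on a tainted value and assigning constants leaves the tag clear,
    so explicit-flow tracking reports nothing for this message."""
    f = Frame()
    f.source("lat", 37.4, TAINT_LOCATION)
    if f.values["lat"] >= 0:        # control depends on the tainted value ...
        f.const("hemisphere", "N")  # ... but each branch assigns only a constant
    else:
        f.const("hemisphere", "S")
    f.network_send("ads.example", ["hemisphere"])   # not flagged
    return f.leaks, f.tags["hemisphere"]


if __name__ == "__main__":
    print(explicit_flow_demo())
    print(implicit_flow_demo())
```

The real TaintDroid keeps the 32-bit tag next to each slot on the interpreter stack and unions tags per Dalvik instruction; the simulator uses dictionaries so the three rules and the message-level upper bound stay visible in a few lines.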
37
• TaintDroid provides efficient, system-wide, dynamic taint tracking and
analysis for Android
• 4 granularities of taint propagation
• Variable-level
• Message-level
• Method-level
• File-level
• 14% performance overhead on a CPU-bound microbenchmark.
• Identified 20 out of the 30 randomly selected applications as sharing
  information in a way that was not expected.
• Findings demonstrated the effectiveness and value of enhancing mobile
  privacy on smartphone platforms.
38
• Real-time tracking, filtering and enforcement
• Eliminate or reduce false-positives through better management of
variable-level tags
• Integration with an expert rating system (crowd sourcing)
• Detection of bypass attempts
39