2. NervousNet from ETHZ:
• http://www.nervousnet.ethz.ch
• NervousNet hub mobile app polls various physical sensors at a user-defined rate.
• Data is pushed to one or more remote “proxies”.
• Outputs of sensors combined into “virtual sensors”.
• Small custom deployment at CCC Congress.
3. What about the device's “inner-life”?
• Apps bleed into the physical world. They hold data about us. What are they doing behind our backs?
• “Pokemon Go is more than just a game and it's bringing people together.” -Forbes.
• “Blogger who filmed himself playing Pokemon Go at a Cathedral could face prison.” -Moscow Times.
• Really? What about other pervasive games like Ingress?
4. Our Data Ourselves: MobileMiner
• 20 young coders from “Young Rewired State” were issued with Android smartphones.
• Developed MobileMiner together, an app that records the behaviour of other apps.
• Return their data at hack-days.
• Discuss their attitudes to privacy before and after confronting them with their data.
5. What data do Android apps store?
• We don't know!
• Apps' internal SQLite databases are not available when the device is mounted as mass-storage.
• Databases can be copied from rooted devices using the Android Debug Bridge.
6. How frequently do apps request location?
• We don't know!
• The Android settings activity lists recent location requests.
• Non-system apps cannot access this API call.
• Apps can make passive location requests, to find the last requested location.
• Poll this repeatedly and see when it changes?
• Make an “educated” guess as to which app is responsible?
7. How frequently do apps send notifications?
• Moral: Stop Playing Clean!
• Register your app as an “accessibility service”.
• The user must be prompted to accept it.
• Normally, the service would do text-to-speech, or use large print.
• Instead, log the time and the app that sent the notification.
• Ignore the content!
8. Notifications as a proxy for social network usage.
[Figure: “Twitter Network Degree vs Notifications”. x-axis: Number of Notifications (0 to 1200); y-axis: friends/followers count (0 to 1200); series: Friends, Followers.]
Twitter sends notifications based on people you follow.
The more notifications the more friends.
9. How frequently do apps “phone home”?
• Android has a TrafficStats API.
• Poll this reasonably frequently on a per-app basis and record the increase in Txed/Rxed bytes.
• getUidRxBytes: “Starting in N this will only report traffic statistics for the calling UID...” (N is for ¯\_(ツ)_/¯)
• Buggy. Protocol info deprecated.
• No idea what's being sent.
10. How frequently do apps “phone home”?
• Android is a Linux-based system.
• For some apps, we can read the /proc/<pid>/net directory and find open network sockets.
• This gives us the protocol and the port.
• Need to poll aggressively, not great for battery life.
sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode
12: 4F01A8C0:E1D0 B422C2AD:0050 01 00000000:00000000 02:000003A3 00000000 1000 0 154153 2 0000000000000000 23 4 28 10 -1
Don't Tap The White Tile
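As an added example (not code from the talk or from MobileMiner), a parser that turns /proc/<pid>/net/tcp entries like the one above into readable endpoints and groups them by app UID; the sample table is constructed from the single entry shown on the slide, and the host byte order is assumed to be little-endian as on Android handsets.

```python
import socket
import struct
from typing import List, NamedTuple, Set, Tuple

# Constructed sample: the /proc/<pid>/net/tcp header plus the single entry shown on the slide.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
  12: 4F01A8C0:E1D0 B422C2AD:0050 01 00000000:00000000 02:000003A3 00000000  1000        0 154153 2 0000000000000000 23 4 28 10 -1
"""

# TCP state codes as printed in the "st" column (Linux enum tcp_states).
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV", 0x04: "FIN_WAIT1",
    0x05: "FIN_WAIT2", 0x06: "TIME_WAIT", 0x07: "CLOSE", 0x08: "CLOSE_WAIT",
    0x09: "LAST_ACK", 0x0A: "LISTEN", 0x0B: "CLOSING",
}

class TcpSocket(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str
    uid: int    # on Android each installed app runs under its own UID
    inode: int

def decode_addr(field: str) -> Tuple[str, int]:
    """Decode 'AABBCCDD:PPPP' into (dotted IPv4, port). The kernel prints the address
    in host byte order, so on little-endian handsets (assumed) the octets appear reversed."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def parse_proc_net_tcp(text: str) -> List[TcpSocket]:
    """Parse the IPv4 TCP table; the first line is the column header."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:  # blank or truncated line
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        state = TCP_STATES.get(int(f[3], 16), "UNKNOWN(" + f[3] + ")")
        sockets.append(TcpSocket(lip, lport, rip, rport, state, int(f[7]), int(f[9])))
    return sockets

def remote_endpoints(sockets: List[TcpSocket], uid: int) -> Set[Tuple[str, int, str]]:
    """Remote (ip, port, state) tuples for one app UID: who that app is talking to."""
    return {(s.remote_ip, s.remote_port, s.state) for s in sockets if s.uid == uid}
```

Polling this table on a timer and diffing the set returned by remote_endpoints per UID gives the "phone home" frequency and destinations without any packet capture; /proc/<pid>/net/tcp6 and /udp use the same column layout apart from the address width.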
11. Why do apps “phone home” so frequently?
• “The Line-Keep In” is a simple scrolling maze game with very frequent network access.
• It requests very extensive permissions, including location.
• Decompiling it revealed 3 advertising and notification services. (tencent.com, jpush.cn, umeng.com)
• Some of these were already of interest to security researchers.
12. The Droid Destruction Kit!
• Can we put Android reversal and traffic capture tools into the hands of beginners?
• Many tools require building from source. Containerize a browser-based VNC desktop with Docker.
• “Masterclass” on app reversal held by Darren Martyn (http://insecurety.net/) of Xiphos Research: http://www.xiphosresearch.com
13. Distributing mobile social data.
• MobileMiner uploaded data to a slightly customized CKAN instance. Containerized and distributed to the YRS participants.
• Pentland proposes “Open Personal Data Stores”. (http://openpds.media.mit.edu/)
• Iaconesi & Persico propose the “Ubiquitous Commons” on Ethereum. (http://www.artisopensource.net/)
• Pentland then proposes “Enigma”, peer-to-peer data storage on Ethereum. (http://enigma.media.mit.edu/)
• NervousNet proposes a peer-to-peer proxy.
14. “Informed Consent”
• Users upload position data with low frequency. Do they understand the consequences?
• Should such information be quantized spatially as well as temporally?
• MobileMiner collected cell-tower data, resolved spatially using http://opencellid.org.
• Simple application of k-means is sufficient to determine places of work or study.