Authors: William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth
Date: OSDI 2010
Novel idea: By leveraging Android's Dalvik VM and binder IPC framework, we can track the flow of privacy sensitive data through third-party applications at various levels of granularity (variable-level, message-level, method-level, and file-level).
Main results: TaintDroid taints data from privacy-sensitive sources (such as low-bandwidth sensors, high-bandwidth sensors, information databases, and device identifiers), which are then propagated throughout internal VM methods, JNI methods, IPC calls, and secondary storage. When tainted data is transmitted over the network, TaintDroid logs the application responsible and the intended destination.
Impact: As a paranoid smartphone user, I would be very interested to learn which third-party developers are violating my privacy (and to stop using their programs). The authors also mention that smartphone security service firms might benefit greatly from the reports collected by TaintDroid.
Evidence: The authors collected TaintDroid traces on 30 popular third-party Android applications and found 68 instances of potential misuse of private data across 20 applications. This included two applications sending phone information to content servers (such as phone number, IMSI, and ICC-ID), six applications sending the device ID (IMEI number) to content servers, and 15 applications sending geo-coordinates to advertising servers. The authors also ran macrobenchmarks (four of their own Android apps) and microbenchmarks (CaffeineMark as well as an IPC throughput test) in order to showcase TaintDroid's minimal performance overhead. In the case of CaffeineMark, TaintDroid had a 14% overhead in comparison to the unmodified system.
Competitive work: The authors cite a few dynamic taint analysis programs in the Related Work section, but claim that their system is the first for a mobile phone and the first to achieve system-wide analysis.
Reproducibility: Apache-licensed source code is on GitHub, and detailed instructions are available at http://appanalysis.org/.
Praise: The implementation is fairly well-described, with further details apparently in the Technical Report version of the paper. The macrobenchmarks are a nice touch in addition to CaffeineMark.
Ideas for further work: How hard could it be to modify TaintDroid such that not only would geo-coordinates destined for advertising servers be detected, but that they would also be blocked!
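The mechanism the review summarizes, as an added Python model rather than TaintDroid's own code: taint tags are bits in a vector that propagate by union through operations, IPC messages and files, and are checked at the network sink, where the responsible app and destination are logged. The optional `block` policy models the "further work" idea of refusing location data bound for ad servers; the source bits, app names and hosts are all constructed for the example.

```python
from dataclasses import dataclass

# Taint sources as bits of a tag vector, in the style of TaintDroid's 32-bit per-variable
# tags. These bit assignments and names are constructed for the example.
LOCATION, IMEI, PHONE_NUMBER, ICCID = 1, 2, 4, 8
NAMES = {LOCATION: "Location", IMEI: "IMEI", PHONE_NUMBER: "PhoneNumber", ICCID: "ICCID"}

@dataclass(frozen=True)
class Tainted:
    """A value plus its taint tag (variable-level tracking)."""
    value: object
    tag: int = 0

def op(fn, *args):
    """Propagation rule: an operation's result carries the OR of its operands' tags.
    Packing fields into an IPC parcel is the same rule applied to the whole message."""
    tag = 0
    for a in args:
        tag |= a.tag
    return Tainted(fn(*(a.value for a in args)), tag)

def write_file(store, name, data):
    """File-level tracking: a file keeps the union of every tag ever written to it."""
    old = store.get(name, Tainted(b"", 0))
    store[name] = Tainted(old.value + data.value, old.tag | data.tag)

def describe(tag):
    return [NAMES[b] for b in NAMES if tag & b]

def network_send(app, dest, data, log, block=lambda app, dest, tag: False):
    """Taint sink: tainted data reaching the network is logged with the responsible app
    and destination (TaintDroid's behaviour); an optional policy may refuse the send."""
    if not data.tag:
        return True
    blocked = block(app, dest, data.tag)
    log.append({"app": app, "dest": dest, "taint": describe(data.tag), "blocked": blocked})
    return not blocked

def demo():
    log, files = [], {}
    loc = Tainted("37.42,-122.08", LOCATION)   # constructed sensor reading
    imei = Tainted("000000000000000", IMEI)    # constructed identifier
    msg = op(lambda a, b: f"loc={a}&id={b}", loc, imei)  # both tags survive the string op
    network_send("com.example.game", "ads.example.com", msg, log)           # logged only
    write_file(files, "cache.dat", op(str.encode, imei))                    # taint persists on disk
    network_send("com.example.game", "cdn.example.com", files["cache.dat"], log)
    # The blocking policy the review suggests: refuse location data bound for ad servers.
    no_loc_to_ads = lambda app, dest, tag: bool(tag & LOCATION) and dest.startswith("ads.")
    network_send("com.example.game", "ads.example.com", msg, log, block=no_loc_to_ads)
    return log
```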
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones
Authors
William Enck, Peter Gilbert, Patrick McDaniel, Byung-Gon Chun, Anmol N. Sheth, Landon P. Cox, Jaeyeon Jung
Date
OSDI'10 - Symposium on Operating Systems Design and Implementation
Novel Idea
Tainting sensitive information on smartphones and keeping track of the
paths it takes through its lifetime.
Main Results
TaintDroid is a modification of the Android OS that taint-tracks
sensitive information as it moves through the execution environment on
smartphones. The approach integrates tightly with the OS, allowing
efficient, system-wide operation.
Impact
One of the keys to the success of application repositories
(Application Markets or Stores) for smartphones is the overwhelming
availability of applications, based (and depending) on third-party
software designers.
TaintDroid permits the analysis of the usage of sensitive information
without requiring the source code of applications, therefore avoiding
breaking the market model. Indeed, such dependency on third-party
software designers is a big virtue for the availability of
applications, but is certainly uninviting in terms of security. A
transparent mechanism that doesn't depend on emulation and has low
overhead is certainly useful in such a context.
Evidence
After presenting the techniques, the paper describes an experimental
study on thirty applications (from popular applications that require
Internet permissions). They perform the tests by forcing the
applications to use the WiFi interface, which is tapped with tcpdump
(so they can verify the results).
They see that 2/3 of the applications transmitted phone information to
servers (without adequate permission) and 1/2 of the applications
transmitted location information to servers (to advertisement servers,
again without proper permission).
They also make a performance evaluation, which consists of measuring
the latency of common tasks (such as dialing a number), and also of
running benchmarks on the applications (CaffeineMark) and on the
system itself (on the communication infrastructure).
Prior Work + Competitive Work
They mention approaches that prevent *access* to sensitive information
(Kirin, Saint, Security-by-Contract); black-box techniques that
monitor leaks in applications (Privacy Oracle, TightLip - the authors
mention it is ineffective when facing encrypted protocols); programming
language extensions that permit the generation of instrumented object
code (Jif, SLam, Laminar - the authors mention those are incompatible
with "legacy software designs").
Regarding dynamic taint analysis (taint tracking), they mention that
some tools aim for guaranteeing system integrity or information
confidentiality. They note that hardware extensions and emulation are
other approaches to taint tracking (and they mention many
optimizations to these techniques). They also talk about tools that
perform source code analysis. Tools that perform taint tracking on
virtual machines (Haldar, WASP, Resin) are also mentioned (these are
similar to the TaintDroid approach).
Reproducibility
The experiments are reproducible. They clearly mention the names of
the applications used, and TaintDroid is available for download.
Questions + Criticism
[Criticism] In the third-party application analysis, the authors
mention that some applications transmit sensitive information without
proper user authorization. This was actually expected; however, I
believe that what kind of authorization is proper or not is a gray
area. For instance, when an application asks permission to "send
feedback information to <InsertYourCompanyNameHere>", what does it
mean, exactly?
[Question] How could the appropriate authorizations be expressed
in a uniform way across the applications? Is there any product that
does something similar to this already?
[Criticism] Just to amend the previous criticism, I think that this
work has strong merits on implementing apparently viable mechanisms
for detecting leaks of sensitive information, implemented in a clearly
complex environment and requiring intricate system integration.
Ideas for Future Work
The authors claim that they go one step beyond providing *access* to
sensitive information by providing *tracking* of sensitive
information. If not yet available somewhere, the idea mentioned in the
Questions+Criticism section, on providing a uniform (same looks),
expressive (clears the gray areas), and extensive (encompasses
everything an application would need) way for applications to expose
their queries for permission, is an idea for future work.
On Mon, Nov 29, 2010 at 10:14 PM, Rodrigo Fonseca
<rodrigo...@gmail.com> wrote: