Reviews: TaintDroid


Rodrigo Fonseca

Nov 29, 2010, 10:14:56 PM
to CSCI2950-u Fall 10 - Brown
Hi,

Please post your reviews to TaintDroid here.

Thanks,
Rodrigo

Matt Mallozzi

Nov 30, 2010, 12:18:30 AM
to brown-csci...@googlegroups.com
Matt Mallozzi
11/30/10

Title:
TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones
Authors:
Enck, Gilbert, Chun, Cox, Jung, McDaniel, Sheth
Date:
2010
Novel Idea:
Using Android's virtualized execution environment to analyze and track
usage of private information by untrusted, third-party applications.
Main Results:
An extension to Android that implements the above novel idea: it detects
when private data leaves the system via third-party applications and allows
applications to be easily analyzed.
Impact:
This could be used to analyze apps that are being considered for the
Marketplace, as the app's actual data usage can be compared against its
declared data usage as provided by the developer. Since it is possible for
some code paths to not be exercised even under the most stringent
pre-Marketplace privacy testing, TaintDroid could be included on end-user
devices to let users monitor applications at will or at random app launches.
Evidence:
The authors used TaintDroid to analyze the data usage of 30 popular Android
applications. They also ran macrobenchmarks to test the performance hit for
certain common high-level tasks, such as launching an application and taking
a photo. Further, there were various microbenchmarks, such as for various
Java operations and for Inter-Process Communication.
Prior Work:
TaintDroid builds heavily on dynamic taint analysis, or "taint tracking".
Competitive Work:
Similar work such as Kirin, Saint, and Security-by-Contract will monitor
an app's access to sensitive information, but not how that information is
used (or misused) beyond the app. Other systems require modification of the
OS or app abstraction, or break on common mechanisms such as encryption.
Reproducibility:
Open source!
Question:
Could an application detect when it is being monitored by TaintDroid
using the known performance hit?
Criticism:
The analysis (in particular, the performance analysis) was only performed
on one type of phone running one version of Android OS.
Ideas For Further Work:
Try to come up with an application that behaves when TaintDroid is looking
by using the known performance hit to detect when TaintDroid is running.

Dimitar

Nov 29, 2010, 10:25:32 PM
to CSCI2950-u Fall 10 - Brown
TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones
Authors: Landon P. Cox, William Enck, Peter Gilbert, Patrick McDaniel,
Byung-Gon Chun, Anmol N. Sheth
Date: OSDI 2010

Novel Idea: The paper presents TaintDroid, an information-flow
tracking system which tries to address some of the shortcomings of the
smartphone operating systems, such as visibility into how third-party
applications use private data. TaintDroid assumes that the third-party
applications are not trusted and tries in real time to monitor how
these applications access and use the user's private data.

Results: TaintDroid is a working system that uses dynamic taint
analysis to monitor privacy-sensitive information. The first thing the
system does is to identify the sensitive information at the source and
to mark it. Next, TaintDroid tracks how the labeled data impacts other
data in a way that might leak sensitive information. The tracking is
performed at the instruction level and later identified when it leaves
the system.

Impact: TaintDroid can be useful in evaluating how private information
is used by third party
applications.

Evidence: Using TaintDroid, the authors evaluate thirty of the most
popular applications for Android. The evaluation showed that two
thirds of these applications exposed confidential user information.
The test also showed that TaintDroid is efficient: there is only 3%
overhead to load an application, and for most of the tested
applications it had low overhead for tracking.

Competitive Work: According to the authors, TaintDroid is the first
taint tracking system for smartphones.

Reproducibility: The test cases are reproducible provided we have the
source code for TaintDroid.

Criticism: I think that the paper is well written and the authors have
done an extensive evaluation. They also mentioned that TaintDroid
causes a significant number of false positives in certain situations.
Can this limit its usefulness?

On Nov 29, 10:14 pm, Rodrigo Fonseca <rodrigo.fons...@gmail.com>
wrote:

Duy Nguyen

Nov 29, 2010, 11:07:23 PM
to brown-csci...@googlegroups.com
Paper Title
TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

Authors:
William Enck
Peter Gilbert
Byung-Gon Chun
Landon P. Cox

Date 
OSDI 2010

Novel Idea
A data flow tracking framework for Android OS used to monitor whether sensitive data is sent
out of the phone. Sensitive data can be location, phone IMEI, address book,...

Main Results
In the Android environment, applications are written in Java, which is translated to the Dalvik
EXecutable byte code format. Each application runs within its own Dalvik VM interpreter instance.
By modifying Dalvik VM interpreter, TaintDroid offers 4 tracking levels: variable tracking
within an application, message tracking between applications, method tracking for system
provided libraries and file tracking for persistent storage.

Impact 
This work can have big impact if it goes into Android main source code tree. Currently Android
tells you what kind of permission an application can have when being launched, but these messages
are too general or not easy to understand for normal users, so they tend to ignore them. If 
TaintDroid can point out those behaviors not only in detail but also in a user-friendly way, it
will be an attractive feature for the Android platform.

Evidence 
30 applications were chosen for experimenting. These applications access phone location,
microphone, camera,... TaintDroid successfully reports many illegitimate behaviors such as:
sharing physical location with ad server, reporting phone IMEI number,...

Prior Work 
TaintDroid is built upon many works in dynamic taint analysis: Dytan, LIFT, Panorama, Privacy Scope

Competitive Work 
Unknown

Reproducibility 
Yes. Source code is available

Question/Criticism
N/A

On Mon, Nov 29, 2010 at 10:14 PM, Rodrigo Fonseca <rodrigo...@gmail.com> wrote:

Basil Crow

Nov 30, 2010, 12:00:58 AM
to brown-csci...@googlegroups.com
Title: TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones

Authors: William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth

Date: OSDI 2010

Novel idea: By leveraging Android's Dalvik VM and binder IPC framework, we can track the flow of privacy sensitive data through third-party applications at various levels of granularity (variable-level, message-level, method-level, and file-level).

Main results: TaintDroid taints data from privacy-sensitive sources (such as low-bandwidth sensors, high-bandwidth sensors, information databases, and device identifiers), which are then propagated throughout internal VM methods, JNI methods, IPC calls, and secondary storage. When tainted data is transmitted over the network, TaintDroid logs the application responsible and the intended destination.

Impact: As a paranoid smartphone user, I would be very interested to learn which third-party developers are violating my privacy (and to stop using their programs). The authors also mention that smartphone security service firms might benefit greatly from the reports collected by TaintDroid.

Evidence: The authors collected TaintDroid traces on 30 popular third-party Android applications and found 68 instances of potential misuse of private data across 20 applications. This included two applications sending phone information to content servers (such as phone number, IMSI, and ICC-ID), six applications sending the device ID (IMEI number) to content servers, and 15 applications sending geo-coordinates to advertising servers. The authors also ran macrobenchmarks (four of their own Android apps) and microbenchmarks (CaffeineMark as well as an IPC throughput test) in order to showcase TaintDroid's minimal performance overhead. In the case of CaffeineMark, TaintDroid had a 14% overhead in comparison to the unmodified system.

Competitive work: The authors cite a few dynamic taint analysis programs in the Related Work section, but claim that their system is the first for a mobile phone and the first to achieve system-wide analysis.

Reproducibility: Apache-licensed source code is on GitHub, and detailed instructions are available at http://appanalysis.org/.

Praise: The implementation is fairly well-described, with further details apparently in the Technical Report version of the paper. The macrobenchmarks are a nice touch in addition to CaffeineMark.

Ideas for further work: How hard could it be to modify TaintDroid such that not only would geo-coordinates destined for advertising servers be detected, but that they would also be blocked!

Hammurabi Mendes

Nov 29, 2010, 11:17:42 PM
to brown-csci...@googlegroups.com
Paper Title

TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones

Authors

William Enck, Peter Gilbert, Patrick McDaniel, Byung-Gon Chun, Anmol
N. Sheth, Landon P. Cox, Jaeyeon Jung

Date

OSDI'10 - Symposium on Operating Systems Design and Implementation

Novel Idea

Tainting sensitive information on smartphones and keeping track of the
paths they take through their lifetime.

Main Results

TaintDroid is a modification of the Android OS that taint-tracks
sensitive information that moves through the execution environment on
smartphones. The approach integrates tightly to the OS, allowing an
efficient and system-wide operation.

Impact

One of the keys to the success of application repositories
(Application Markets or Stores) for smartphones is the overwhelming
availability of applications, based (and depending) on third-party
software designers.

TaintDroid permits the analysis of the usage of sensitive information
without requiring the source code of applications, therefore avoiding
to break the market model. Indeed, such dependency on third-party
software designers is a big virtue for the availability of
applications, but is certainly uninviting in terms of security. A
transparent mechanism, that doesn't depend on emulation, and with low
overhead, is certainly useful given such context.

Evidence

After presenting the techniques, the paper describes an experimental
study on thirty applications (from popular applications that require
Internet permissions). They perform the tests forcing the applications
to use the WiFi interface, which is tapped with tcpdump (so they can
verify the results).

They see that 2/3 of the applications transmitted phone information to
servers (without adequate permission) and 1/2 of the applications
transmitted location information to servers (to advertisement servers,
again without proper permission).

They also make a performance evaluation, which consists of measuring
latency of common tasks (such as dialing a number), and also of
running benchmarks on the applications (CaffeineMark) and on the
system itself (on the communication infrastructure).

Prior Work + Competitive Work

They mention approaches that prevent *access* to sensitive information
(Kirin, Saint, Security-by-Contract); black-box techniques that
monitor leaks in applications (Privacy Oracle, TightLip - the authors
mention it is ineffective facing encrypted protocols); programming
language extensions that permit the generation of instrumented object
code (Jif, SLam, Laminar - the authors mention those are incompatible
with "legacy software designs").

Regarding dynamic taint analysis (taint tracking), they mention that
some tools aim for guaranteeing system integrity or information
confidentiality. They note that hardware extensions and emulation are
other approaches to taint tracking (and they mention many
optimizations to these techniques). They also talk about tools that
perform source code analysis. Tools that perform taint tracking on
virtual machines (Haldar, WASP, Resin) are also mentioned (these are
similar to the TaintDroid approach).

Reproducibility

The experiments are reproducible. They clearly mention the names of
the applications used, and TaintDroid is available for download.

Questions + Criticism

[Criticism] In the third-party application analysis, the authors
mention that some applications transmit sensitive information without
proper user authorization. This was actually expected, however, I
believe that what kind of authorization is proper or not is a gray
area. For instance, when an application asks permission to "send
feedback information to <InsertYourCompanyNameHere>", what does it
mean, exactly?

[Question] How could the appropriate authorizations be expressed
in a uniform way across the applications? Is there any product that
does something similar to this already?

[Criticism] Just to amend the previous criticism, I think that this
work has strong merits on implementing apparently viable mechanisms
for detecting leaks of sensitive information, implemented in a clearly
complex environment and requiring intricate system integration.

Ideas for Future Work

The authors claim that they go one step ahead of providing *access* to
sensitive information by providing *tracking* of sensitive
information. If not yet available somewhere, the idea mentioned in the
Questions+Criticism section, on providing a uniform (same looks),
expressive (clears the gray areas), and extensive (encompasses
everything an application would need) way for applications to expose
their queries for permission is an idea for future work.

On Mon, Nov 29, 2010 at 10:14 PM, Rodrigo Fonseca
<rodrigo...@gmail.com> wrote:

Siddhartha Jain

Nov 30, 2010, 12:27:33 AM
to brown-csci...@googlegroups.com
Siddhartha Jain:

Title: TaintDroid

Novel Idea:
The idea is to exploit the fact that Android programs are executed in a VM to tag variables, messages between applications and native library function calls with so-called taint tags to trace whether sensitive information ends up being transmitted or used suspiciously.

Main Results:
The framework is given and some experimental results in the form of overhead analysis and behavior over a set of apps are given.

Impact:
Privacy is an increasingly important concern and tools like this could be very important in the future to help detect apps containing spyware or malware.

Evidence:
The results for the overhead are given. The results for what sort of data was tagged by TaintDroid as violating privacy and, of that, what messages actually violated privacy are given.

Prior Work:
Prior work in emulating the system to provide instruction level tracing. That's inefficient and the architecture of the VM is used by TaintDroid to improve efficiency.

Reproducibility:
Open source!

Question:
What happens if the data is encrypted before being sent over the network? It seems like it would be hard to detect at the instruction level whether sensitive data is actually being used to generate information which is not sensitive and that that's being transmitted to, say, a remote server or whether the sensitive data is actually being encrypted before transmission.


On Mon, Nov 29, 2010 at 10:14 PM, Rodrigo Fonseca <rodrigo...@gmail.com> wrote:

Sandy Ryza

Nov 30, 2010, 12:26:58 AM
to CSCI2950-u Fall 10 - Brown
Title:
TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones

Authors:
William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon
Jung, Patrick McDaniel, Anmol N. Sheth

Date:
OSDI’10

Novel Idea:
The authors seek to monitor how applications on mobile phones handle
private data and where they send it to. They automatically label
(taint) data from private sources and, using Android's virtualized
architecture, propagate taint inside applications, between processes,
and through files. They use different granularities for each
propagation method in accordance with practical concerns.

Main Result(s):
TaintDroid was successful in identifying 68 instances of potential
misuse of private data across two thirds of the applications tested.
It was able to identify what kind of private data is used, and where
it is transmitted to (in particular, it found that 15 of the 30 tested
applications reported users' locations to advertising servers). It
incurs about a 14% performance overhead and about a 4.4% memory
overhead. It can be sidestepped (produce false negatives) with use of
implicit flows.

Evidence:
They randomly selected 30 of the most popular Android applications
across a number of categories and manually exercised their
functionality while running TaintDroid on them. They recorded the
types of private data used by each application and to what extent
tainted data was transmitted over the network. They verified their
results by looking at the actual data the phone was transmitting.
They performed a set of performance benchmarks, comparing a phone
modified with TaintDroid with an unmodified Android phone. They
measured the latencies to perform tasks such as create address book
entries and take pictures. Used CaffeineMark for performance
microbenchmarks for basic tasks that occur inside an app.

Prior Work:
Kirin and Saint provide OS-level protections to prevent access to
sensitive information on mobile phones. Asbestos, HiStar, and Flume
track flows between processes (in very different ways). A fair amount
of work has been on dynamic taint analysis, which monitors how
information flows inside legacy programs. A few efforts have been
made to apply dynamic taint analysis to virtual machines and
interpreters, particularly targeting the JVM.

Competitive Work:
As far as I know, TaintDroid is the only system that attempts to track
taint at fine granularity on mobile phones.

Reproducibility:
The authors mention a Technical Report version of the paper that contains
more implementation details. Without the source code or the names of
the applications tested on, however, the analyses might be difficult
to reproduce.

Criticism:
It seems very difficult to actually assess whether an application is
doing something sketchy without looking at the source code or at least
the actual data that it is sending to the network. For instance, the
paper contrasts two applications that transmit data tainted by the
IMEI (a unique phone identifier). One uses an actual IMEI while
another uses a hash of it, but TaintDroid has no way of
distinguishing. If TaintDroid is meant to be run in a laboratory
setting where a deeper look can be taken, why does the realtime aspect
(and all the fuss about performance overhead) matter?

Question:
How would we expect TaintDroid to be used? Would people have it on
their phones running all the time and somehow reporting to them when
applications are engaging in sketchy behavior?

Ideas for further work:
Perhaps combine TaintDroid with some mechanism that allows mobile
phone users to stop tainted data from leaving their phones (either
automatically behind the scenes or with some sort of popup when it's
about to happen).


On Nov 29, 10:14 pm, Rodrigo Fonseca <rodrigo.fons...@gmail.com>
wrote:

Shah

Nov 29, 2010, 10:41:22 PM
to CSCI2950-u Fall 10 - Brown
Title:

TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones

Authors:

[1] William Enck
[2] Peter Gilbert
[3] Byung-Gon Chun
[4] Landon P. Cox
[5] Jaeyeon Jung
[6] Patrick McDaniel
[7] Anmol N. Sheth

Source and Date:

9th USENIX on Operating Systems Design and Implementation. October
4-6, Vancouver, BC, Canada.

Novel Idea:

The authors present a novel system for the Android mobile phone that’s
capable of providing users with an overview of how their private data
is being used by third-party applications.

Main Result:

The scientists present TaintDroid - a system that provides realtime
analysis on Android by employing its virtualized execution environment
- and show that a large percentage of the 30-odd applications misuse
users’ sensitive data.

Impact:

Since this paper was only launched a couple of months ago, it
has yet to make its impact.

Evidence:

Providing sufficient evidence is a key theme in this paper as what the
authors claim is largely based on this alone. The authors give a fair
amount of detail on how their system works. Also, in Section 6,
they mention that their entire experiment lasted a little over 100
minutes indicating that this is the time it takes to analyze, in
detail, the 30-odd applications in a mobile environment.

Prior Work:

In Section 9, the authors clearly state that dynamic taint analysis
and information tracking for legacy programs inspired their work.
However, they claim that, to their knowledge, TaintDroid is the first
taint tracking system for a mobile phone.

Competitive Work:

In the same section as above, the authors list out several systems
that try to address mobile security concerns. Among many others, they
list Security-by-Contract, the work of Mulliner et al., Decentralized
Information Flow Control (DIFC), Flume, PRECIP, Privacy Oracle,
TightLip, Laminar, the work of Haldar et al., WASP, the work of
Chandra and Franz, the work of Nair et al., the work of Vogt et al.,
the work of Xu et al. and Resin.

Reproducibility

The authors give a fair amount of detail to make their experiments
reproducible. Since much of the applications are available off the
shelf, it makes material for a large part of their tests available.

Question:

Has a similar study been conducted for other smartphones? It’d be
interesting to see if data is commonly misused.

Criticism:

It’d have been nice to see this experiment conducted across various
smartphones. Otherwise, this paper is well-presented and clear to
follow.

Ideas for Further Work:

As the authors state, they plan on doing an automatic analysis for the
enumeration of information flows and JNI methods. This will make the
task less time-consuming.

Abhiram Natarajan

Nov 29, 2010, 11:28:12 PM
to CSCI2950-u Fall 10 - Brown
Paper Title: TaintDroid: An Information-Flow Tracking System for
Realtime Privacy Monitoring on Smartphones

Author(s): William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox,
Jaeyeon Jung, Patrick McDaniel, Anmol N. Sheth

Novel Idea: Development of TaintDroid, an extension to the Android
mobile-phone platform that tracks the flow of privacy sensitive data
through third-party applications.

Main Result(s): A system that is efficient and effective at system-
wide dynamic taint tracking and analysis with the capability of
tracking multiple sources of sensitive data.

Impact: TaintDroid would ensure that smartphone users can be more
relaxed when downloading third party applications.

Evidence: The authors state that they found 20 applications out of 30
popular applications which could potentially misuse users' private
information.

Prior Work: Some related work is
(1) Kirin, Saint, Security-by-Contract
(2) Asbestos, HiStar, Denning's lattice model, Flume, DEFCon, PRECIP
(3) TightLip, Privacy Oracle
(4) Language-based information flow security, Jif, SLam, Laminar,
legacy software designs
(5) Dynamic Binary Translation, Optimizing Context Switches, On-Demand
Tracking, x86 binaries

Competitive Work: The authors performed experiments on Google Nexus
One running Android OS version 2.1 adapted for TaintDroid. They devise
Macrobenchmarks and Java & IPC Microbenchmarks.

Reproducibility: As usual, exact results are hard to reproduce. For
one, we don't know the applications they used itself! However, there
seems to be sufficient explanation about the architecture, and thus
building a similar system would probably not be too hard.

James Chin

Nov 29, 2010, 10:55:56 PM
to CSCI2950-u Fall 10 - Brown
Paper Title: “TaintDroid: An Information-Flow Tracking System for
Realtime Privacy Monitoring on Smartphones”

Author(s): William Enck, Peter Gilbert, Byung-Gon Chun, Landon P.
Cox, Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth

Date: 2010 (OSDI ‘10)

Novel Idea: This paper presents TaintDroid, an efficient, system-wide
dynamic taint tracking and analysis system capable of simultaneously
tracking multiple sources of sensitive data. TaintDroid provides
realtime analysis by leveraging Android’s virtualized execution
environment.

Main Result(s): Using TaintDroid to monitor the behavior of 30 popular
third-party Android applications, chosen at random from the Android
Marketplace, the authors found 68 instances of potential misuse of
users’ private information across 20 applications. Specifically, this
study revealed that two-thirds of the applications that were monitored
had exhibited suspicious handling of sensitive data, and that 15 of
the 30 applications reported users’ locations to remote advertising
servers. On a side note, TaintDroid incurs only 14% performance
overhead on a CPU-bound micro-benchmark and imposes negligible
overhead on interactive third-party applications.

Impact: Today’s smartphone operating systems frequently fail to
provide users with adequate control over and visibility into how third-
party applications use their private data. Mobile-phone operating
systems currently provide only coarse-grained controls for regulating
whether an application can access private information, but provide
little insight into how private information is actually used.
Monitoring sensitive data with TaintDroid provides informed use of
third-party applications for phone users and valuable input for
smartphone security service firms seeking to identify misbehaving
applications.

Evidence: The authors randomly selected 30 popular applications from a
subset of the 50 most popular free Android applications that require
Internet permissions along with permissions to access either location,
camera, or audio data. They studied each of the thirty downloaded
applications by starting the application, performing any
initialization or registration that was required, and then manually
exercising the functionality offered by the application. The authors
also recorded system logs including detailed information from
TaintDroid: tainted binder messages, tainted file output, and tainted
network messages with the remote address. To verify their results,
they also logged network traffic using tcpdump. Finally, they also
noted whether applications acquired user consent for exporting
sensitive information.

Prior Work: This includes OS-level protections, including the Kirin,
Saint, and Security-by-Contract projects. Decentralized information
flow control (DIFC) enhanced operating systems such as Asbestos and
HiStar label processes and enforce access control. Additionally,
tools that analyze applications for privacy sensitive information
leaks include Privacy Oracle and TightLip. Moreover, language-based
information flow security extends existing programming languages by
labeling variables with security attributes. Finally, dynamic taint
analysis has been applied to virtual machines and interpreters.

Competitive Work: To the authors’ knowledge, TaintDroid is the first
taint tracking system for a mobile phone and is the first dynamic
taint analysis system to achieve practical system-wide analysis
through the integration of tracking multiple data object
granularities.

Reproducibility: The findings appear to be reproducible if one follows
the testing procedures outlined in this paper and has access to the
code for TaintDroid.

Question: Are the authors planning on developing TaintDroid-like
applications for other mobile operating systems?

Criticism: TaintDroid can only be used on the Android OS.

Ideas for further work: Develop TaintDroid-like applications for other
mobile operating systems.


On Nov 29, 10:14 pm, Rodrigo Fonseca <rodrigo.fons...@gmail.com>
wrote:

Zikai

Nov 29, 2010, 11:46:37 PM
to CSCI2950-u Fall 10 - Brown
Paper Title: TaintDroid: An Information-Flow Tracking System for
Realtime Privacy Monitoring on Smartphones
Author(s): William Enck, Peter Gilbert, Byung-gon Chun, Landon P. Cox,
Jaeyeon Jung, Patrick McDaniel, and Anmol N. Sheth
Date/Conference: OSDI 10

Novel Idea: Achieve an appropriate tradeoff between performance and
accuracy for resource constrained smart phones by integrating four
granularities of taint propagation (variable-level, message-level,
method level and file-level).

Main Results: (1) Design and implement TaintDroid, an efficient,
system-wide information flow tracking tool that can simultaneously
track multiple sources of sensitive data.
(2) Evaluate TaintDroid on 30 randomly selected popular applications
and find a number of potential privacy violations in three categories
with no false positive rate. Also test TaintDroid with a series of
macro and micro benchmarks and find that performance and space
overhead is limited.

Impact: In a world with more and more mobile application stores and
mobile applications, TaintDroid can give users some kind of confidence
level into mobile applications they purchase, download, install and
rely on.

Evidence:
(1) In Part 6, the authors apply TaintDroid on 30 randomly selected
popular applications requiring different privacy permissions and find
a number of potential privacy violations in three categories with no
false positive rate.
(2) In Part 7, the authors use a series of macro and micro benchmarks
to test latency and space overhead of TaintDroid.

Prior Work: dynamic taint analysis (especially on instruction-level)
CaffeineMark

Competitive Work:
In Part 9, the authors cover competitive work on OS-level mobile phone host
security protection, DIFC, tools that analyze privacy, language-based
information flow security, dynamic taint analysis.

Reproducibility:
TaintDroid’s source code is available at http://appanalysis.org/download.html
with detailed instructions for building and flashing on mobile devices.
Therefore, one can easily install it on an Android phone and reproduce
the evaluations.

Question: (1) The authors concede that the limited performance overhead
of TaintDroid is because 1) most applications are primarily in a ‘wait
state’ and 2) heavyweight operations occur in unmonitored native
libraries. Therefore, a natural question will be: what if we have a
highly interactive application with heavy IPC and networking data
flow? What if we have to monitor heavyweight native libraries because
they involve operations that touch private data?
(2) A related question to (1) is whether the macro benchmarks are
sufficient to prove low overhead of TaintDroid. Again applications and
operations they tested were not highly interactive applications or
calling heavyweight native libraries that involve private data.

Criticism: In Part 6, the authors tested 30 mobile applications by
‘manually exercising the functionalities offered by the application’
and generated good results with no false positives. However, they did
not cover the coverage on the test applications in their test (maybe
in terms of line coverage, branch coverage, path coverage and so on).
Therefore, there are two possibilities: (1) TaintDroid is able to find
more privacy violations when they have better test coverage (2)
TaintDroid will generate more false positives when they have better
test coverage. I think the latter is inevitable because the one taint
tag per array/IPC message/file method is sacrificing accuracy (higher
false positive rate) to decrease performance/space overhead and no
false positives are weird.


On Nov 29, 10:14 pm, Rodrigo Fonseca <rodrigo.fons...@gmail.com>
wrote:
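
An added example, not part of any post in this thread and not TaintDroid's own code: a small Python model of the accuracy trade-offs raised in Sandy Ryza's and Zikai's reviews above (a hash of the IMEI is flagged exactly like the raw IMEI, one tag per array produces false positives, and implicit flows produce false negatives). The names `Taint`, `Val`, `TaggedArray`, the app names, the `*.example` hosts and the sample IMEI are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from enum import IntFlag


class Taint(IntFlag):
    """Taint tags as bit flags, so one value can carry several sources."""
    CLEAR = 0
    LOCATION = 1
    IMEI = 2


@dataclass(frozen=True)
class Val:
    """A variable-level tracked value: the data plus its taint tag."""
    data: object
    tag: Taint = Taint.CLEAR


def combine(op, *operands):
    """Explicit-flow rule: the result carries the union of operand tags."""
    tag = Taint.CLEAR
    for operand in operands:
        tag |= operand.tag
    return Val(op(*(o.data for o in operands)), tag)


class TaggedArray:
    """An array that keeps ONE tag for all elements (coarse granularity)."""

    def __init__(self, size):
        self._items = [None] * size
        self.tag = Taint.CLEAR

    def put(self, index, val):
        self._items[index] = val.data
        self.tag |= val.tag           # the whole array becomes tainted

    def get(self, index):
        return Val(self._items[index], self.tag)


def implicit_copy(secret):
    """Rebuild a digit string through control flow only.

    Each output character is a constant selected by a branch on the secret,
    so no tainted operand is ever assigned and the result tag stays CLEAR.
    """
    out = ""
    for ch in secret.data:
        for digit in "0123456789":
            if ch == digit:
                out += digit          # constant, carries no tag
    return Val(out)


def network_send(log, app, dest, val):
    """Taint sink: log app, destination and tag when tainted data leaves."""
    flagged = val.tag != Taint.CLEAR
    if flagged:
        log.append((app, dest, val.tag))
    return flagged


def run_demo():
    log = []
    imei = Val("490154203237518", Taint.IMEI)          # constructed sample

    # 1. Raw IMEI and its hash both reach the sink with the same tag, so the
    #    log alone cannot tell the two applications apart.
    raw_flagged = network_send(log, "app.raw", "content.example", imei)
    hashed = combine(lambda s: hashlib.sha256(s.encode()).hexdigest(), imei)
    hash_flagged = network_send(log, "app.hash", "content.example", hashed)

    # 2. One tag per array: an innocuous element is reported as location data.
    arr = TaggedArray(2)
    arr.put(0, Val("hello"))
    arr.put(1, Val((41.83, -71.40), Taint.LOCATION))    # constructed sample
    array_flagged = network_send(log, "app.array", "ads.example", arr.get(0))

    # 3. Implicit flow: the same digits leave without any tag.
    copied = implicit_copy(imei)
    implicit_flagged = network_send(log, "app.implicit", "ads.example", copied)

    return {
        "raw_flagged": raw_flagged,
        "hash_flagged": hash_flagged,
        "array_flagged": array_flagged,          # false positive
        "implicit_data_equal": copied.data == imei.data,
        "implicit_flagged": implicit_flagged,    # false negative
        "log": log,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```
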

Visawee

Nov 29, 2010, 11:02:33 PM
to CSCI2950-u Fall 10 - Brown
Paper Title :
TaintDroid: An Information-Flow Tracking System for Realtime Privacy
Monitoring on Smartphones


Author(s) :
William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox, Jaeyeon
Jung, Patrick McDaniel, Anmol N. Sheth


Date :
To appear at the 9th USENIX Symposium on Operating Systems Design and
Implementation (OSDI ’10)


Novel Idea :
Integrating multiple taint tracking techniques to provide a dynamic
taint tracking and analysis system that can simultaneously track
multiple sources of sensitive data on a mobile device.


Evidence/Main Result(s) :
The authors set up several experiments to evaluate TaintDroid.
(1) Application Study: The authors use TaintDroid to analyze how 30
popular third-party Android applications use privacy sensitive data.
This study shows that TaintDroid is able to monitor runtime access of
sensitive user data and to relate the monitored accesses precisely
with the data exposure by applications.
(2) Macrobenchmarks: The authors devise five macrobenchmarks for
common high-level smartphone operations to observe the performance
overhead of TaintDroid. The performance overheads are 3% for loading
an application, 5.5% for creating an entry in the phonebook, 18% for
reading an entry in the phonebook, 10% for making a phone call, and 29%
for taking a picture.
(3) Microbenchmark: The authors set up a CPU-bound microbenchmark and
find that TaintDroid adds only 14% performance overhead to the system.


Impact :
Users of Android devices have more visibility into how applications
use their private data, and can identify misbehaving applications.


Prior Work :
There were several tainting techniques before TaintDroid. However, the
authors’ work is on integrating these techniques together and
identifying an appropriate trade-off between performance and accuracy
for resource constrained smartphones.


Reproducibility :
The results are reproducible if given TaintDroid’s code because the
experiments are mentioned in detail in the paper.


Criticism :
- The paper is very well written and easy to follow except for the
section about implementation. Without reading the Technical Report, it
is very hard to understand the detailed implementation of TaintDroid.

Joost

Nov 30, 2010, 12:38:14 PM
to CSCI2950-u Fall 10 - Brown
Title: TaintDroid: An Information-Flow Tracking System for Realtime
Privacy Monitoring on Smartphones
Authors : William Enck, Peter Gilbert, Byung-Gon Chun, Landon P. Cox,
Jaeyeon Jung, Patrick McDaniel, Anmol N. Sheth
Date: OSDI 2010
Novel Idea: The authors present a system whereby users can track to
see how information from their phone is being used by 3rd party
applications.
Main Results: The authors implemented such a system for the Android
smartphone. The system they implemented works with the native
architecture of the Android to track information flow through apps.
From this they were able to discern what type of information the apps
were accessing, and further able to isolate potential misuse of this
information.
Impact: Systems like this could be run on all apps submitted to mobile
app-stores and require that they pass the test sweep before they are
allowed to be accessible for download. While individual usage of a
system like this is possible, so long as the apps remain centralized
in distribution it makes more sense for the app-stores to deal with
this.
Evidence: The authors ran their system on 30 popular Android
applications and found 105 instances of personal information being
transmitted, with only 37 of these cases being clearly legitimate.
Fully two-thirds of the apps had questionable usage of data either to
third party ads or other information not relevant to the function of
the app.
Prior Work: This system is an extension of previous taint-tracking
methods, though it did require an overhaul owing to the limited
capacity that a smartphone provides compared to traditional machines.
Reproducibility: Given that the code has been released to open source,
it would be easy to conduct similar experiments with other Android
applications.
Question/Criticism: Since the framework developed relies heavily on
Android's native libraries, how mod-able is this system to other
smartphones?


On Nov 29, 10:14 pm, Rodrigo Fonseca <rodrigo.fons...@gmail.com>
wrote: