Enhancing User Privacy on Android Devices via Permissions Removal
CIS Honours Minor Thesis
Quang Do (LHIS), Student ID: 110042499
Address: 8 Coonong Ave, Pooraka
Date of Submission: 9/06/2013
Research Supervisors: Dr Raymond Choo & Ben Martini

Abstract
Android devices are becoming an increasingly popular alternative to laptop and desktop computers. The rise in the number of services (banking, shopping, medical records, etc.) performed entirely on a smartphone or tablet means, in turn, that a greater amount of sensitive data is stored on the devices. Because of this popularity, Android devices are constantly at risk of apps stealing that sensitive information. Most research on enhancing user privacy on Android devices falls into the categories of Android modifications or mock/shadow data. These proposed solutions often require a custom operating system, which severely limits where they can be deployed. This research proposes the use of permissions removal to enhance user privacy, which does not require modifications to the Android operating system. A reverse engineering or repackaging process is used to remove an app's access to a particular Android resource, be it contacts data, location information or others. Because the change is made entirely within the app itself, the resulting repackaged app will work on every device the original app supported, greatly improving usability compared with much of the research in the area.
Page 1 of 15

Contents
Abstract
1 Introduction
1.1 Aims of Research
1.2 Motivations of Research
2 Literature Review
2.1 Improving the Android OS and Fine-grained Control
2.2 Mock/Shadow Data
2.3 Permissions Removal
2.4 Summary
3 Research Design
3.1 Hardware and Software
3.2 Methodology
3.2.1 Permissions Removal Process
3.2.2 Permissions Monitoring Process
3.3 Limitations
3.4 Expected Outcomes
3.5 Future Work
4 Thesis Structure
4.1 Thesis Layout
4.2 Research Plan and Timetable
References

1 Introduction
As smartphone usage increases in both availability and the range of tasks performed, so too does the need for security and privacy. Smartphones are now used for tasks once performed solely on personal computers and notebooks: paying bills, banking and ordering items online can all be done from a smartphone alone. With the increase in the amount of sensitive information stored on the device, user privacy becomes an important, if somewhat forgotten, factor.
The most widely used smartphone operating system as of early 2013 is Google's Android (Oleaga 2013). The Android platform is designed with openness in mind: the platform's source code is published for download, modification and review. Partly because of this open nature, the Google Play Store follows a blacklist model of accepting Android apps ("apps"): every app is accepted unless it is flagged by Google's in-house scanning engine (Hou 2012) or reported by users, making it a largely unregulated app market. Such a model is workable only because security on an Android device relies heavily on its permissions system.
Figure 1.1: Permission requests when installing Tumblr via the Google Play Store and manually
Android depends on its permissions system to reduce the risk of installing a malicious app on the device.
A user must manually check the list of permissions an app requests, which is presented at installation, in order to judge whether the app is legitimate. An app without the appropriate permission cannot perform tasks requiring that resource; for example, a phone dialler app needs the CALL_PHONE permission to place calls. At install time a user can only grant all of an app's requested permissions or abandon the installation; individual permissions cannot be denied. While some of the permissions requested may be legitimate, others may be malicious in nature. A significant proportion of the over-privileged apps (apps that request more permissions than they need) on the Google Play Store, including apps containing malware, are designed to harvest user information such as contact data and phone records (http://www.kaspersky.com/about/news/virus/2011/Number_of_the_Week_at_Least_34_of_Android_Malware_Is_Stealing_Your_Data).
This research explores methods by which Android apps, specifically social networking apps, can be made more privacy friendly. The main approach is to address an app's use of its requested permissions, which can be done either by permission blocking or by permission removal. The main focus of this research is app permission removal and its viability for protecting user privacy.

1.1 Aims of Research
The purpose of this research is to investigate: how effective is permissions removal in enhancing user privacy on Android devices?
This research will identify, classify and remove selected permissions from Android social networking apps and record the impact on the stability and usability of the apps. The identification and classification of permissions to be removed are themselves outcomes of this research. Usability and stability are judged on whether an app performs similarly, and without crashing, before and after the permissions removal process.
The field of this research question is Android security, specifically Android user privacy.

1.2 Motivations of Research
The main motivation for research in Android user privacy is the prevalence of smartphones and our reliance on them. When a smartphone is compromised by an app, a large amount of sensitive information is potentially at risk, which could be detrimental to an individual or even an entire corporation.
Permissions removal, as opposed to other methods of enhancing user privacy, was chosen because it is the least researched (see section 2) and the most widely deployable of the methods currently pursued. The research focuses exclusively on reducing the privacy impact of Android social networking apps, as these are among the most commonly used apps that regularly request access to sensitive information. If successful, companies such as Facebook would be unable, or would find it much harder, to collect user information such as contact names and phone numbers through a repackaged app.
Current research into Android user privacy focuses mainly on operating system enhancements and mock data (such as mock contacts and mock locations). Permissions removal has the potential to be more widely deployed than these methods because a repackaged app runs on any Android device the original app could run on. Android enhancements and mock data usually require a custom operating system to be installed on a device or, at the very least, a device with administrator (root) privileges. This research aims to produce repackaged apps that run on devices without root access.

2 Literature Review
With the widespread adoption of smartphones and their capacity to act as a general purpose computing platform, mobile user privacy and security have emerged as a salient area of inquiry.
Privacy and data protection regimes vary between countries because of their different legal systems. In Australia, for example, the Privacy Act 1988 (Cth) regulates "information privacy", taken to mean the protection of personal information for the purposes of the Act. It does so by setting out a series of baseline privacy standards, the 13 Australian Privacy Principles (APPs), which replace the current National Privacy Principles (NPPs) for organisations and Information Privacy Principles (IPPs) for government agencies with effect from 12 March 2014. Although privacy and data protection regimes are not fully harmonised internationally, the general requirement is that organisations must take reasonable care or appropriate steps to secure personal information.
Android is a mobile operating system built on sandboxing and an app permissions system in which an app must request controlled permissions from the system at installation. Many researchers working on Android security and privacy use the permissions system as the lever for improving user privacy. For example, Book, Pridgen & Wallach (2013) examined a sample of 114 000 apps from the Google Play Store and found that the number of permissions apps require is increasing, posing a growing privacy risk to Android users. Shekhar, Dietz & Wallach (2012) suggested that the increase may be due to advertising in Android apps becoming more common, and sometimes even expected, with the rise in the number of free apps: advertising libraries require many additional resources for their own data collection, analysis and transmission.
A review of the current literature suggests four main areas of research intended to improve Android users' privacy with respect to app permissions:
1. Improving the Android OS
2. Fine-grained app permission control
3. Mock/shadow data
4. Android permission removal

2.1 Improving the Android OS and Fine-grained Control
Studies by Felt et al. (2012) and Kelley et al. (2012) suggested that many users have a low comprehension of the Android permissions system: the system may serve technical users well, but not novices. The authors found that the system did not inform users of the dangers of granting over-privileged apps access to these permissions at installation. Felt et al. then put forward several suggestions for improving the base Android OS, including showing users the risks of allowing certain permissions instead of just the resource name, and defining user-friendly categories for permissions. These techniques would significantly increase user comprehension of Android permissions, and so are a form of privacy enhancement in themselves.
Kern & Sametinger (2012) took a different approach. They recommended fine-grained control of individual permissions on a per-app basis: each Android app would have each of its permissions listed explicitly, and the user would allow or deny each request either in real time or beforehand. Kern & Sametinger also examined the use of OS extensions and third-party apps to grant or deny an app's permissions individually, and developed their own app that lets a user grant or deny a request as it occurs.
In independent but related work, Zhou et al. (2011) designed TISSA, a system that can control an app's access to sensitive permissions; the user can, for example, specify whether the app may access the device ID, contacts, call logs and so on. This is finer grained than the system proposed by Kern & Sametinger, whose proposal does not address mock or anonymised data (covered in the next section). With TISSA, one could let an app access the device's contacts but have it receive faked or empty data, while simultaneously blocking its access to call logs. Kern & Sametinger further found that providing adequate control of app permissions requires the apps to be repackaged specifically to reduce resource usage, although with the ever-increasing processing power of smartphones this may cease to be a problem.
While these researchers addressed user privacy broadly, Bugiel, Heuser & Sadeghi (2012) instead presented changes and improvements to the Android system services themselves in order to support fine-tuned control of app permissions. This differs from the previous research in that changes at this layer of the operating system could feasibly be adopted in future versions of Android.
Most proposals for fine-tuned app control so far require modification of the Android operating system. A privacy control app, as opposed to an operating system modification, could work on stock Android devices with no operating system changes.

2.2 Mock/Shadow Data
The third area in improving Android users' privacy is that of mock, fake or shadow data: for example, sending mock location data to apps that request it instead of the real location, or presenting an app with an empty contacts list on a device that does have contacts. MockDroid (Beresford et al. 2011) is a modified Android operating system that allows the user to fake, from the app's point of view, the access or retrieval of a requested resource.
An app may demand the contacts permission as a condition of installation even when it requests the permission only to mine the device's data. The downside of MockDroid is that, because it is a custom Android system, a complete wipe and installation of the modified OS is required to use it on a device. Deploying this approach across many commercial Android devices is therefore not feasible.
AppFence (Hornyack et al. 2011) is another modified Android system aimed at imposing privacy controls on Android apps. When an app requests data that the user does not want it to have, AppFence substitutes fake "shadow data"; for example, an app requesting the list of all contacts may receive an empty list even though the device holds contacts. Shadow data can be used in almost all areas of the Android system but, once again, it generally requires a modified version of the Android OS.
TaintDroid (Enck et al. 2010) extends the Android operating system to track sensitive data (such as location, contacts and phone identifiers) as it flows through apps and to report when that data leaves the device. TaintDroid itself detects leaks rather than blocking them; AppFence builds on it to let the user decide which data, such as postal addresses or phone numbers, an app may actually receive.

2.3 Permissions Removal
A less researched area of Android app privacy is app permissions removal. This approach requires the app to be modified so that selected permissions are removed. Generally this means the app's source code is needed, or the app is decompiled, modified and recompiled. An unpublished student report by Helfer & Lin (2012) found that while it is possible to remove permissions manually from an app, doing so generally caused the app to crash or freeze immediately. Berthome et al. (2012) proposed a pair of components: (1) the Security Monitor, a third-party app installed on the device, and (2) the Security Reporter, which is injected into a decompiled target app. The injected code monitors the target app and reports details such as resource requests to the Security Monitor. Juanru, Dawu & Yuhao (2012) used a similar decompilation technique to aid their Android malware research. Xu, Saïdi & Anderson (2012), however, appear to have researched this area in the most depth in the current literature. They developed Aurasium, which automatically repackages Android apps to add sandboxing and policy enforcement in order to enhance user privacy. They also observed, as this research does, that most research on Android privacy requires major modifications to the operating system, resulting in usability issues. Permissions removal is a relatively new but promising approach because it requires neither modifications to the Android operating system nor third-party apps.

2.4 Summary
A common finding and recommendation of current research in Android privacy is that the Android operating system itself requires further changes in order to adequately protect a user's sensitive information. Third-party frameworks and plugins built into custom versions of Android showcase what privacy measures are possible through direct OS improvements, including a more user-friendly permissions system and the display of the risks of granting certain permissions when an app is installed. Another widely suggested and implemented method of improving user security and privacy is fine-grained permissions, which allows users to allow or deny specific permissions on a per-application basis.
Other researchers attempt to lessen the impact of malware and over-privileged apps on a user's private information by introducing shadow or mock data, that is, faked or empty data supplied to an app as though it were real. Finally, a less used method of improving privacy is to reverse engineer or repackage an app and remove a permission, completely preventing the app from accessing the resource. Research in this area should focus on the less researched aspects of Android user privacy, permissions removal and fine-grained permissions control, both of which this research addresses.

3 Research Design
3.1 Hardware and Software
To perform permissions removal on Android apps, a desktop PC is required, as a great deal of processing power is needed to reverse engineer an Android app. A desktop PC can also emulate the Android operating system on a virtual device in order to test for instabilities introduced by the removal process. Physical Android devices are essential as well, as they are what the research's main outcome addresses. Access to this hardware is easy given how common the equipment is.
On the software side, a package is required that can perform decompilation and recompilation of an Android app. Virtuous Ten Studio (http://www.virtuous-ten-studio.com/) was chosen as it is capable of both tasks and also serves as an Integrated Development Environment (IDE) for the decompiled code, so the one tool can be used in several parts of the permissions removal process.

3.2 Methodology
In order to answer the research question, several steps must be defined and followed.
1. Commonly used social networking apps are identified from the Google Play Store.
2. From the chosen apps, a set of common and suitable permissions is selected for removal. Figure 3.1 describes this in greater detail.
3. Each app (APK file) is then repackaged with its permission requests removed, as described in section 3.2.1.
4. The app is tested on several commonly used Android platforms: Android 2.2, 2.3, 4.0 and 4.2.
   a. Test for stability: no crashes or lost data.
   b. Test for results: the app actually has no access to the resource whose permission request has been removed.
5. After results from step 4 are gathered, the permissions monitoring process described in section 3.2.2 is followed and step 4 is repeated with these repackaged apps.
6. Evaluate the results from the above steps.
Figure 3.1: Permissions Selection Process
Figure 3.1 describes the permissions selection process for choosing which permissions to remove, or attempt to remove, from an app. The first and most important question is whether the user considers that the app needs the permission at all. Studies by Felt et al. (2012) have shown that user comprehension of permissions is quite low, so during permissions selection this step will be simulated. The next question is whether the app actually requires the permission in order to function: a location-based mapping app needs location resources such as GPS, whereas a note-keeping app has no need for such information. Many permissions give an app access to sensitive information, including contacts, call logs, the phone's IMEI, text messages and more. Even if an app has a legitimate use for this information, it may be worthwhile to disallow the permission anyway. Finally, the feasibility of removing the permission is considered: some apps may be so heavily dependent on a resource that they cannot function without it.
3.2.1 Permissions Removal Process
Figure 3.2: The Permissions Removal Process
In order to remove a particular permission from an Android app, the app must first be decompiled with a suitable desktop application. The result is several files and folders, two of which matter most for this process. The first is AndroidManifest.xml, in which each permission requested by the app is listed as a <uses-permission> element. The second is the smali folder, which usually holds thousands of files making up the app's code in smali, a human-readable assembly syntax for Dalvik bytecode that is awkward to debug and program in. As a result, these files need to be converted into something more readable: the Dalvik code is converted to a Jar file of Java class files, which can then be decompiled and modified as plain Java. Many permissions, though, can simply be removed from AndroidManifest.xml without source code changes while leaving a functioning app. The caveat is that the code paths that used the resource remain in place; when one of them executes, the Android framework typically throws a SecurityException at the call, and whether the app carries on or crashes depends on whether that call is wrapped in exception handling. This is exactly the behaviour the stability tests in section 3.2 are designed to expose.
Figure 3.3: AndroidManifest.xml File with READ_CONTACTS permission selected

3.2.2 Permissions Monitoring Process
Figure 3.4: Process to Repackage an App to Contain Permissions Monitoring
Another aspect of Android privacy related to permissions removal is the monitoring of an app's actual permission use. The process proposed in Figure 3.4 gives two methods for adding monitoring to an app: one is manually adding code at each call that requests a resource (listed as Manual), the other (Automatic) is adding code primarily to the app's main activity which detects when resources are used. The manual method is efficient because no monitoring component has to run constantly in the background to detect resource usage, and it has a higher chance of catching every access to a permission-protected resource. Its drawbacks are that the added code is scattered throughout the app and that manually changing code is time consuming and may be infeasible in a large app.
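As an added illustration of the two processes just described (it is not code from the thesis or from Virtuous Ten Studio), the following Python script works on the decoded output of an APK decompiler. It removes selected <uses-permission> entries from a decoded AndroidManifest.xml; scans the smali tree for uses of permission-guarded APIs, so that a planned removal can be predicted either to leave the app untouched or to trip a SecurityException at a known call site; and applies the manual monitoring method by inserting a reporter call before each such use. The manifest and smali inputs are constructed samples, the API-to-permission table is a small hand-written subset rather than the full Android mapping, and the com.example.monitor.Reporter class is hypothetical.

```python
"""Added example (not from the thesis or Virtuous Ten Studio): manifest-level
permission removal plus a smali scan for permission-guarded API use, working on
the plain-text output of an APK decoder. All inputs below are constructed samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Assumption: a small illustrative subset of the Android API-to-permission map,
# keyed by class/method descriptors exactly as they appear in smali.
API_MARKERS = {
    "Landroid/provider/ContactsContract": "android.permission.READ_CONTACTS",
    "Landroid/location/LocationManager;->getLastKnownLocation": "android.permission.ACCESS_FINE_LOCATION",
    "Landroid/telephony/TelephonyManager;->getDeviceId": "android.permission.READ_PHONE_STATE",
}
# Hypothetical reporter for the manual monitoring method. A no-argument static
# call uses no registers, so it can be inserted without touching .locals.
REPORT_CALL = "    invoke-static {}, Lcom/example/monitor/Reporter;->report()V"

SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.social">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Example"/>
</manifest>
"""

SAMPLE_SMALI = {
    "smali/com/example/social/ContactSync.smali": """\
.class public Lcom/example/social/ContactSync;
.super Ljava/lang/Object;

.method public upload(Landroid/content/ContentResolver;)V
    .locals 2
    sget-object v0, Landroid/provider/ContactsContract$Contacts;->CONTENT_URI:Landroid/net/Uri;
    const/4 v1, 0x0
    invoke-virtual {p1, v0, v1, v1, v1, v1}, Landroid/content/ContentResolver;->query(Landroid/net/Uri;[Ljava/lang/String;Ljava/lang/String;[Ljava/lang/String;Ljava/lang/String;)Landroid/database/Cursor;
    return-void
.end method
""",
}

def list_permissions(manifest_xml):
    """Return the <uses-permission> names in declaration order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    return [el.get(NAME_ATTR) for el in root.findall("uses-permission")]

def remove_permissions(manifest_xml, to_remove):
    """Delete the selected <uses-permission> entries; return (new_xml, removed)."""
    ET.register_namespace("android", ANDROID_NS)  # keep the android: prefix on output
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    removed = []
    for el in list(root.findall("uses-permission")):
        if el.get(NAME_ATTR) in to_remove:
            root.remove(el)
            removed.append(el.get(NAME_ATTR))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode"), removed

def scan_smali(files):
    """Map each guarded permission to the (class, method) pairs whose code uses it."""
    hits = {}
    for path, text in files.items():
        cls = path.split("smali/", 1)[1][:-len(".smali")].replace("/", ".")
        method = None
        for line in text.splitlines():
            stripped = line.strip()
            if stripped.startswith(".method"):
                method = stripped.split()[-1]   # e.g. upload(Landroid/content/ContentResolver;)V
            elif stripped.startswith(".end method"):
                method = None
            for marker, perm in API_MARKERS.items():
                if marker in stripped:
                    hits.setdefault(perm, []).append((cls, method))
    return hits

def classify(declared, hits):
    """referenced: a call site remains and will raise SecurityException once the
    permission is gone; unreferenced: removable from the manifest alone;
    unknown: no marker in API_MARKERS, so the scan says nothing about it."""
    known = set(API_MARKERS.values())
    referenced = {p: hits[p] for p in declared if p in hits}
    unreferenced = [p for p in declared if p in known and p not in hits]
    unknown = [p for p in declared if p not in known]
    return referenced, unreferenced, unknown

def inject_monitor(smali_text):
    """Manual monitoring: insert the reporter call before every guarded API line."""
    out = []
    for line in smali_text.splitlines():
        if any(marker in line for marker in API_MARKERS):
            out.append(REPORT_CALL)
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    declared = list_permissions(SAMPLE_MANIFEST)
    referenced, unreferenced, unknown = classify(declared, scan_smali(SAMPLE_SMALI))
    print("call sites:", referenced, "| droppable:", unreferenced, "| unscanned:", unknown)
    print(remove_permissions(SAMPLE_MANIFEST, set(unreferenced))[0])
```

Run as a script, it reports that READ_CONTACTS is used in ContactSync.upload (so removing it from the manifest alone would leave a call that throws SecurityException), that ACCESS_FINE_LOCATION is declared but never referenced (removable from the manifest without code changes), and that INTERNET is outside the scanner's table. The script stops at the text level: after the manifest or smali is edited, the app still has to be rebuilt and re-signed by the decompiler tool.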
The automatic method has the advantage that the detection code may be reusable across apps, since many resources are accessed in the same way. For example, to read contacts an app queries the contacts content provider through a ContentResolver and receives a Cursor over the results; hooking that query is one point at which contacts access can be detected and allowed or denied.
The main reason both permissions monitoring and permissions removal are undertaken in the proposed research is that they go hand in hand in terms of privacy. By monitoring when and which resources are accessed, it may be possible to determine which permissions should be removed and which should be retained or restricted. Android permissions monitoring will be a minor part of the proposed research, with permissions removal being the main focus.

3.3 Limitations
A major limitation of the permissions removal process is that the conversion from smali to plain Java is not fully usable. The result of such a conversion is a set of Java source files full of errors. In an application such as Facebook, the Java classes number in the thousands, and it is not feasible to fix the source by hand because the semantics of the code may have been altered by the conversion, leaving methods that perform entirely different tasks.
Figure 3.5: Non-ideal Permissions Removal Process
As a result, the ideal process presented in Figure 3.2 must change in order to be feasible; Figure 3.5 is the less ideal process that has to be followed instead. It means that the smali language itself must be studied in order to properly reverse engineer an Android app, and as smali is a low-level, register-based assembly for Dalvik, learning to work in it could take a significant amount of time. A further limitation is that a repackaged APK must be re-signed with a key other than the original developer's, so it cannot be installed as an update over the original app, and any server-side or SDK check tied to the original signing certificate will fail for the repackaged app.

3.4 Expected Outcomes
The purpose of this research is to address the research question proposed in section 1.1.
The research will establish whether permissions removal is a viable method of enhancing user privacy by testing it on Android social networking apps. As part of this, the research will identify permissions commonly requested by social networking apps that should not be requested or that could serve a malicious purpose. As a final outcome, the repackaged apps will be run on a physical Android device to see whether they function fully without the resource or resources that have been removed.

3.5 Future Work
As the processing power of Android devices continues to increase, it becomes possible to run on the device a process originally intended for desktop machines. The decompilation, modification and recompilation of an Android app could then be done entirely on the device, removing the need for a desktop machine and greatly increasing the portability of the process. Other future work could focus on fully automating the permissions removal process, or on crowdsourcing the selection of dangerous permissions.

4 Thesis Structure
4.1 Thesis Layout
Below is the currently proposed layout for the minor thesis, to be completed by October.
1 Introduction
2 Literature Review
3 Research Methodology
4 Permissions Removal
5 Permissions Monitoring
6 Conclusion and Future Work
Chapter 1, the introduction, will include subsections such as background and contributions. The literature review follows as chapter 2 and will be the literature review included in this research proposal, with additional detail as more works are found and used as the research progresses. The research methodology chapter details the steps taken to perform the permissions removal and, eventually, the permissions monitoring processes. Chapters 4 and 5 are the main contributions of the research, going into depth on the research's findings.
The final chapter summarises and presents the results.

4.2 Research Plan and Timetable
Figure 4.1: Proposed Gantt chart for Minor Thesis
Figure 4.1 displays the tasks undertaken so far, the current progress and the expected future tasks for the research. The blue lines mark the boundaries of the Minor Thesis project, the first being the beginning of the project and the second its end. The red line marks the current progress and date (end of May 2013). Further experiments are scheduled after the main experiments in case the first experiments do not yield significant findings. The thesis is expected to be in its final stages by the beginning of October.

References
Beresford, AR, Rice, A, Skehin, N & Sohan, R 2011, 'MockDroid: trading privacy for application functionality on smartphones', Proceedings of the 12th Workshop on Mobile Computing Systems and Applications, pp. 49-54.
Berthome, P, Fecherolle, T, Guilloteau, N & Lalande, JF 2012, 'Repackaging Android Applications for Auditing Access to Private Data', Availability, Reliability and Security (ARES), 2012 Seventh International Conference on, 20-24 Aug. 2012, pp. 388-396.
Book, T, Pridgen, A & Wallach, DS 2013, 'Longitudinal Analysis of Android Ad Library Permissions', arXiv preprint arXiv:1303.0857.
Bugiel, S, Heuser, S & Sadeghi, A-R 2012, myTunes: Semantically Linked and User-Centric Fine-Grained Privacy Control on Android, Technical Report TUD-CS-2012-0226, Center for Advanced Security Research Darmstadt (CASED).
Enck, W, Gilbert, P, Chun, B-G, Cox, LP, Jung, J, McDaniel, P & Sheth, AN 2010, 'TaintDroid: an information-flow tracking system for realtime privacy monitoring on smartphones', Proceedings of the 9th USENIX Conference on Operating Systems Design and Implementation, pp. 1-6.
Felt, AP, Ha, E, Egelman, S, Haney, A, Chin, E & Wagner, D 2012, 'Android permissions: User attention, comprehension, and behavior', Proceedings of the Eighth Symposium on Usable Privacy and Security, p. 3.
Helfer, J & Lin, T 2012, Giving the User Control over Android Permissions, updated December 15, 2012, viewed March 25th, <http://css.csail.mit.edu/6.858/2012/projects/helfer-ty12.pdf>.
Hornyack, P, Han, S, Jung, J, Schechter, S & Wetherall, D 2011, 'These aren't the droids you're looking for: retrofitting Android to protect data from imperious applications', Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 639-652.
Hou, O 2012, A Look at Google Bouncer, updated July 20th, 2012, TrendLabs Security Intelligence Blog, viewed April 14th, <http://blog.trendmicro.com/trendlabs-security-intelligence/a-look-at-google-bouncer/>.
Juanru, L, Dawu, G & Yuhao, L 2012, 'Android Malware Forensics: Reconstruction of Malicious Events', Distributed Computing Systems Workshops (ICDCSW), 2012 32nd International Conference on, 18-21 June 2012, pp. 552-558.
Kelley, PG, Consolvo, S, Cranor, LF, Jung, J, Sadeh, N & Wetherall, D 2012, 'A Conundrum of Permissions: Installing Applications on an Android Smartphone', Proceedings of the Workshop on Usable Security (USEC).
Kern, M & Sametinger, J 2012, 'Permission Tracking in Android', UBICOMM 2012, The Sixth International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies, pp. 148-155.
Oleaga, M 2013, iOS vs. Android Market Share 2013: Google Mobile Platform Dominating Apple Worldwide in March Figures, updated March 22nd, 2013, Latinos Post, viewed March 25th, <http://www.latinospost.com/articles/15039/20130322/ios-vs-android-market-share-2013-google-mobile-platform-dominating.htm>.
Shekhar, S, Dietz, M & Wallach, DS 2012, 'AdSplit: Separating smartphone advertising from applications', CoRR, abs/1202.4030.
Xu, R, Saïdi, H & Anderson, R 2012, 'Aurasium: Practical policy enforcement for Android applications', Proceedings of the 21st USENIX Conference on Security Symposium, pp. 27-27.
Zhou, W, Zhou, Y, Jiang, X & Ning, P 2012, 'Detecting repackaged smartphone applications in third-party Android marketplaces', Proceedings of the Second ACM Conference on Data and Application Security and Privacy, pp. 317-326.