X-Decaf : Android平台社交类应用的缓存文件泄露检测

李晖; 王斌; 张文; 汤祺; 张艳丽

doi:10.11999/JEIT160555

X-Decaf : Android平台社交类应用的缓存文件泄露检测

doi: 10.11999/JEIT160555

李晖¹,
王斌^1, ,,
张文¹,
汤祺¹,
张艳丽¹

基金项目:

国家自然科学基金资助(61370195)，中兴通讯产学研项目

计量
- 文章访问数: 1267
- HTML全文浏览量: 190
- PDF下载量: 404
- 被引次数: 0
出版历程
- 收稿日期: 2016-05-28
- 修回日期: 2016-10-12
- 刊出日期: 2017-01-19

X-Decaf : Detection of Cache File Leaks in Android Social Apps

LI Hui¹,
WANG Bin^{1
, ,},
ZHANG Wen¹,
TANG Qi¹,
ZHANG Yanli¹

Funds:

The National Natural Science Foundation of China (61370195), ZTE Corporation and University Joint Research Project

摘要

摘要: 由于社交类应用涉及的隐私数据类型非常多，导致这类应用在被广泛使用的同时，频繁出现用户隐私泄露事件，但是目前还鲜有针对社交应用的隐私泄露检测机制的研究。该文结合Android系统的特性，提出一个面向Android社交类应用检测框架X-Decaf(Xposed-based-detecting-cache-file)，创新性地利用污点追踪技术以及Xposed框架，获取应用内疑似泄露路径，监测隐私数据的缓存文件。此外，该文给出了对隐私泄露进行评级的建议，并利用该框架对50款社交类应用进行了检测，发现社交类应用普遍存在泄露用户隐私信息的漏洞。
- 隐私泄露 /
- 污点追踪 /
- 缓存文件 /
- Xposed /
- Android系统
Abstract: Since social applications involve various types of information related to the user privacy, events of privacy leakage occur frequently along with their popular applications and few studies are available on the privacy leakage detection for social applications. With the combination of the characteristics of the Android system as well as the exploitation of the taint tracking technology and Xposed framework, a privacy leakage detection tool named X-Decaf (Xposed-based-detecting-cache-file) is proposed, which is oriented to social applications on Android platform. It suspects the leakage paths within the applications and detects the privacy datas cache files. This paper also presents a suggestion for the evaluation of the privacy leakage. Evaluation results of 50 kinds of Android social applications show that many vulnerabilities of user privacy leakage exist in the social applications on Android platform.
- Privacy leakage /
- Taint tracking /
- Cache file /
- Xposed /
- Android system

HTML全文

参考文献(16)

ZHANG Y, YANG M, YANG Z, et al. Permission use analysis for vetting undesirable behaviors in android apps[J]. IEEE Transactions on Information Forensics and Security, 2014, 9(11): 1828-1842. doi: 10.1109/TIFS.2014.2347206.

SHEBARO B, OLUWATIMI O, and BERTINO E. Context- based access control systems for mobile devices[J]. IEEE Transactions on Dependable and Secure Computing, 2015, 12(2): 150-163. doi: 10.1109/TDSC.2014.2320731.

NAUMAN M, KHAN S, OTHMAN A T, et al. Realization of a user-centric, privacy preserving permission framework for Android[J]. Security and Communication Networks, 2015, 8(3): 368-382. doi: 10.1002/sec.986.

WU L, DU X, and ZHANG H. An effective access control scheme for preventing permission leak in Android[C]. 2015 International Conference on Computing, Networking and Communications (ICNC), IEEE, Anaheim, CA, USA, 2015: 57-61. doi: 10.1109/ ICCNC.2015.7069315.

LU L, LI Z, WU Z, et al. Chex: Statically vetting android apps for component hijacking vulnerabilities[C]. Proceedings of the 2012 ACM Conference on Computer and Communications Security, North Carolina, USA, 2012: 229-240.

TAN J, DROLIA U, MARTINS R, et al. Short paper: Chips: Content-based heuristics for improving photo privacy for smartphones[C]. Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless Mobile Networks. Oxford, UK, 2014: 213-218. doi: 10.1145/2627393.2627394.

NAVEED M, ZHOU X, DEMETRIOU S, et al. Inside job: Understanding and mitigating the threat of external device mis-binding on Android[C]. Network and Distributed System Security Symposium, San Diego, California, USA, 2014. doi: 10.14722/ndss.2014.23097.

RAHMAN M, BALLESTEROS J, CARBUNAR B, et al. Toward preserving privacy and functionality in geosocial networks[C]. Proceedings of the 19th ACM Annual International Conference on Mobile Computing Networking, Miami, Florida, USA, 2013: 207-210.

FAWAZ K, FENG H, and SHIN K G. Anatomization and protection of mobile apps location privacy threats[C]. 24th USENIX Security Symposium (USENIX Security 15). Washington, D.C., USA, 2015: 753-768.

YAN L, GUO Y, and CHEN X. SplitDroid: isolated execution of sensitive components for mobile applications[C]. International Conference on Security and Privacy in Communication Systems. Springer International Publishing, Dallas, TX, USA, 2015: 78-96.

TRIPP O and RUBIN J. A Bayesian approach to privacy enforcement in smartphones[C]. 23rd USENIX Security Symposium (USENIX Security 14). California, USA, 2014: 175-190.

ENCK W, GILBERT P, HAN S, et al. TaintDroid: An information-flow tracking system for realtime privacy monitoring on smartphones[J]. ACM Transactions on Computer Systems (TOCS), 2014, 32(2): 5. doi: 10.1145/ 2619091.

HSIAO S W, HUNG S H, CHIEN R, et al. PasDroid: real- time security enhancement for Android[C]. 2014 Eighth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing (IMIS), Birmingham, UK, 2014: 229-235.

BAL G, KAI R, and HONG J I. Styx: Privacy risk communication for the Android smartphone platform based on apps' data-access behavior patterns[J]. Computers Security, 2015, 53: 187-202.

CUI X, YU D, CHAN P, et al. Cochecker: Detecting capability and sensitive data leaks from component chains in android[C]. Information Security and Privacy. Springer International Publishing, Wollongong, NSW, Australia, 2014: 446-453.

ZHANG M and YIN H. Efficient, context-aware privacy leakage confinement for android applications without firmware modding[C]. Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security. Kyoto, Japan, 2014: 259-270.

施引文献

资源附件(0)

访问统计