DOI: 10.1145/3098243.3098247

UiRef: analysis of sensitive user inputs in Android applications

Published: 18 July 2017

Abstract

Mobile applications frequently request sensitive data. While prior work has focused on analyzing sensitive-data uses originating from well-defined API calls in the system, the security and privacy implications of inputs requested via application user interfaces have been largely unexplored. In this paper, our goal is to understand the broad implications of such requests in terms of the type of sensitive data being requested by applications.

To this end, we propose UiRef (User Input REsolution Framework), an automated approach for resolving the semantics of user inputs requested by mobile applications. UiRef's design includes a number of novel techniques for extracting and resolving user interface labels and addressing ambiguity in semantics, resulting in significant improvements over prior work. We apply UiRef to 50,162 Android applications from Google Play and use outlier analysis to triage applications with questionable input requests. We identify concerning developer practices, including insecure exposure of account passwords and non-consensual input disclosures to third parties. These findings demonstrate the importance of user-input semantics when protecting end users.


Published In

WiSec '17: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks
July 2017
297 pages
ISBN: 9781450350846
DOI: 10.1145/3098243
Publisher

Association for Computing Machinery

New York, NY, United States

Qualifiers

  • Research-article

Conference

WiSec '17
Acceptance Rates

Overall Acceptance Rate 98 of 338 submissions, 29%

Article Metrics

  • Downloads (Last 12 months): 157
  • Downloads (Last 6 weeks): 30
Reflects downloads up to 22 Feb 2025

Cited By

  • (2024) Do Android App Developers Accurately Report Collection of Privacy-Related Data? Proceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering Workshops, 10.1145/3691621.3694949 (176-186). Online publication date: 27-Oct-2024
  • (2024) Enhancing Transparency and Accountability of TPLs with PBOM: A Privacy Bill of Materials. Proceedings of the 2024 Workshop on Software Supply Chain Offensive Research and Ecosystem Defenses, 10.1145/3689944.3696159 (1-11). Online publication date: 19-Nov-2024
  • (2024) Do as You Say: Consistency Detection of Data Practice in Program Code and Privacy Policy in Mini-App. IEEE Transactions on Software Engineering, 10.1109/TSE.2024.3479288, 50:12 (3225-3248). Online publication date: 1-Dec-2024
  • (2024) Dynamic Security Analysis on Android: A Systematic Literature Review. IEEE Access, 10.1109/ACCESS.2024.3390612, 12 (57261-57287). Online publication date: 2024
  • (2024) Intelligent analysis of android application privacy policy and permission consistency. Artificial Intelligence Review, 10.1007/s10462-024-10798-z, 57:7. Online publication date: 13-Jun-2024
  • (2023) MUID: Detecting Sensitive User Inputs in Miniapp Ecosystems. Proceedings of the 2023 ACM Workshop on Secure and Trustworthy Superapps, 10.1145/3605762.3624429 (17-21). Online publication date: 26-Nov-2023
  • (2023) Understanding and Detecting Abused Image Hosting Modules as Malicious Services. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 10.1145/3576915.3623143 (3213-3227). Online publication date: 15-Nov-2023
  • (2023) DAISY: Dynamic-Analysis-Induced Source Discovery for Sensitive Data. ACM Transactions on Software Engineering and Methodology, 10.1145/3569936, 32:4 (1-34). Online publication date: 27-May-2023
  • (2023) Sensitive and Personal Data: What Exactly Are You Talking About? 2023 IEEE/ACM 10th International Conference on Mobile Software Engineering and Systems (MOBILESoft), 10.1109/MOBILSoft59058.2023.00016 (70-74). Online publication date: May-2023
  • (2023) Towards Fine-Grained Localization of Privacy Behaviors. 2023 IEEE 8th European Symposium on Security and Privacy (EuroS&P), 10.1109/EuroSP57164.2023.00024 (258-277). Online publication date: Jul-2023
