DOI: 10.1145/2351676.2351689

User-aware privacy control via extended static-information-flow analysis

Published: 03 September 2012

Abstract

Applications in mobile-marketplaces may leak private user information without notification. Existing mobile platforms provide little information on how applications use private user data, making it difficult for experts to validate applications and for users to grant applications access to their private data. We propose a user-aware privacy control approach, which reveals how private information is used inside applications. We compute static information flows and classify them as safe/unsafe based on a tamper analysis that tracks whether private data is obscured before escaping through output channels. This flow information enables platforms to provide default settings that expose private data only for safe flows, thereby preserving privacy and minimizing decisions required from users. We built our approach into TouchDevelop, an application-creation environment that allows users to write scripts on mobile devices and install scripts published by other users. We evaluate our approach by studying 546 scripts published by 194 users.

Published In

ASE '12: Proceedings of the 27th IEEE/ACM International Conference on Automated Software Engineering
September 2012
409 pages
ISBN:9781450312042
DOI:10.1145/2351676

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Information Flow Analysis
  2. Mobile Application
  3. Privacy Control

Qualifiers

  • Article

Acceptance Rates

Overall Acceptance Rate 82 of 337 submissions, 24%
