DOI: 10.1145/3548606.3560665
research-article

Hidden in Plain Sight: Exploring Encrypted Channels in Android Apps

Published: 07 November 2022

Abstract

As privacy features in the Android operating system improve, privacy-invasive apps may gradually shift their focus to non-standard and covert channels for leaking private user/device information. Such leaks also remain largely undetected by state-of-the-art privacy analysis tools, which are very effective in uncovering privacy exposures via regular HTTP and HTTPS channels. In this study, we design and implement ThirdEye to significantly extend the visibility of current privacy analysis tools, in terms of the exposures that happen across various non-standard and covert channels, i.e., via any protocol over TCP/UDP (beyond HTTP/S), and using multi-layer custom encryption over HTTP/S and non-HTTP protocols. Besides network exposures, we also consider covert channels via storage media that also leverage custom encryption layers. Using ThirdEye, we analyzed 12,598 top apps in various categories from Androidrank, and found that 2887/12,598 (22.92%) apps used custom encryption/decryption for network transmission and storing content in shared device storage, and 2465/2887 (85.38%) of those apps sent device information (e.g., advertising ID, list of installed apps) over the network that can fingerprint users. Besides, 299 apps transmitted insecure encrypted content over HTTP/non-HTTP protocols; 22 apps that used authentication tokens over HTTPS happened to expose them over insecure (albeit custom encrypted) HTTP/non-HTTP channels. We found non-standard and covert channels with multiple levels of obfuscation (e.g., encrypted data over HTTPS, encryption at nested levels), and the use of vulnerable keys and cryptographic algorithms. Our findings can provide valuable insights into the evolving field of non-standard and covert channels, and help spur new countermeasures against such privacy leakage and security issues.

Cited By

  • (2024) An Investigation of Privacy and Security in VR APPs through URL String Analysis. Journal of Information Processing 32, 779-788. DOI: 10.2197/ipsjjip.32.779. Online publication date: 2024
  • (2024) Whatcha Lookin' At: Investigating Third-Party Web Content in Popular Android Apps. Proceedings of the 2024 ACM on Internet Measurement Conference, 114-129. DOI: 10.1145/3646547.3688405. Online publication date: 4-Nov-2024
  • (2023) No Place to Hide: Privacy Exposure in Anti-stalkerware Apps and Support Websites. Secure IT Systems, 18-36. DOI: 10.1007/978-3-031-47748-5_2. Online publication date: 16-Nov-2023

    Published In

    CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security
    November 2022
    3598 pages
    ISBN:9781450394505
    DOI:10.1145/3548606
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. android
    2. non-standard channels
    3. privacy
    4. security

    Qualifiers

    • Research-article

    Conference

    CCS '22

    Acceptance Rates

    Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

    Article Metrics

    • Downloads (Last 12 months): 141
    • Downloads (Last 6 weeks): 30
    Reflects downloads up to 22 Jan 2025
