Leixiang Wu
CSE 300
Research Proposal

Doctor: A Data-Flow Tracking System for Detecting Privacy Threats on Windows Phone

In the last decade, several mobile operating systems, such as Windows Phone, iOS, and Android, have been released and deployed on cell phones. Since then, mobile phones have become more powerful, and smartphone sales have skyrocketed. Given the power and popularity of smartphones, more and more users store sensitive data on them. This private information is accessed by many mobile applications. To protect important data from malicious applications, operating system (OS) companies, such as Apple, , or , have added many security mechanisms to their systems. This security concern has also attracted many notable scholars, who have studied security on the iOS and Android operating systems. Many of them developed tools or software to detect privacy threats on smartphones. However, the security of the Windows Phone operating system is not well studied. Therefore, I propose a research project to study privacy threats on Windows Phone smartphones. In my proposed research, I would develop Windows Phone Doctor, an automated software tool that can detect privacy breaches on Windows phones.

There has been much research related to security. A group of scholars developed a system, TaintDroid, that gives phone owners visibility into how applications on their phones use their private data. Using TaintDroid to test 30 popular Android applications, the scholars found that many apps leak personal information to advertisers. Although the tool is very powerful, it can only be deployed on Android smartphones. To extend the study of privacy threats on smartphones, another group of scholars built a new tool that detects possible privacy breaches on iOS devices. They used the tool, PiOS, to study 1400 iOS applications in Apple Store and Cydia.
In their experiment, the researchers also discovered that many iOS applications send users' private data to third parties. Other scholars, particularly interested in the security of certain applications, analyzed nine popular mobile messaging applications that are available on both the iOS and Android operating systems. The researchers discovered many vulnerable spots in the nine apps that can lead to five possible attacks, such as account hijacking.

Applications are not the only component on smartphones that poses privacy threats; device hardware does as well. Stanford scholars studied how applications on Android devices are able to access the phone's aggregate power meter without permission. It turned out that the power meter can be used to reveal the user's location. Moreover, a group of researchers studied potential security problems of using a touch screen. They found that an attacker could easily infer an Android phone's unlocking password given an image of the oily residue that remains on the touch screen.

As we can see, many scholars have studied security on iOS and Android phones. However, most of them did not analyze Windows phones because iOS and Android smartphones dominate the phone market. Even though Windows Phone holds a small share of the OS market, we need to study Windows Phone security since a fair number of people own a Windows smartphone. Therefore, I will study privacy threats on Windows phones in this proposed project. Unlike in previous research, the applications I am going to test will come from both popular and general categories rather than from the popular section only. The approach I will take to study Windows smartphone security is going to be a combination of all the previous research methods.

In this project, I would study privacy threats on Windows cell phones.
To analyze applications, I would build a software tool, Windows Phone Doctor, that allows me to evaluate Windows applications and detects possible privacy breaches in which private data is sent from devices to third parties without the user's permission. The input to the software will be the files of a Windows Phone application. Based on the input files, Windows Phone Doctor will build a data-flow graph for that particular program. The tool will then be able to detect any privacy breaches in the application. In addition, Windows Phone Doctor labels sensitive data, such as GPS location and address book. This enables users to monitor how their data is being used by applications on their phones, so they can see which application sends their information to third parties, such as advertisers.

Using Windows Phone Doctor would be very simple. Once a user installs it, whenever he/she downloads a new application from , Windows Phone Doctor will automatically evaluate the new app. If the tool identifies any privacy threats, it will pop up a message to warn the user, so the user can take action against those malicious applications before using them. Furthermore, the user can open my app to view every application's data-related activities. Any running application that wants to send personal data from the device to a third party over the network will need the user's permission to do so.

In this project, I would target only smartphones with the latest Windows Phone operating system, which is Mobile. Windows Phone Doctor will not be compatible with other versions due to the limited resources I have. Another limitation is that my tool cannot identify the severity of a privacy threat. Since there are too many applications in the Windows Phone store, it is impossible to evaluate every app. So I would use Windows Phone Doctor to examine 1,000 applications from the Windows Store top chart and another 1,000 randomly selected applications.
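The data-flow graph check described above for Windows Phone Doctor can be sketched as follows. This is an added example, not code from the proposal: the node names, the sample graph and the choice of breadth-first reachability are assumptions, since the proposal does not specify an algorithm.

```python
from collections import deque

# Labeled sensitive sources (hypothetical node names, not real Windows Phone APIs).
SOURCES = {"gps_read": "GPS location", "contacts_read": "address book"}
# Nodes that send data off the device over the network (hypothetical).
SINKS = {"net_send_ads", "net_send_sync"}

# Constructed data-flow graph of an imaginary app: node -> nodes that consume its value.
FLOW = {
    "gps_read": ["coords"],
    "coords": ["format_query", "map_view"],
    "format_query": ["url_builder"],
    "url_builder": ["net_send_ads", "retry_buffer"],
    "retry_buffer": ["url_builder"],      # loop in the program creates a cycle
    "contacts_read": ["contact_list"],
    "contact_list": ["list_view"],        # contacts are only displayed, never sent
    "app_version": ["net_send_sync"],     # non-sensitive data reaching the network
}

def find_leaks(flow, sources, sinks):
    """Return {(label, sink): path} for each sensitive label that reaches a network sink."""
    leaks = {}
    for src, label in sources.items():
        parent = {src: None}              # doubles as the visited set, so cycles terminate
        queue = deque([src])
        while queue:
            node = queue.popleft()
            if node in sinks:
                # Walk parents back to the source to produce a witness path for the warning.
                path, cur = [], node
                while cur is not None:
                    path.append(cur)
                    cur = parent[cur]
                leaks[(label, node)] = path[::-1]
                continue
            for nxt in flow.get(node, []):
                if nxt not in parent:
                    parent[nxt] = node
                    queue.append(nxt)
    return leaks

if __name__ == "__main__":
    for (label, sink), path in find_leaks(FLOW, SOURCES, SINKS).items():
        print(f"{label} reaches {sink}: {' -> '.join(path)}")
```

The witness path is what a warning message to the user would be built from; a sink reached only by unlabeled data, such as `net_send_sync` here, is not reported.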
In the experiment, I expect to find that many applications leak sensitive data. This is very similar to what was discovered in previous research. Although the result might not be very original, the project itself is new. It would be the first project that studies privacy threats on Windows smartphones. The tool I would build in this project is innovative because it is very simple to use and does not require any operating system modification. Furthermore, it has all the features of all previously developed privacy breach detectors.

Most of us have an Android or iOS smartphone. Due to their popularity, many research projects have studied their security, but the Windows Phone operating system is not well studied since it holds only a small share of the mobile operating system market. However, there are still a fair number of people who own a Windows Phone device. Therefore, my project will study privacy threats on Windows smartphones. In the research, I expect to find that many Windows applications send private data to third parties. This will support previous studies, which show that there are many privacy leaks on smartphones that need to be fixed. This work will serve as the opening for studying security on Windows smartphones. I believe that it will attract more researchers to study privacy threats on Windows devices. In addition, my research will extend the security analysis of smartphones across different operating systems. Once the project is finished, Windows Phone Doctor will be available in the Windows Store, so Windows Phone users can use my software to protect their personal information.

Works Cited

1. S. Schrittwieser, P. Frühwirt, P. Kieseberg, M. Leithner, M. Mulazzani, M. Huber, and E. Weippl. Guess who's texting you? Evaluating the security of smartphone messaging applications. In Proc. the 19th Annual Symposium on Network and Distributed System Security, 2012.
2. M. Egele, . Kruegel, E. Kirda, and G. Vigna. PiOS: Detecting privacy leaks in applications. In Network and Distributed System Security Symposium (NDSS), 2011.
3. W. Enck, P. Gilbert, B.-G. Chun, L. P. Cox, J. Jung, P. McDaniel, and A. N. Sheth. TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones. In Proceedings of the 9th USENIX Symposium on Operating Systems Design and Implementation, USENIX OSDI '10, 2010.
4. A. J. Aviv, K. Gibson, E. Mossop, M. Blaze, and J. M. Smith. Smudge attacks on smartphone touch screens. In Proc. of the 4th USENIX Conf. on Offensive Technologies, pages 1–7, 2010.
5. Y. Michalevsky, G. Nakibly, A. Schulman, and D. Boneh. Powerspy: Location tracking using power analysis. CoRR, vol. abs/1502.03182, 2015.